Networking Forums

IPSec Blocking is not working

 
 
Kevin K
      04-16-2007, 01:38 PM
I've successfully used IPSec Policies to block specific devices and/or ports
from communicating with domain members.

Now there's this new DNS server vulnerability -- one of the suggested
methods is to use IPSec to block ports above 1024.

Now in IPSec I don't know if it's possible to block port ranges. You can
allow/deny individual ports, but I haven't seen any way to specify a range.

In this case I worked around this. I created an IPSec policy that gives
only specific subnets the "allow" rule.

Now in the KB link that is provided it says something like "if you create an
allow rule, you must also create a deny rule, otherwise it will just allow
all traffic". This indeed was the case.

So I created a second rule in the policy to deny all traffic. I'm thinking
here that the policy engine is smart enough to merge these two together.
After all the KB article suggested this.

However when I did this, it acts as if the "permit" rule is being ignored
and just blocks everything.

Does anyone know if I am doing anything wrong here? How can you combine
allow and deny rules in IPSec to restrict to only specific devices or subnets
for example?

Thanks!
 
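For reference, this is the netsh ipsec equivalent of the policy Kevin describes (permit a subnet, block everything else). It is an added example, not code from either post or from the KB article he mentions. It assumes Windows XP SP2 / Server 2003 with the netsh ipsec static context, a hypothetical management subnet 192.168.10.0/24, and policy, filter list and rule names of my own choosing. Note that these policies have no port-range syntax; "above 1024" has to be expressed as one filter per port, which is why Kevin fell back to restricting by subnet.

```batch
@echo off
rem Added example, not from the original thread.
rem Assumes: netsh ipsec static (XP SP2 / Server 2003),
rem a management subnet of 192.168.10.0/24 (hypothetical),
rem and the goal "only that subnet may talk to this host".

set POLICY=Restrict to mgmt subnet

rem 1. Filter actions: plain permit and plain block, no IKE negotiation.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 2. The deny side: a filter that matches everything to/from this host.
rem    Leave protocol and ports at ANY so this filter stays the LEAST
rem    specific one in the policy.
netsh ipsec static add filterlist name="All traffic"
netsh ipsec static add filter filterlist="All traffic" srcaddr=Any dstaddr=Me protocol=ANY mirrored=yes

rem 3. The allow side: the permitted subnet. IPSec applies the most
rem    specific matching filter, not the first rule listed, so this filter
rem    must be at least as specific as the block filter in every field it
rem    shares (here it is narrower on source address, so it wins).
rem    On a domain member, add a filter for each domain controller here as
rem    well (addresses not shown; they are site specific), or the host loses
rem    Kerberos/LDAP once the policy is assigned.
netsh ipsec static add filterlist name="Mgmt subnet"
netsh ipsec static add filter filterlist="Mgmt subnet" srcaddr=192.168.10.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes

rem 4. One policy, two rules. Rule order is irrelevant to the outcome.
netsh ipsec static add policy name="%POLICY%" description="Only the mgmt subnet may reach this host" activatedefaultrule=no assign=no
netsh ipsec static add rule name="Permit mgmt" policy="%POLICY%" filterlist="Mgmt subnet" filteraction="Permit"
netsh ipsec static add rule name="Block rest" policy="%POLICY%" filterlist="All traffic" filteraction="Block"

rem 5. Review the generated filters before assigning; do this from a
rem    console session, not over the network, in case the permit is wrong.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. Assign. Only one local policy can be assigned at a time, and a
rem    domain GPO policy overrides it.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem 7. Confirm which policy is actually assigned (look for "Assigned: YES").
netsh ipsec static show policy all
```

Two practical checks when the permit "seems to be ignored": first, compare the two filter lists in the verbose output and make sure the block filter is not narrower than the permit in some field (a block filter that names a protocol or port outranks a permit that says ANY, regardless of rule order); second, remember that IKE (UDP 500) is exempt from filtering no matter what the policy says, and that Windows 2000 and XP before SP2 also exempt Kerberos, broadcast and multicast by default (the NoDefaultExempt registry value), so a test that relies on one of those protocols can mislead you about whether the block is working.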
 
 
 
 
Phillip Windell
      04-16-2007, 02:11 PM
"Kevin K" <(E-Mail Removed)> wrote in message
news:52492C11-6118-4A62-9DEE-(E-Mail Removed)...
> I've successfully used IPSec Policies to block specific devices and or ports
> from communicating with domain members.
>
> Now there's this new DNS server vulnerability -- one of the suggested
> methods is to use IPSec to block ports above 1024.


That would be insane,...plain ridiculous,...why would anyone suggest something so
ridiculous.

What difference does the so-called vulnerability make when your DNS is on the
internal LAN and not exposed to the Internet and is not the publicly
authoritative DNS for whatever public domain name you have, and does not have
public machines/users querying it for resolution of your public domain name?

Patch the machine with the patch when it is released and forget it.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

