Web Hosting Talk

Is there a reason why I should not block ICMP?

Wolfy
03-20-2002, 11:12 AM
Over the last week or so, I've noticed a fairly large number of 'script/worm/hack' attempts on our Windows 2000 test server. The server is patched & protected, so the attempts do no damage, but they are something that I'm happy to do without.

After blocking all ICMP traffic, these attempts have almost stopped. So blocking ICMP would seem to be a good counter-measure, but I was wondering if there is any reason why blocking ICMP is not a good idea?

It did stress our hosting-provider for a few days, because I did not think to tell them that I'd blocked ICMP, and their 'monitoring system' continued to report that our server was down. :) They now monitor port 80. :p
I've also allowed ICMP only for my IP, and the IP's of our other servers, so we can test-ping the machine with no problems.

After the well-publicised DOS attacks on MS, Yahoo etc., I notice that many high-profile websites do not reply to pings - maybe they have done something similar?

RackMy.com
03-20-2002, 11:15 AM
It's really not a bad idea to block all ICMP traffic, but it can be a little difficult to diagnose problems if they come up.

Just out of curiosity, how are you blocking ICMP traffic on your W2K box?

Wolfy
03-20-2002, 12:19 PM
I used IPSec Policies. A little bit tedious to set up, but I can copy/export it to other W2k servers now. ;)

But it's even useful to ‘blacklist’ any IP’s that I don’t like the look of.

Set rules to keep the major ports open - deny anything else - block ICMP. As long as I've got access to the box it's about 3 or 4 mouse clicks to remove the policy, if you’re troubleshooting. :)

Mind you, there were some very nervous moments when I first used the policy remotely. When testing on my machine here, I managed to block all network access, and that’s not something I'd want to do to a machine that is 1/2 a world away. :p

cperciva
03-20-2002, 12:25 PM
*sigh*

Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.

Wolfy
03-20-2002, 12:31 PM
Thanks cperciva, I knew someone would come up with a reason why it was not such a good idea ... hence my question. :confused:

Unfortunately it seems 'block all ICMP' or 'allow all ICMP' are the only choices ... oh well ... maybe I'll have to invest in some razor-wire or another method of keeping the 'baddies' out. :D

At least now I know what to Google for:
http://www.onlamp.com/pub/a/bsd/2001/04/04/FreeBSD_Basics.html

RackMy.com
03-20-2002, 12:49 PM
Originally posted by cperciva
Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.

We block all ICMP traffic on most of our sensitive servers and have never had any problems at all. While I have heard of this problem, I have yet to experience it with W2K. (You can read up on filtering ICMP @ http://www.worldgate.com/~marcs/mtu/)

Oh yeah, wolfy you cannot select which type of ICMP traffic in IPSec policies. It's all or nothing :(

cperciva
03-20-2002, 12:57 PM
Originally posted by RackMy.com
We block all ICMP traffic on most of our sensitive servers and have never had any problems at all.

*Most* of the internet works on 1500 byte IP packets now. But there are still a few places -- satellite links come to mind -- where you'll see smaller MTUs.

The problem with breaking MTU discovery is that your packets will end up being dropped without any trace; in that respect it appears as if the remote server is simply unavailable.

The fact that you haven't *noticed* PMTU-related problems doesn't mean that there weren't any.
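The point cperciva makes in his two posts above is that an ICMP filter has to look at the type and code, not just the protocol number: echo requests can be dropped (or restricted to the monitoring hosts Wolfy mentions), but "fragmentation needed" (type 3, code 4) must get through or path MTU discovery fails silently. The following is an added example written for this thread, not code from any poster; it parses a raw IPv4/ICMP datagram, verifies the ICMP checksum, and applies that selective policy. The allowlist addresses and the sample packets are constructed, and the exact set of passed types is the editor's choice, not a rule from the thread. On Windows 2000 the thread notes that IPSec policies cannot select ICMP types, so this shows the logic a type-aware filter such as the FreeBSD one in the linked article applies.

```python
"""Selective ICMP filter (added example, constructed input; not from the thread).

Policy demonstrated:
  * always pass type 3 code 4 (fragmentation needed) so PMTUD keeps working
  * pass time exceeded (traceroute/TTL diagnostics) and echo replies
  * pass echo requests only from an allowlist of monitoring hosts
  * drop everything else, and drop anything malformed or with a bad checksum
"""
import struct
from ipaddress import IPv4Address, ip_network

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
CODE_FRAG_NEEDED = 4  # type 3 code 4: fragmentation needed and DF set (RFC 792 / RFC 1191)

# Constructed allowlist (assumption): stands in for the admin's own IP and the
# other servers that are still allowed to ping the box.
PING_ALLOWLIST = [ip_network("203.0.113.10/32"), ip_network("198.51.100.0/24")]


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build an ICMP message (type, code, checksum, 4-byte 'rest of header', payload)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return header[:2] + struct.pack("!H", icmp_checksum(header)) + header[4:]


def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal 20-byte IPv4 header, protocol 1 (ICMP); IP checksum left zero, not checked here."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0x4000, 64, 1, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + icmp


def parse(packet: bytes):
    """Return (src, icmp_type, code, checksum_ok); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    src = str(IPv4Address(packet[12:16]))
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    icmp_type, code, _csum = struct.unpack("!BBH", icmp[:4])
    return src, icmp_type, code, icmp_checksum(icmp) == 0


def filter_decision(packet: bytes) -> str:
    """'pass' or 'drop' for one datagram under the selective-ICMP policy."""
    try:
        src, icmp_type, code, checksum_ok = parse(packet)
    except ValueError:
        return "drop"  # malformed: never let it reach the stack
    if not checksum_ok:
        return "drop"
    if icmp_type == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        return "pass"  # never break path MTU discovery
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "pass"  # traceroute replies and TTL diagnostics
    if icmp_type == ICMP_ECHO_REQUEST:
        addr = IPv4Address(src)
        return "pass" if any(addr in net for net in PING_ALLOWLIST) else "drop"
    if icmp_type == ICMP_ECHO_REPLY:
        return "pass"  # answers to pings the server itself sent (a stateful filter would match them)
    return "drop"  # redirects, timestamps, router advertisements, etc.


# Constructed sample traffic (RFC 5737 documentation addresses).
_ping = build_icmp(ICMP_ECHO_REQUEST, 0, b"\x12\x34\x00\x01", b"ping")
_frag = build_ipv4("192.0.2.1", "10.0.0.1",
                   build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, b"\x00\x00\x05\xdc", b"\x45" * 28))
SAMPLES = {
    "ping from stranger": build_ipv4("192.0.2.7", "10.0.0.1", _ping),
    "ping from monitor": build_ipv4("203.0.113.10", "10.0.0.1", _ping),
    "frag needed from router": _frag,
    "redirect": build_ipv4("192.0.2.1", "10.0.0.1", build_icmp(5, 1)),
    "corrupt frag needed": _frag[:-1] + bytes([_frag[-1] ^ 0xFF]),
}


def run_samples() -> dict:
    """Apply the filter to every constructed sample and return the verdicts."""
    return {name: filter_decision(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26s} -> {verdict}")
```

The "corrupt frag needed" sample shows why the checksum check belongs in the filter: a damaged fragmentation-needed message is dropped rather than passed on the strength of its type and code alone.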

RackMy.com
03-20-2002, 01:02 PM
I hear ya :) but really, how much of the net does not use 1500 byte IP packets?

Which ones would you say to leave available?

paddimac
03-20-2002, 01:36 PM
It's a good way to protect your server from DOS attacks, but makes it a little difficult to solve issues.

bitserve
03-21-2002, 04:27 AM
I have to agree with cperciva. You don't want to block all ICMP. I block echo requests to some things like the name servers, but I can't see anything else as being a problem.

I'm curious to know what ICMP types are causing problems with your windows servers. Mind sharing?

manmythlgnd
03-21-2002, 07:18 AM
Originally posted by Wolfy
I used IPSec Policies. A little bit tedious to setup, but I can copy/export it to other W2k servers now. ;)

But it's even useful to ‘blacklist’ any IP’s that I don’t like the look of.

Set rules to keep the major ports open - deny anything else - block ICMP. As long as I've got access to the box it's about 3 or 4 mouse clicks to remove the policy, if you’re troubleshooting. :)

Mind you, there were some very nervous moments when I first used the policy remotely. When testing on my machine here, I managed to block all network access, and that’s not something I'd want to do to a machine that is 1/2 a world away. :p

How does IPSec buy you anything? From working on VPN and security equipment every day for the past few years, I can tell you that IPSec is authentication, encryption and integrity services at the IP datagram layer. This has nothing to do with filtering but plenty to do with say, setting up a VPN.

manmythlgnd
03-21-2002, 07:19 AM
Originally posted by cperciva
*sigh*

Block echo packets if you must, but don't block all ICMP packets: At very least, you should allow type 3 code 4 (can't fragment) packets through. Blocking those will break path MTU discovery.

icmp echo is nice if you want to know if your servers are up. I would say filter based on source if you must at all.

RackMy.com
03-21-2002, 09:21 AM
Originally posted by manmythlgnd
This has nothing to do with filtering

With W2K, you can use IPSec policies to block certain ports and protocols. It can be used as a poor man's firewall, so yes it has everything to do with filtering :)

manmythlgnd
03-21-2002, 10:14 AM
Originally posted by RackMy.com
With W2K, you can use IPSec policies to block certain ports and protocols. It can be used as a poor man's firewall, so yes it has everything to do with filtering :)

I don't think you know what IPSec is... So here's a refresher:

From http://www.rsasecurity.com/rsalabs/faq/5-1-4.html:

5.1.4 What is IPSec?

The Internet Engineering Task Force (IETF)'s IP Security Protocol (IPSec) working group is defining a set of specifications for cryptographically-based authentication, integrity, and confidentiality services at the IP datagram layer. IPSec is intended to be the future standard for secure communications on the Internet, but is already the de facto standard. The IPSec group's results comprise a basis for interoperably secured host-to-host pipes, encapsulated tunnels, and Virtual Private Networks (VPNs), thus providing protection for client protocols residing above the IP layer.

The protocol formats for IPSec's Authentication Header (AH) and IP Encapsulating Security Payload (ESP) are independent of the cryptographic algorithm, although certain algorithm sets are specified as mandatory for support in the interest of interoperability. Similarly, multiple algorithms are supported for key management purposes (establishing session keys for traffic protection), within IPSec's IKE framework.

The home page of the working group is located at http://www.ietf.org/html.charters/ipsec-charter.html. This site contains links to relevant RFC documents and Internet-Drafts.

So, yeah, you can set policies... to restrict IPSec traffic (since it typically appears as just another interface in most sane network devices).

Again, I've worked on this stuff every day for the past 2-3 years, so I'm fairly certain I know what I'm talking about. Perhaps you are one-off in your terminology.

Wolfy
03-21-2002, 10:54 AM
manmythlgnd, I don't want to split hairs with you, but as RackMy.com mentioned, with W2k you can use an IPSec policy as a 'poor man's firewall'.

The server in question is a test box and costs very little to host, where no firewall facilities etc. are provided. So I have just been looking for other options to increase the 'security' level on the machine.

The IPSec policy allows rules to be set up.
If incoming or outgoing packets match the rules, they will be dropped or permitted, according to the rules set. These rules are set under the "IP Security Policies" heading, and have the effect of either permitting or denying traffic to the machine.

While this may not be what IPSec was designed for, it works for blocking or permitting mostly any kind of traffic based on a variety of rules.

But anyway ... the question I was wondering about has been answered. :)

RackMy.com
03-21-2002, 05:43 PM
Originally posted by manmythlgnd
I don't think you know what IPSec is

Um, yeah I know what IPSec is and how to use it :) but I think Wolfy explained it pretty well.

So, Wolfy what are you going to do?

inkhead
03-21-2002, 05:49 PM
That's nothing, I did this blunder:

Start > Network > then selected the network interface; on bringing it up I clicked "disable" instead of the "properties" button right next to it. DON'T try that one when the server room isn't next door. LOL, great way to kill your server until some tech is nice enough to turn it back on for yah.

RackMy.com
03-21-2002, 05:56 PM
I know that one, then I wonder why I can't get out to the 'Net on that server :)

manmythlgnd
03-22-2002, 11:53 AM
Originally posted by Wolfy
manmythlgnd, I don't want to split hairs with you, but as RackMy.com mentioned, with W2k you can use an IPSec policy as a 'poor man's firewall'.

The server in question is a test box and costs very little to host, where no firewall facilities etc. are provided. So I have just been looking for other options to increase the 'security' level on the machine.

The IPSec policy allows rules to be set up.
If incoming or outgoing packets match the rules, they will be dropped or permitted, according to the rules set. These rules are set under the "IP Security Policies" heading, and have the effect of either permitting or denying traffic to the machine.

While this may not be what IPSec was designed for, it works for blocking or permitting mostly any kind of traffic based on a variety of rules.

But anyway ... the question I was wondering about has been answered. :)

This is like the blind leading the blind...

"IP Security Policies" != IPSec

This may not be what IPSec is designed for, because this is not IPSec. Honestly guys, if this thread took place on NANOG or some other similar list, you would have been laughed off the mailing list by now. Do you guys just not get it or something?

Does it do ESP payload encryption? AH? No. Well, then it's not IPSec. It's something called "IP Security". That's not IPSec. Read a book, please.

manmythlgnd
03-22-2002, 12:04 PM
Originally posted by RackMy.com
Um, yeah I know what IPSec is and how to use it :) but I think Wolfy explained it pretty well.

So, Wolfy what are you going to do?

The blind leading the blind part 2...

Since you're an expert in IPSec and how to use it, perhaps you can help me with this problem I've been having.

See, I have a Cisco PIX and an unfortunate windows box at a remote location that only speaks PPTP, which we all know is just bastardized IPSec wrapped in GRE. The problem is, using these devices and the limitation of said windows box, I need to establish an encrypted tunnel of some sort and the problem is the PIX only speaks PPTP in gateway mode and not tunnel mode. My only other option is to find some sort of PPTP drivers for one of the unix machines behind the firewall and just point static routes on all machines that need to get over to the other side of the tunnel at said box. What do you think? Oh, and the boxes behind the firewall are behind a PAT proxy (overloaded NAT, basically).

What should I do? I can give you a diagram if it helps.

The heading "IP Security Polices" != IPSec.

If you want to get a clue, here's a good book on IPSec that I have on my bookshelf: "IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks" by Naganand Doraswamy and Dan Harkins.

RackMy.com
03-22-2002, 12:05 PM
manmythlgnd, lay off! No one said they were using IPSec to do firewalling, but the IPSec policy engine to do it. Why don't you read the post a little more closely? Again, no one here is talking about using ACTUAL IPSec, just the engine.

You may also want to check this out http://www.microsoft.com/SERVICEPROVIDERS/columns/using_ipsec.asp

allan
03-22-2002, 01:13 PM
Originally posted by manmythlgnd

What should I do? I can give you a diagram if it helps.


Hire a consultant.

Oh, and Windows 2000 supports both PPTP and L2TP -- both of which are supported by the PIX. If you are running a flavor of Windows other than Windows 2000, you don't know very much about security.

One thing: I am on the NANOG list, and I have yet to see anyone laughed off the list. Most of the people on the list are professionals and they do not attempt to ridicule and degrade others.

manmythlgnd
03-22-2002, 04:35 PM
Originally posted by uuallan


Hire a consultant.

Oh, and Windows 2000 supports both PPTP and L2TP -- both of which are supported by the PIX. If you are running a flavor of Windows other than Windows 2000, you don't know very much about security.

One thing: I am on the NANOG list, and I have yet to see anyone laughed off the list. Most of the people on the list are professionals and they do not attempt to ridicule and degrade others.

They were a little tame on that csu/dsu guy the other day. Interestingly, he was posting from a corp.uu.net address.

Of course, you were looking for an opportunity to make a cheap shot rather than rebut with substance, so let me debunk a few things. Sometimes things have a strict set of requirements that cannot be changed. Ever work with a bank or other finance shop? The point is, it's not my Windows box. NT or 2000, functionally speaking they are the same for this exercise; since it's not mine, it's more of a black box, anyway. Regardless, you have missed some key words. As I said, the PIX only supports PPTP (and L2TP for that matter) in gateway mode. Now, anyone that knows anything about security and anyone who read my problem will know why this is not useful.

I need not hire a consultant; I am a consultant, I was tasked with this problem and I already have the answer. I am just curious if the RackMy.com salesman really does know all about IPSec and how to use it.

RackMy.com
03-22-2002, 04:58 PM
manmythlgnd, what you fail to realize and read is that no one is talking about IPSec and how to use it. No one that is, but you :)

allan
03-22-2002, 05:45 PM
Originally posted by manmythlgnd

Of course, you were looking for an opportunity to make a cheap shot rather than rebut with substance....


Oh, I thought that was the game we were playing. I mean you replied with a scenario that was totally unrelated to anything discussed previously, and something to which you already had the answer -- I guess to show us how smart you are.

So, to stroke your ego...

"Boy, you sure are smarter than I am, I wish I knew as much about VPNs as you do, then maybe I could be a cool guy who gets to be all arrogant on message boards."


Bah.

manmythlgnd
03-23-2002, 12:25 AM
Originally posted by RackMy.com
manmythlgnd, what you fail to realize and read is that no one is talking about IPSec and how to use it. No one that is, but you :)

Nice diversion from:

"Um, yeah I know what IPSec is and how to use it but I think Wolfy explained it pretty well. "

Well, salesman, don't quit your day job. :)

manmythlgnd
03-23-2002, 12:27 AM
Originally posted by uuallan


Oh, I thought that was the game we were playing. I mean you replied with a scenario that was totally unrelated to anything discussed previously, and something to which you already had the answer -- I guess to show us how smart you are.

So, to stroke your ego...

"Boy, you sure are smarter than I am, I wish I knew as much about VPNs as you do, then maybe I could be a cool guy who gets to be all arrogant on message boards."


Bah.

That's an interesting take on things. I just wanted to see if the salesman knew as much as he claimed. As was proven, he didn't. No need to get all bitter on me.

bitserve
03-23-2002, 02:34 AM
manmythlgnd,

I was originally confused when they were talking about using "IPSEC", but I soon realized that "IPSec Policies" must refer to the IP Security Policy subsystem in Windows 2000, even though Windows 2000 does also support IPSEC from within the IP Security Policy subsystem.

You're the only one wanting to harass the poor windows users' use of Microsoft's own terminology for the IP Security Policy subsystem, though.

Your little scenario made no sense. I'm assuming that when you were saying firewall, that you were referring to the Cisco PIX? You never said what was on the other end. You never said what version of Windows. Why you would put forth a scenario about PPTP, when you were trying to show off your IPSEC knowledge, I have no idea.

I don't see how you can say that PPTP is just bastardized IPSEC, but I guess in your mind, it is.

Wolfy
03-23-2002, 07:22 AM
Originally posted by bitserve
<snip>
but I soon realized that "IPSec Policies" must refer to the IP Security Policy subsystem in Windows 2000, even though Windows 2000 does also support IPSEC from within the IP Security Policy subsystem.

You're the only one wanting to harass the poor windows users' use of Microsoft's own terminology for the IP Security Policy subsystem, though
<snip>

I do believe you are correct on all accounts there bitserve. :)


manmythlgnd, you've made it pretty clear that you do not know too much about "IPSec Policies" or IPSec when it comes to Windows 2000, and I'd suggest that you do some reading up on it before you attempt to provoke or insult others.

There is a whitepaper here: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/nwpriv.asp
And more information here: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/profwin/pw0201.asp

But this is the most amusing link of all: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/network/ipsecimp.asp
Chapter 9 of IPSec – The New Security Standard for the Internet, Intranets and Virtual Private Networks (Prentice Hall, PTR), by Naganand Doraswamy and Dan Harkins ... now I wonder why Microsoft put a chapter of the 'good book you have on your bookshelf' on their website? ... just for fun??

Given that I clearly referred to Windows 2000 IPSec Policies, there is absolutely nothing wrong with the description that I gave earlier.
Yes you can use them to implement IPSec.
Yes you can use them for ESP encryption.
And yes you can use them as a cheap/easy firewall which is all we’ve been talking about here.

As it turns out "the salesman" knows much more about what we are actually talking about here than you’ve indicated you do. If you’re going to bait Windows users, at least make sure you have some ground to stand on, and don't just go making assumptions, which may not always be correct.

allan
03-23-2002, 08:55 AM
Originally posted by manmythlgnd

That's an interesting take on things. I just wanted to see if the salesman knew as much as he claimed. As was proven, he didn't. No need to get all bitter on me.

I think Wolfy and Mark did a good job of refuting your arguments, and since I am not a VPN guy, I won't try. I have seen a lot of "consultants" who come to this board trying to show off how smart they are, usually at the expense of others.

You'll find that this is a pretty intelligent bunch, and we usually know what we are talking about. Mike has been around for a while and has been consistently helpful to everyone on the board. No one needs you to test his knowledge, he has repeatedly proved himself.

RackMy.com
03-23-2002, 10:24 AM
Originally posted by manmythlgnd
I just wanted to see if the salesman knew as much as he claimed. As was proven, he didn't.

Whoever said I knew everything or anything about IPSec? No, I am not a security expert nor have I ever claimed to be.

Originally posted by RackMy.com
Um, yeah I know what IPSec is and how to use it but I think Wolfy explained it pretty well.

Again, no one here is talking about IPSec and Wolfy did explain it very well (IPSec Policies on W2K).

Dude, get over yourself!

manmythlgnd
03-23-2002, 02:29 PM
Originally posted by Wolfy

I do believe you are correct on all accounts there bitserve. :)


manmythlgnd, you've made it pretty clear that you do not know too much about "IPSec Policies" or IPSec when it comes to Windows 2000, and I'd suggest that you do some reading up on it before you attempt to provoke or insult others.

There is a whitepaper here: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/nwpriv.asp
And more information here: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/columns/profwin/pw0201.asp

But this is the most amusing link of all: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/prodtech/network/ipsecimp.asp
Chapter 9 of IPSec – The New Security Standard for the Internet, Intranets and Virtual Private Networks (Prentice Hall, PTR), by Naganand Doraswamy and Dan Harkins ... now I wonder why Microsoft put a chapter of the 'good book you have on your bookshelf' on their website? ... just for fun??

Given that I clearly referred to Windows 2000 IPSec Policies, there is absolutely nothing wrong with the description that I gave earlier.
Yes you can use them to implement IPSec.
Yes you can use them for ESP encryption.
And yes you can use them as a cheap/easy firewall which is all we’ve been talking about here.

As it turns out "the salesman" knows much more about what we are actually talking about here than you’ve indicated you do. If you’re going to bait Windows users, at least make sure you have some ground to stand on, and don't just go making assumptions, which may not always be correct.

Salesman,

Those links had nothing to do with setting up a ghetto firewall as you described. The chapter they put on their web site had everything to do with what I was talking about, however. And you know why they put a chapter of that book on their web site? Because it's all about IPSec (and not the incorrect terminology that they are pushing onto impressionable users such as yourself).

I will admit, you got me there, I do not claim to be an expert in anything Windows related. That is not what I get paid for. That's what desktop support subcontractors / tape monkeys on the come-up are for.

You are talking in circles.

manmythlgnd
03-23-2002, 02:35 PM
Originally posted by uuallan


I think Wolfy and Mark did a good job of refuting your arguments, and since I am not a VPN guy, I won't try. I have seen a lot of "consultants" who come to this board trying to show off how smart they are, usually at the expense of others.

You'll find that this is a pretty intelligent bunch, and we usually know what we are talking about. Mike has been around for a while and has been consistently helpful to everyone on the board. No one needs you to test his knowledge, he has repeatedly proved himself.

Mr Liska,

I would suggest taking a rhetoric class if you think they did a good job. I have found that this is not necessarily an intelligent bunch, but that there are a few intelligent people here and there and a lot of people trying to start point and click hosting operations. As I search back in the archives looking for where he has demonstrated any sort of clue, perhaps I missed that post. Judging by his tag line of "following uuallan" I understand the brown spots on your nose.

allan
03-23-2002, 02:47 PM
Originally posted by manmythlgnd

I have found that this is not necessarily an intelligent bunch, but that there are a few intelligent people here and there and a lot of people trying to start point and click hosting operations.

Well then, let me be the first to invite you to leave.

Chicken
03-23-2002, 03:46 PM
This thread has a specific topic, and asked a specific question. It seems that there are many posts which do not address either. Can we please come back towards the point of the thread and end the mindless tangents?

If not, then we'll have to close this up.