Petri IT Knowledgebase Forums, Security > General Security

IPsec question

This thread has 10 replies and has been viewed 1317 times.
#1  22nd March 2012, 21:46
Bertmax, Junior Member
IPsec question

OK, for one reason or another, we still have some Windows 2000 PCs on the network (public school district), and they are causing havoc, either by being exploited or viral infection (some of them don't have the resources to run our AV program). Our domain controllers are being hammered with authentication requests, most of which are bad. I know this because we get more failed security audits than we do successful ones and the system event log is nothing but SAM errors.

I've been told that there is a way of combating this via an IPsec policy, that it can be used to challenge and block requests that come from Windows 2000 machines, but I've never fooled with IPsec and it's not very intuitive. Any ideas out there?
#2  23rd March 2012, 01:18
JeremyW, Moderator
Re: IPsec question

I don't think IPSec will help in this situation.

I think you need to work on your perimeter defense and locking down your workstations. Having AV/IPS at the gateway and limiting the functionality on the workstations (e.g. disable USB and CD drives on the Win 2000 machines) will go a long way to mitigate the issues.

Start cleaning up the machines (or rebuild them, it might be faster) and then lock them down tight.
__________________
Regards,
Jeremy

Network Consultant/Engineer
Baltimore - Washington area and beyond
www.gma-cpa.com
#3  23rd March 2012, 03:13
wullieb1, Moderator
Re: IPsec question

Quote (originally posted by JeremyW):
I don't think IPSec will help in this situation.

I think you need to work on your perimeter defense and locking down your workstations. Having AV/IPS at the gateway and limiting the functionality on the workstations (e.g. disable USB and CD drives on the Win 2000 machines) will go a long way to mitigate the issues.

Start cleaning up the machines (or rebuild them, it might be faster) and then lock them down tight.
This is probably the most effective way of dealing with this.

Your edge network needs to be pretty tight and secure and desktops need to be locked down to stop this happening.

Have you removed Admin rights from the users?
#4  23rd March 2012, 19:12
auglan, Moderator
Re: IPsec question

Defending at the network edge is the ideal place to start. Don't forget about internal security as well. Another good option is to implement DHCP snooping, Dynamic ARP Inspection and IP Source Guard. This will stop IP spoofing attacks and man-in-the-middle attacks on your layer 2 network. If you want to really lock it down, use 802.1X authentication.
#5  26th March 2012, 18:08
Bertmax, Junior Member
Re: IPsec question

OK, for further clarification, reloading some of these machines isn't possible, due to their lack of resources (in other words, they can't even run XP effectively). Can't take them off the wire, because our department is micro-managed by superintendents who don't understand technology. All they see is that there is a classroom with no computer in it, and that can't happen. Moving PCs around isn't an option most times, because a lot of the computers in the district were bought with grants, so a PC that was bought for the classroom can't be used by administrative personnel. The traffic is so bad on our network, if we didn't have our ASA working backwards, we wouldn't be able to connect to a lot on the web due to the amount of traffic we generate.

We have a Cisco IPS on the network, but the problem is, it doesn't know that the request is bad. All the IPS sees is that a computer is sending an authentication request, and it's not recognized as bad until it hits the DC. The DC recognizes the request is invalid and rejects it, but I was told that IPsec could be configured to block requests that come from certain machines. My only objective with this thread is to free up one of the domain controllers so that it can run various scripts without being inundated by these requests.

I get how stupid it is to still have these computers online, but that decision is made above my head. If it were up to me, I'd replace them all, but it's not.
#6  26th March 2012, 18:37
auglan, Moderator
Re: IPsec question

Not much you can do then, if you told them the consequences of this continuing. It may come down to your public IP space getting blacklisted or your ISP stopping service altogether. Hard to believe a public school district would operate like that.
#7  26th March 2012, 20:54
Bertmax, Junior Member
Re: IPsec question

Hard for me to believe too. And that's exactly why we have our ASA functioning backwards, so we don't get blacklisted. Gotta keep all that bad traffic in-house!

Only thing the public school system sees is cost. They have no idea how to run a technology department, and thanks to the spinelessness of my boss, they aren't being told by us, either. So, I'm stuck looking for outlandish work-arounds, such as using IPsec to block Windows 2000 machines from reaching certain domain controllers. We've probably spent more on work-arounds the last couple years than we would have if we'd been able to replace all these computers.
#8  26th March 2012, 21:06
Ossian, Administrator
Re: IPsec question

I presume you have covered your posterior and put all your concerns in writing?

It would be awful if your older machines were to suffer an unfortunate accident -- I'm sure replacement parts must be a bit difficult to get if, say, a capacitor on the MoBo was to just fall off.
__________________
Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland
#9  26th March 2012, 22:15
RicklesP, Member (MVM)
Re: IPsec question

May be a bit late here, but wouldn't the IPSec issue also cause more performance issues on the network? The only thing you really use IPSec for is to hide the contents of the network packets as they transit the wire. The problem is, the encrypt/decrypt has to take place at both ends, so both source & destination machines would slow down.

If memory serves, Windows 2000 doesn't speak IPSec, which may be why it was suggested. If those hosts can't follow the IPSec policy requirement enforced at the DC, they can't talk to it.

Assuming there's at least one switch/router between the Win2000 hosts and the DC in question, wouldn't it be easier to simply assign all the hosts to a single subnet/VLAN with manual addressing, and put an ACL on a switch/router port which blocks that subnet from talking to the DC? Since upgrades and best practice don't seem to apply here, at least this wouldn't cost any extra money, just some time to implement.
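For the IPsec-as-packet-filter idea the thread keeps coming back to (blocking, rather than encrypting, traffic from the legacy subnet to one DC), here is an added example of how such a local policy is built with the netsh ipsec static context on Windows Server 2003 or later. It is not from any poster in this thread; the subnet 10.20.30.0/24 and all the policy, filter-list and action names are constructed placeholders, and it assumes the Windows 2000 machines already sit on their own subnet as RicklesP suggests.

```batch
@echo off
rem Added example, not from any poster in this thread. Run locally on the one DC
rem you want to shield (Windows Server 2003 or later, "netsh ipsec static" context).
rem 10.20.30.0/24 is a constructed placeholder for the VLAN holding the Windows
rem 2000 machines; "Me" resolves to this DC's own addresses.

set POLICY=Block legacy hosts
set FLIST=Legacy host subnet
set FACTION=Block

rem 1. Policy container. It does nothing until it is assigned in step 5.
netsh ipsec static add policy name="%POLICY%" description="Drop traffic from legacy PCs to this DC"

rem 2. Filter list: which traffic the rule matches. mirrored=yes (also the default)
rem    matches the reverse direction too, so replies to those hosts are dropped as well.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=10.20.30.0 srcmask=255.255.255.0 dstaddr=Me protocol=ANY mirrored=yes description="Legacy VLAN to this DC"

rem 3. Filter action: a plain block. No IKE negotiation takes place, so the legacy
rem    hosts never get as far as sending an authentication request to this DC.
netsh ipsec static add filteraction name="%FACTION%" action=block

rem 4. Rule ties the filter list and the action together inside the policy.
netsh ipsec static add rule name="Legacy to DC" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%"

rem 5. Review, then assign (activate) the policy. Only one IPsec policy can be
rem    assigned on a host at a time, so confirm no domain GPO already assigns one.
netsh ipsec static show policy name="%POLICY%"
netsh ipsec static set policy name="%POLICY%" assign=y

rem Rollback if the DC stops answering the wrong clients:
rem   netsh ipsec static set policy name="%POLICY%" assign=n
rem   netsh ipsec static delete policy name="%POLICY%"
```

The blocked hosts still need another reachable DC to log on against, so this only frees one DC in a site that has at least two. An IPsec policy assigned through a domain GPO takes precedence over a locally assigned one, which is why step 5 shows the policy before assigning it.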
#10  26th March 2012, 22:16
auglan, Moderator
Re: IPsec question

Yes make sure you have something in writing to cover yourself.