IPsec question

  • IPsec question

    OK, for one reason or another, we still have some Windows 2000 PCs on the network (public school district), and they are causing havoc, either by being exploited or viral infection (some of them don't have the resources to run our AV program). Our domain controllers are being hammered with authentication requests, most of which are bad. I know this because we get more failed security audits than we do successful ones and the system event log is nothing but SAM errors.

    I've been told that there is a way of combating this via an IPsec policy, that it can be used to challenge and block requests that come from Windows 2000 machines, but I've never fooled with IPsec and it's not very intuitive. Any ideas out there?

  • #2
    Re: IPsec question

    I don't think IPSec will help in this situation.

    I think you need to work on your perimeter defense and locking down your workstations. Having AV/IPS at the gateway and limiting the functionality on the workstations (e.g. disable USB and CD drives on the Win 2000 machines) will go a long way to mitigate the issues.

    Start cleaning up the machines (or rebuild them, it might be faster) and then lock them down tight.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Re: IPsec question

      Originally posted by JeremyW
      I don't think IPSec will help in this situation.

      I think you need to work on your perimeter defense and locking down your workstations. Having AV/IPS at the gateway and limiting the functionality on the workstations (e.g. disable USB and CD drives on the Win 2000 machines) will go a long way to mitigate the issues.

      Start cleaning up the machines (or rebuild them, it might be faster) and then lock them down tight.
      This is probably the most effective way of dealing with this.

      Your edge network needs to be pretty tight and secure and desktops need to be locked down to stop this happening.

      Have you removed Admin rights from the users???



      • #4
        Re: IPsec question

        Defending at the network edge is the ideal place to start. Don't forget about internal security as well. Another good option is to implement DHCP snooping, dynamic ARP inspection and IP source guard. This will stop IP spoofing attacks and man-in-the-middle attacks on your Layer 2 network. If you want to really lock it down, use 802.1X authentication.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: IPsec question

          OK, for further clarification, reloading some of these machines isn't possible, due to their lack of resources (in other words, they can't even run XP effectively). Can't take them off the wire, because our department is micro-managed by superintendents who don't understand technology. All they see is that there is a classroom with no computer in it, and that can't happen. Moving PCs around isn't an option most times, because a lot of the computers in the district were bought with grants, so a PC that was bought for the classroom can't be used by administrative personnel. The traffic is so bad on our network, if we didn't have our ASA working backwards, we wouldn't be able to connect to a lot on the web due to the amount of traffic we generate.

          We have a Cisco IPS on the network, but the problem is, it doesn't know that the request is bad. All the IPS sees is that a computer is sending an authentication request, and it's not recognized as bad until it hits the DC. The DC recognizes the request is invalid and rejects it, but I was told that IPsec could be configured to block requests that come from certain machines. My only objective with this thread is to free up one of the domain controllers so that it can run various scripts without being inundated by these requests.

          I get how stupid it is to still have these computers online, but that decision is made above my head. If it were up to me, I'd replace them all, but it's not.

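The poster's symptom is a security log with more failed audits than successful ones and no way to tell which hosts are responsible. The following triage script is an added example, not code from the thread or from any product mentioned in it: it reads a constructed CSV export of the DC's security log (the five-column layout and all host and user names are assumptions; the event IDs 528/529/675 are the Windows 2000/2003 logon audit IDs) and ranks workstations by failed logons so the worst offenders can be cleaned or rebuilt first.

```python
import csv
import io
from collections import Counter

# Constructed sample of a security-log export. Columns (assumed layout):
# time, audit type, event ID, account name, source workstation.
# 528 = successful logon, 529 = bad user name or password,
# 675 = Kerberos pre-authentication failed. Hosts and accounts are made up.
SAMPLE_LOG = """\
2010-03-02 08:00:01,Failure Audit,529,svc_backup,LAB-W2K-07
2010-03-02 08:00:01,Failure Audit,529,svc_backup,LAB-W2K-07
2010-03-02 08:00:02,Failure Audit,675,administrator,LAB-W2K-03
2010-03-02 08:00:02,Success Audit,528,jsmith,LIB-XP-01
2010-03-02 08:00:03,Failure Audit,529,administrator,LAB-W2K-07
2010-03-02 08:00:03,Failure Audit,529,guest,LAB-W2K-03
2010-03-02 08:00:04,Success Audit,528,mjones,RM12-XP-04
2010-03-02 08:00:04,Failure Audit,529,jsmith,LIB-XP-01
2010-03-02 08:00:05,Failure Audit,675,administrator,LAB-W2K-03
2010-03-02 08:00:05,Failure Audit,529,svc_backup,LAB-W2K-07
2010-03-02 08:00:06,Success Audit,528,jsmith,LIB-XP-01
"""

FIELDS = ["time", "kind", "event_id", "user", "workstation"]


def parse_audit_csv(text):
    """Yield one dict per log row, with the event ID converted to int."""
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["event_id"] = int(row["event_id"])
        yield row


def failure_summary(text):
    """Return (failed, succeeded, Counter of failed logons per workstation)."""
    failed = succeeded = 0
    per_host = Counter()
    for row in parse_audit_csv(text):
        if row["kind"] == "Failure Audit":
            failed += 1
            per_host[row["workstation"]] += 1
        elif row["kind"] == "Success Audit":
            succeeded += 1
    return failed, succeeded, per_host


def noisy_hosts(text, min_failures=3):
    """Workstations with at least min_failures failed logons, noisiest first."""
    _, _, per_host = failure_summary(text)
    return [(h, n) for h, n in per_host.most_common() if n >= min_failures]


if __name__ == "__main__":
    failed, ok, _ = failure_summary(SAMPLE_LOG)
    print(f"failed={failed} succeeded={ok}")
    for host, count in noisy_hosts(SAMPLE_LOG):
        print(f"{host}: {count} failed logons")
```

On a real export, lower or raise `min_failures` to match the DC's normal background rate so that a single mistyped password does not land a host on the list.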


          • #6
            Re: IPsec question

            Not much you can do then if you told them the consequences of this continuing. It may come down to your public IP space getting blacklisted or your ISP stopping service altogether. Hard to believe a public school district would operate like that.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: IPsec question

              Hard for me to believe too. And that's exactly why we have our ASA functioning backwards, so we don't get blacklisted. Gotta keep all that bad traffic in-house!

              Only thing the public school system sees is cost. They have no idea how to run a technology department, and thanks to the spinelessness of my boss, they aren't being told by us, either. So, I'm stuck looking for outlandish work-arounds, such as using IPsec to block Windows 2000 machines from reaching certain domain controllers. We've probably spent more on work-arounds the last couple years than we would have if we'd been able to replace all these computers.



              • #8
                Re: IPsec question

                I presume you have covered your posterior and put all your concerns in writing?

                It would be awful if your older machines were to suffer an unfortunate accident -- I'm sure replacement parts must be a bit difficult to get if, say, a capacitor on the MoBo was to just fall off
                Tom Jones
                MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                PhD, MSc, FIAP, MIITT
                IT Trainer / Consultant
                Ossian Ltd
                Scotland

                ** Remember to give credit where credit is due and leave reputation points where appropriate **



                • #9
                  Re: IPsec question

                  May be a bit late here, but wouldn't the IPSec issue also cause more performance issues on the network? The only thing you really use IPSec for is to hide the contents of the network packets as they transit the wire. The problem is, the encrypt/decrypt has to take place at both ends, so both source & destination machines would slow down.

                  If memory serves, Windows 2000 doesn't speak IPSec, which may be why it was suggested. If those hosts can't follow the IPSec policy req't enforced at the DC, they can't talk to it.

                  Assuming there's at least one switch/router between the Win2000 hosts and the DC in question, wouldn't it be easier to simply assign all the hosts to a single subnet/VLAN with manual addressing, and put an ACL on a switch/router port which blocks that subnet from talking to the DC? Since upgrades and best practice don't seem to apply here, at least this wouldn't cost any extra money, just some time to implement.
                  *RicklesP*
                  MSCA (2003/XP), Security+, CCNA

                  ** Remember: credit where credit is due, and reputation points as appropriate **



                  • #10
                    Re: IPsec question

                    Yes make sure you have something in writing to cover yourself.
                    CCNA, CCNA-Security, CCNP
                    CCIE Security (In Progress)



                    • #11
                      Re: IPsec question

                      Well, we have at least a couple thousand Windows 2000 PCs (we have about 12,000 workstations total) at numerous locations, scattered randomly throughout the buildings. Each location has a different subnet, which is further chopped up using VLANs. So, using subnets to isolate the Windows 2000 PCs isn't really feasible, but I appreciate the advice.
