nanog mailing list archives

RE: Operational impact of filtering SMB/NETBIOS traffic?


From: Richard Welty <rwelty () vpnet com>
Date: Sun, 19 Nov 2000 20:04:34 -0500


Ethan Butterfield [mailto:primus () veris org] wrote:
From: Jim Mercer <jim () reptiles org>
as i understand it, ipsec doesn't use ports.
 
Yes and no. IPSec uses UDP port 500 for the ISAKMP key exchange and the tunnel setup, but all other traffic is IP Protocol 50 (ESP) or 51 (AH). Most firewalls I've seen block weird (i.e., just about everything that's not standard TCP or IP Protocol 1 (ICMP)) by default, or at least flag it as strange.

interestingly enough, ICSA firewall certification requires port 500
(ISAKMP) to be closed, so in theory, you cannot have an ICSA Firewall
that also does standards conforming IPSec.

there is a loophole, however. ICSA will let you off the hook if your
manuals explain how to turn off port 500 in your IPSec capable firewall
(or firewall capable IPSec box.)

richard
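
The three pieces of IPsec traffic the thread describes (ISAKMP on UDP/500, ESP as IP protocol 50, AH as IP protocol 51) run through a small first-match packet-filter evaluator below, comparing the "only TCP and ICMP pass" default policy, an IPsec-aware policy, and one with port 500 closed as ICSA requires. This is an added example, not code from the thread; the rule and packet formats are constructed for the illustration and are not any real firewall's syntax.

```python
"""First-match packet-filter evaluator (constructed illustration) showing which
rules a standards-conforming IPsec peer needs through a firewall: UDP/500 for
ISAKMP, IP protocol 50 (ESP) and IP protocol 51 (AH)."""
from dataclasses import dataclass
from typing import Optional

ICMP, ESP, AH, TCP, UDP = 1, 50, 51, 6, 17   # IP protocol numbers
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    proto: int                    # IP protocol number
    dport: Optional[int] = None   # transport port; None for ESP/AH/ICMP (no ports)


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


def evaluate(rules, pkt: Packet, default: str = "drop") -> str:
    """First matching rule wins; anything unmatched gets the default (drop)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The "block weird stuff" default from the post: only TCP and ICMP get through.
DEFAULT_TCP_ICMP_ONLY = [Rule("accept", TCP), Rule("accept", ICMP)]
# Same policy plus what an IPsec peer needs: IKE on UDP/500, ESP and AH by protocol.
IPSEC_AWARE = [Rule("accept", UDP, ISAKMP_PORT), Rule("accept", ESP),
               Rule("accept", AH)] + DEFAULT_TCP_ICMP_ONLY
# IPsec-aware box with port 500 closed, as ICSA certification demands.
ICSA_PORT500_CLOSED = [Rule("drop", UDP, ISAKMP_PORT)] + IPSEC_AWARE

# Constructed sample flows for one tunnel: the key exchange plus ESP and AH data.
IPSEC_FLOWS = {"isakmp": Packet(UDP, ISAKMP_PORT), "esp": Packet(ESP), "ah": Packet(AH)}


def ipsec_verdicts(rules) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in IPSEC_FLOWS.items()}


def tunnel_can_establish(rules) -> bool:
    """Per the post, key exchange on UDP/500 must pass, plus ESP or AH for the data."""
    v = ipsec_verdicts(rules)
    return v["isakmp"] == "accept" and (v["esp"] == "accept" or v["ah"] == "accept")
```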


