North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Operational impact of filtering SMB/NETBIOS traffic?

  • From: Richard Welty
  • Date: Sun Nov 19 20:09:04 2000

Ethan Butterfield [mailto:[email protected]] wrote:
> From: Jim Mercer <[email protected]>
> > as i understand it, ipsec doesn't use ports.
> Yes and no. IPSec uses UDP port 500 for the ISAKMP key 
> exchange and the
> tunnel setup, but all other traffic is IP Protocol 50 (ESP) 
> or 51 (AH).
> Most firewalls I've seen block wierd (i.e., just about 
> everything that's
> not standard TCP or IP Protocol 1 (ICMP)) by default, or at 
> least flag it
> as strange.

interestingly enough, ICSA firewall certification requires port 500
(ISAKMP) to be closed, so in theory, you cannot have an ICSA Firewall
that also does standards conforming IPSec.

there is a loophole, however. ICSA will let you off the hook if your
manuals explain how to turn off port 500 in your IPSec capable firewall
(or firewall capable IPSec box.)