LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-04-2016, 09:55 AM   #1
danmartinj
Member
 
Registered: Oct 2009
Posts: 117

Rep: Reputation: 1
Linux Firewall Best Practice Question Involving IPsec


Hello everyone,

I have a rather simple question that I have not been able to find an answer to, and hopefully someone here has more experience and knowledge in the area than myself. My question is: what are best practices with firewalls when dealing with IPsec network traffic? Are organizations supposed to allow or deny ESP traffic? I would assume deny, but I have not been able to find anything clearly stating that, and I am wondering if most companies/people even think about this.

Thanks in advance,

Joe
 
Old 02-04-2016, 10:50 AM   #2
fjennings
LQ Newbie
 
Registered: Oct 2015
Location: Phoenix, AZ
Distribution: CentOS, Ubuntu, Debian, Oracle, Red Hat
Posts: 17

Rep: Reputation: 1
Depends on the needs of your environment. IPsec uses ESP, so it would make sense to allow ESP traffic.
 
Old 02-04-2016, 02:02 PM   #3
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
I thought IPSec needed both ESP and AH in order for it to work correctly.
 
Old 02-04-2016, 03:15 PM   #4
fjennings
LQ Newbie
 
Registered: Oct 2015
Location: Phoenix, AZ
Distribution: CentOS, Ubuntu, Debian, Oracle, Red Hat
Posts: 17

Rep: Reputation: 1
@JockVSJock, to my knowledge it does. I've never denied ESP, nor am I about to test it.
 
Old 02-04-2016, 04:26 PM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,338

Rep: Reputation: Disabled
ESP and AH are two entirely different protocols.

Most (just about all, really) IPsec connections use Encapsulating Security Payload, which means IP data packets are encrypted and then encapsulated inside ESP packets. ESP is used for both tunneling and host-to-host transport connections.

Authentication Header is a rare beast, as it doesn't encrypt anything, but instead just signs the data packets and places the data and the corresponding signature inside an AH packet. AH doesn't offer confidentiality, but does ensure integrity, since no third party can modify the packets without invalidating the signature.

ESP is IP protocol 50, while AH is IP protocol 51. Blocking both of these will not necessarily prevent IPsec connections, as most IPsec-capable systems support NAT Traversal (NAT-T), which encapsulates ESP packets inside UDP packets, using port 4500 by default. Today, most ESP connections end up using UDP encapsulation, since that's the only way IPsec can work in scenarios involving NAT.

In addition, IPsec connections are usually negotiated using the IKE/ISAKMP protocol, which has been assigned UDP port 500. Manual keying without ISAKMP is possible, but cumbersome and less secure, and therefore highly uncommon.

Regarding the original question about how firewall admins should deal with IPsec traffic, that's a bit difficult to answer without any context:
  • If you need to allow IPsec tunnels, you'd usually open UDP ports 500 and 4500 as well as allowing IP protocol 50. The latter is often necessary even if NAT-T is used, since some IPsec implementations will only switch to NAT-T after "regular" ESP has been tried and rejected.
  • If you want to prevent IPsec from working, blocking the aforementioned ports and protocols will usually do the trick. However, a user controlling both endpoints could easily change the port numbers.
  • If the idea is to block any kind of tunneling, you're in for a rough ride. IPsec is only one of many tunneling protocols, and others include HTTP, SSTP (which looks exactly like HTTPS, right down to the TCP port number), DNS and even ICMP (ping). Sure, you can block all these, but then no-one will be able to access the Internet at all.
Personally, in "implicit deny" scenarios, I will not allow IPsec-related protocols and ports unless there's an explicitly stated request, approved by management.

But I know that if some user behind the firewall is hellbent on establishing a tunnel to a host outside the network, s/he is probably going to succeed. A clear, written corporate policy, IDS/monitoring, and audits are needed to detect and deal with unauthorized and/or malicious network activity.
 
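The two firewall policies Ser Olmy lists (explicitly permit IPsec for an approved peer, or block it but keep it visible to monitoring) as iptables rule generators. This is an added example, not code from the thread or from any poster; the peer address 203.0.113.10 and interface eth0 are placeholders, and the functions print rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables rules for the
# IPsec ports/protocols discussed above; it prints them, it does not run
# iptables. Apply on a host with e.g.:
#   ipsec_allow_rules 203.0.113.10 eth0 | while read -r r; do iptables $r; done

# Permit IKE/ISAKMP (UDP 500), NAT-T (UDP 4500) and raw ESP (IP protocol 50)
# for ONE approved peer only, in both directions, on the IPsec endpoint itself
# (use FORWARD instead of INPUT/OUTPUT on a gateway that passes the tunnel
# through). AH (IP protocol 51) is deliberately left to the implicit deny.
ipsec_allow_rules() {
    peer="$1"     # remote IPsec gateway address (placeholder in this example)
    wan_if="$2"   # interface facing that peer
    for port in 500 4500; do
        printf '%s\n' "-A INPUT  -i $wan_if -s $peer -p udp --dport $port -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o $wan_if -d $peer -p udp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT  -i $wan_if -s $peer -p esp -j ACCEPT"
    printf '%s\n' "-A OUTPUT -o $wan_if -d $peer -p esp -j ACCEPT"
}

# Deny IPsec signalling and payload protocols leaving the network through a
# gateway, but LOG (rate-limited) before DROP so attempts show up in syslog
# for the IDS/monitoring the post recommends. As the post notes, this only
# catches the default ports; a user controlling both endpoints can move them.
ipsec_deny_rules() {
    wan_if="$1"   # interface towards the Internet
    for match in "-p udp --dport 500" "-p udp --dport 4500" "-p esp" "-p ah"; do
        printf '%s\n' "-A FORWARD -o $wan_if $match -m limit --limit 5/min -j LOG --log-prefix IPSEC-DENY:"
        printf '%s\n' "-A FORWARD -o $wan_if $match -j DROP"
    done
}

# Sanity check: number of rules a generator emits, before handing them to
# iptables-restore.
rule_count() { "$@" | grep -c '^-A'; }
```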