RE: UDP port 500 traffic from two clients

From: Greg A. Woods (woods@weird.com)
Date: 01/29/02


From: woods@weird.com (Greg A. Woods)
To: "Fernando Cardoso" <fernando.cardoso@whatevernet.com>
Date: Tue, 29 Jan 2002 12:47:43 -0500 (EST)


[ On Tuesday, January 29, 2002 at 09:48:56 (-0000), Fernando Cardoso wrote: ]
> Subject: RE: UDP port 500 traffic from two clients
>
> Just a small note on this: you can use IPSec for remote administration of
> servers with the same degree of confidence you'd use SSH. I do understand
> and agree with Greg's concerns about trusting everything on the remote
> network, but you're thinking of IPSec only in terms of tunelling, where you
> have a couple of gateways (peers) doing encryption and decryption on behalf
> of other hosts.

I thought I had explained clearly enough in my post that most
implementations of VPNs using IPSec for this purpose will be of the form
where the remote user is connecting his host to a network via a gateway.

> If you use IPSec in transport mode, you'll have end-to-end
> encryption between two hosts, which is equivalent to what you'd achieve with
> SSH.

That implies that the remote administrator has prepared for the ability
to run IPSec on every host that might be managed from a remote location.
This is very often not true, and sometimes not even possible (such as
with a console terminal server that might be used to reboot a remote
server, etc.).

I wanted to re-iterate this fact because I also wanted to mention that
system managers should probably be using SSH (or maybe if they want and
they can, IPSec in transport mode with every managed server)
consistently even when they are working from a host directly attached to
the private network, and for the very same reasons (which primarily are
of course that with most security incidents originating as "inside
jobs", your greatest threats are probably already legitimately on your
private network!).

-- 
								Greg A. Woods

+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca> Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
