RE: Risks associated to branch office IPSec devices

From: Steve Goldsby (ICS) (sgoldsby_at_integrate-u.com)
Date: 06/22/05

    Date: Tue, 21 Jun 2005 20:05:10 -0500
    To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>, <pen-test@securityfocus.com>
    
    

    First time someone brings in an infected file or downloads something
    with malware on it from the internet, watch the entire VPN-connected
    enterprise meltdown.

    We saw an ENTIRE STATE network do this.

    Steve Goldsby, CEO
    Integrated Computer Solutions, Inc. -- 334.270.2892
    www.integrate-u.com / www.networkarmor.com
    A Democracy cannot exist as a permanent form of government. It can only
    exist until a majority of voters discover that they can vote themselves
    largesse out of the public treasury. -- Alexander Tyler Scottish
    Historian
     

    -----Original Message-----
    From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
    Sent: Tuesday, June 21, 2005 3:01 PM
    To: pen-test@securityfocus.com
    Subject: Risks associated to branch office IPSec devices

    Hello list,

    I have just come across a doubt about branch office VPN devices.
    Normally, they are used so that a branch office's network - typically
    with a private addressing scheme - can securely connect to the
    headquarters' central network.

    Such VPN devices normally do not include a firewall, so I was wondering
    if this really represents a risk:

    Yes - it is a risk if the VPN device just acts as a router (no ACLs) and
    is attached to the Internet.
    No - because the addressing scheme behind it is private, hence
    non-routable, hence unreachable across the Internet (internet routers
    would drop packets with such destinations?)

    The only real risk I see is if the VPN device is cracked, and from there
    the security of the whole network (both branch office and
    headquarters) is exposed. Am I right?

    Any ideas would be more than welcome. Thanks in advance for your advice
    and best regards,

    Rodrigo.

