Re: Risks associated to branch office IPSec devices

• Previous message: Leandro Reox: "RE: how to exploit SQL INJECTION?"
• In reply to: Rodrigo Blanco: "Risks associated to branch office IPSec devices"
• Next in thread: Chris Byrd: "Re: Risks associated to branch office IPSec devices"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 21 Jun 2005 18:20:55 -0700
To: Rodrigo Blanco <rodrigo.blanco.r@gmail.com>

Hey

Most VPN appliances have what are called selectors. I belive per RFC
are bypass, encrypt or drop. If the traffic matches the selector then
just like a firewall rule it will do what ever the selector specifys.
If the IPSec gateway default is to bypass all non-encrypted traffic that
would be bad. Personally if the VPN device is locked down properly and
has anti spoofing code implemented and only allows udp 500 and AH or ESP
I really see no need for a firewall as long as default behavior for
non-ecrypted traffic is drop. As for the NAT portion are you talking
about NAT before IPSec or are talking about VPN GW just NAT'ing out
bound traffic that matches no encrypt selector?

Matt Bellizzi
Nokia Enterprise Systems
SQA Engineer IP VPN Group

ext Rodrigo Blanco wrote:

>Hello list,
>
>I have just come across a doubt about branch office VPN devices.
>Normally, they are used so that a branch office's network - typically
>with a private addressing scheme - can securely connect to the
>headquarters' central network.
>
>Such VPN devices normally do not include a firewall, so I was
>wondering if this really represents a risk:
>
>Yes - it is a risk if the VPN device just acts as a router (no ACLs)
>and is attached to the Internet.
>No - because the addressing scheme behind it is private, hence
>non-routable, hence unreachable across the Internet (internet routers
>would drop packets with such destinations?)
>
>The only real risk I see is if the VPN device is cracked, and from
>there the security of the whole network (both brach office and
>headquarters) is exposed. Am I right?
>
>Any ideas would be more than welcome. Thanks in advance for your
>advice and best regards,
>
>Rodrigo.
>
>
>

• Previous message: Leandro Reox: "RE: how to exploit SQL INJECTION?"
• In reply to: Rodrigo Blanco: "Risks associated to branch office IPSec devices"
• Next in thread: Chris Byrd: "Re: Risks associated to branch office IPSec devices"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: HELP I am adding a third NIC and having problems ... require banks to connect via VPN to that public address for a new product to ... This is why the HW firewall, the VPN device, ... > of the Local Internal Network. ... > Microsoft Internet Security & Acceleration Server: ... (microsoft.public.isa.configuration) Secure Windows Domain auth for Cisco 2691 to Win2k or NT 4 Sever via Radius ... I have a Cisco 2691 vpn device that has 3 static vpn tunnels to some of our ... (Security-Basics) RE: VPN ... If you decide to continue troubleshoothe software VPN issue, ... >password/login failure and therefore no VPN connection available at all. ... Use ISA Server as the VPN server. ... Do not use the hardware VPN device. ... (microsoft.public.windows.server.sbs) Re: [fw-wiz] Integrated VPN/FW Paranoia ... pressure coming to use the VPN device as the firewall and the VPN. ... filter on the outermost edge, ... (Firewall-Wizards) Re: whats your security standard for VPN? ... >- Is your VPN device on, in parallel, or behind the firewall? ... (DMZ setups) ... (comp.security.firewalls)