RE: Nortel Contivity 2600

From: Dario Ciccarone (dciccaro) (dciccaro_at_cisco.com)
Date: 09/06/05

  • Next message: Omar A. Herrera: "RE: superscan on win2k vs winxp"
    Date: Tue, 6 Sep 2005 17:13:49 -0400
    To: "misiu" <misiu_@gmx.de>, <pen-test@securityfocus.com>
    
    

    For the 'why NAT and IPSec don't play nice together' question, go check
    http://www.ietf.org/rfc/rfc3715.txt - and after reading that, check for
    IPSec NAT-T (rfc-editor being a good place to start)

    You mention deploying the VPN box behind an IPS device. Yes and no. What
    are you trying to achieve? If your IPS box is inline, and does protocol
    checking/normalization, that could work - the IPS would drop the
    malformed packets and notify the management console (possibly). But do
    you need/want to have that information?

    Before deciding where to connect the VPN device (firewall, inline IPS,
    nothing) we should decide what we want to achieve by doing it.

    And there have been some comments about the VPN box interaction with
    NAT. Deploying it behind a firewall != NATting - either because you
    configure a 1:1 translation between public IP/private IP, or you use an
    L2-firewall.

    > -----Original Message-----
    > From: misiu [mailto:misiu_@gmx.de]
    > Sent: Tuesday, September 06, 2005 5:14 AM
    > To: pen-test@securityfocus.com
    > Subject: Re: Nortel Contivity 2600
    >
    > Dario Ciccarone (dciccaro) schrieb:
    > > Putting the device in question behind the firewall isn't
    > going to help
    > > him with DoS attacks - unless those attacks are due to malformed
    > > packets, _and_ the firewall in question drops the type of malformed
    > > packets that would trigger the DoS.
    > >
    >
    > Hmm, but if malformed packs come, is it not much better to
    > set it behind
    > an IPS? Firewall is not allways the right thing to protect, i guess.
    > I don't really understand why Nat is not working....
    > The Adresses of the tunnel are not encrypted, do they might have a
    > checksum wich is altered through a NAT device?
    >
    > Do I see this right?
    >
    > misiu
    >
    > --------------------------------------------------------------
    > ----------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking
    > applications on your
    > website. Up to 75% of cyber attacks are launched on shopping
    > carts, forms,
    > login pages, dynamic content etc. Firewalls, SSL and
    > locked-down servers are
    > futile against web application hacking. Check your website
    > for vulnerabilities
    > to SQL injection, Cross site scripting and other web attacks
    > before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > --------------------------------------------------------------
    > -----------------
    >

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------


  • Next message: Omar A. Herrera: "RE: superscan on win2k vs winxp"

    Relevant Pages

    • Re: Hacking to Xp box
      ... I think there was a misunderstanding in the firewall point: ... you need to find some vulnerability that could be exploited to run ... > restricts most of the attacks that use anonymous connections. ... > Audit your website security with Acunetix Web Vulnerability Scanner: ...
      (Pen-Test)
    • Re: Hacking to Xp box
      ... I think there was a misunderstanding in the firewall point: ... you need to find some vulnerability that could be exploited to run ... > restricts most of the attacks that use anonymous connections. ... > Audit your website security with Acunetix Web Vulnerability Scanner: ...
      (Pen-Test)
    • Re: Hacking to Xp box
      ... I think there was a misunderstanding in the firewall point: ... you need to find some vulnerability that could be ... > restricts most of the attacks that use anonymous connections. ... > Audit your website security with Acunetix Web Vulnerability ...
      (Pen-Test)
    • RE: Hacking to Xp box
      ... and an admin with knowledge of their environment would be able ... I think there was a misunderstanding in the firewall point: ... > restricts most of the attacks that use anonymous connections. ... > Audit your website security with Acunetix Web Vulnerability Scanner: ...
      (Pen-Test)
    • Re: Hacking to Xp box
      ... Raw sockets, MS05-019 and Windows Firewall -- Summary ... If>there is a firewall in place,>which attacks are possible through a network? ... >>-->>Audit your website security with Acunetix Web Vulnerability Scanner:>>Hackers are concentrating their efforts on attacking applications on your>website. ...
      (Pen-Test)