RE: Nortel Contivity 2600

From: Kyle Starkey (kstarkey_at_siegeworks.com)
Date: 09/08/05

  • Next message: Brant Hale: "RE: pdas for testing (What about palm devices like the treo?)" 
    Date: Thu, 08 Sep 2005 09:41:29 -0600
To: 'misiu' <misiu_@gmx.de>, pen-test@securityfocus.com

    So I understand the concerns and I think the best way to do this for both
    simplicity and security is a combination of things that have been suggested.

    1) Put the outside interface of the 2600 on border net (outside the FW) and
    pin up some ACL's on the border router as Dario has suggested. This will
    keep all but encrytion traffic getting to your VPN device.

    2) Put the inside interface in a DMZ of its own with an IPS device between
    the inside vpn int and the DMZ interface. This will allow you to monitor
    and shutdown traffic based on sig's in the IPS, but will also allow you to
    rate limit traffic from the VPN and create ACL's for new worm traffic before
    your IPS vendor gets around to creating a sig for it.

    3) Limit traffic on the DMZ interface from the VPN source IP only to items
    that are absolutely necessary. If possible segment different types of users
    into different source IP space so that the ACL's on the DMZ FW can be group
    specific (ie general users get access to the mail server and file share,
    where as security and networking teams aditionally have SSH access to a hop
    point in the network, HR has access to their DB, sales has access to the
    CRM, etc)

    Trust me... After implementing dozens of different VPN solutions over the
    years you are better off to NOT complicate the IPSEC connection by trying to
    put NAT on both the client and server end of the tunnel... You will end up
    tearing your hair out trying to make sure that the vendors have implemented
    the proper RFC's to make sure that is supported... And don't even get me
    started on NAT-T...

    -Kyle

    -----Original Message-----
    From: Dario Ciccarone (dciccaro) [mailto:dciccaro@cisco.com]
    Sent: Tuesday, September 06, 2005 3:14 PM
    To: misiu; pen-test@securityfocus.com
    Subject: RE: Nortel Contivity 2600

    For the 'why NAT and IPSec don't play nice together' question, go check
    http://www.ietf.org/rfc/rfc3715.txt - and after reading that, check for
    IPSec NAT-T (rfc-editor being a good place to start)

    You mention deploying the VPN box behind an IPS device. Yes and no. What
    are you trying to achieve? If your IPS box is inline, and does protocol
    checking/normalization, that could work - the IPS would drop the
    malformed packets and notify the management console (possibly). But do
    you need/want to have that information?

    Before deciding where to connect the VPN device (firewall, inline IPS,
    nothing) we should decide what we want to achieve by doing it.

    And there have been some comments about the VPN box interaction with
    NAT. Deploying it behind a firewall != NATting - either because you
    configure a 1:1 translation between public IP/private IP, or you use an
    L2-firewall.

    > -----Original Message-----
    > From: misiu [mailto:misiu_@gmx.de]
    > Sent: Tuesday, September 06, 2005 5:14 AM
    > To: pen-test@securityfocus.com
    > Subject: Re: Nortel Contivity 2600
    >
    > Dario Ciccarone (dciccaro) schrieb:
    > > Putting the device in question behind the firewall isn't
    > going to help
    > > him with DoS attacks - unless those attacks are due to malformed
    > > packets, _and_ the firewall in question drops the type of malformed
    > > packets that would trigger the DoS.
    > >
    >
    > Hmm, but if malformed packs come, is it not much better to
    > set it behind
    > an IPS? Firewall is not allways the right thing to protect, i guess.
    > I don't really understand why Nat is not working....
    > The Adresses of the tunnel are not encrypted, do they might have a
    > checksum wich is altered through a NAT device?
    >
    > Do I see this right?
    >
    > misiu
    >
    > --------------------------------------------------------------
    > ----------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking
    > applications on your
    > website. Up to 75% of cyber attacks are launched on shopping
    > carts, forms,
    > login pages, dynamic content etc. Firewalls, SSL and
    > locked-down servers are
    > futile against web application hacking. Check your website
    > for vulnerabilities
    > to SQL injection, Cross site scripting and other web attacks
    > before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > --------------------------------------------------------------
    > -----------------
    >

    ---------------------------------------------------------------------------- 

    --
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
  • Next message: Brant Hale: "RE: pdas for testing (What about palm devices like the treo?)"

    Relevant Pages

    • RE: Pen-Test and Social Engineering
      ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
      (Pen-Test)
    • RE: Pen-Test and Social Engineering
      ... "see...your network security is penetrable". ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
      (Pen-Test)
    • Re: Cracking WEP and WPA keys
      ... SecurityFocus wi-fi security mailing list. ... >>802.11G PCMCIA card, and the Linux server was running Samba to talk to ... >>Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
      (Pen-Test)
    • RE: Windows XP SP2 and Security Tools
      ... issues that were in SP2. ... Windows XP SP2 and Security Tools ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are ...
      (Pen-Test)
    • RE: Identifying whether 2 IPs are from the same server
      ... Try to pull banners from both IPs and see if the timestamps match. ... Hackers are concentrating their efforts on attacking applications on your website. ... Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. ... Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! ...
      (Pen-Test)