Re: Outgoing IPSEC

From: Jason Thompson (securitux_at_gmail.com)
Date: 11/22/05

  • Next message: Saqib Ali: "Web based utility for securely changing AD password" 
    Date: Tue, 22 Nov 2005 10:26:42 -0500
To: Securi Net <securinet2004@yahoo.ca>

    No problem.

    With a stateful inspection device (firewall), it does allow
    bidirectional traffic as long as your client initiates the VPN
    connection to the endpoint. Once the client connects to the endpoint
    it creates a connection that your firewall recognizes as 'in state'
    and allows traffic between the two devices. This is by design. So with
    a stateful inspection firewall, even though you are creating rules
    that say allow only outbound from client to endpoint, you are
    essentially saying 'only the client is allowed to initiate a
    connection'. Once the client creates the tunnel, bidirectional traffic
    is permitted so long as it obeys the rules of IP "state" (same IP
    addresses, connection kept alive, in the case of TCP: syn, syn/ack,
    ack, push, push/ack, sequence numbers, acknowledgement numbers, etc).
    UDP state is also kept using timeouts, since UDP is a stateless
    protocol.

    Keep in mind, the ACTUAL TCP, UDP, and IP header (of a tunnelled
    connection) from a client or VPN endpoint is encrypted / encapsulated
    with a completely different header. So an IKE UDP packet's
    encapsulated data from the endpoint to the client (which is in state)
    may be a TCP SYN (beginning of a TCP connection from the other network
    to the client).

    -J

    On 11/21/05, Securi Net <securinet2004@yahoo.ca> wrote:
    >
    > Jason,
    >
    > Thank you for your elaborate response to my query.
    >
    > Excuse my ignorance of the way IPSEC tunnels are
    > established here, but by permitting only outgoing
    > traffic on port 500, would I not succeed in forcing a
    > uni-directional tunnel to the external organization.
    > Or is my understanding of the technology off the mark.
    >
    > We have mulled over the option of forcing him onto a
    > seprate VLAN, but need a clinical argument about the
    > secuirty risks in opening up IPSEC for him. This is
    > also being backed by an acceptable use policy.
    >
    > Thanks again for your responses.
    >
    > CP
    >
    > --- Jason Thompson <securitux@gmail.com> wrote:
    >
    > > Here's one of the big issues which deals with the
    > > endpoint rather than
    > > Internet threats.
    > >
    > > Once the VPN connection is established, you have no
    > > control over what
    > > traffic is transmitted on the tunnelled network. You
    > > essentially open
    > > an unchecked bidirectional link between the VPN
    > > client and the network
    > > to which he is connecting on the other end. You are
    > > essentially
    > > relying on the other company to enforce a policy on
    > > that contractor,
    > > which is a nauseating thought. Also in the case of
    > > a split tunnel,
    > > that contractor's PC could be used by someone or
    > > something in the
    > > other organization as a jumping point into your
    > > network. Further to
    > > that, since the traffic is encrypted, you do not
    > > have the ability to
    > > monitor what the contractor is doing. This
    > > individual could be doing
    > > anything from browsing questionable sites through
    > > company X's network
    > > to receiving the worm-du-jour. Single tunnel does
    > > nothing here,
    > > because in a single tunnel situation once
    > > disconnected from company
    > > X's network, it will spread throughout yours.
    > >
    > > It's all about acceptable risk of course, and
    > > unfortunately in a lot
    > > of cases contractor access to VPN is a requirement,
    > > so do what you can
    > > to lock it down. First off put the contractor on a
    > > different VLAN than
    > > other users and do not allow access to your internal
    > > resources; the
    > > VLAN should route right to your firewall. If s/he
    > > needs access to
    > > internal resources, then s/he does it with one of
    > > your company's PC's.
    > > Also, make the contractor and the other organization
    > > sign an
    > > acceptable use policy as well as a policy specifying
    > > that 'due care'
    > > will be taken while operating inside the network (AV
    > > always on,
    > > desktop firewall, regular AV scans and updates,
    > > etc). That way if they
    > > introduce something nasty into your environment and
    > > they didn't
    > > exercise due care, they can be held liable. But most
    > > importantly, the
    > > policy shows the other organization that you take
    > > information security
    > > seriously and you have your eye on them.
    > >
    > > If s/he needs access just to get e-mail, the
    > > consulting company should
    > > be putting up an OWA server with two factor auth...
    > > if they don't have
    > > one already. Some companies require it as they don't
    > > allow VPN out at
    > > all.
    > >
    > > -J
    > >
    > > On 11/18/05, Securi Net <securinet2004@yahoo.ca>
    > > wrote:
    > > > Hello List members,
    > > >
    > > > I have a question on risks associated with
    > > allowing
    > > > outgoing IPSEC traffic on a firewall.
    > > >
    > > > I have a contractor who works onsite within our
    > > > network and needs outgoing port 500 opened on our
    > > > firewall for him to vpn into his company network.
    > > >
    > > > I would like to know about the risks involved in
    > > > facilitating such access outside, as I have heard
    > > some
    > > > talk about security issues around split
    > > tunnelling. As
    > > > far as I can understand it, the only threat to our
    > > > network from the outside would be if someone on
    > > the
    > > > outside tries to spoof a session inside using an
    > > > existing outward connection.
    > > >
    > > > Can anyone shed some light on what I shud be
    > > concerned
    > > > about here.
    > > >
    > > > CP
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > > >
    > >
    > __________________________________________________________
    > > > Find your next car at http://autos.yahoo.ca
    > > >
    > >
    >
    >
    >
    >
    >
    >
    >
    > __________________________________________________________
    > Find your next car at http://autos.yahoo.ca
    >

  • Next message: Saqib Ali: "Web based utility for securely changing AD password"

    Relevant Pages

    • RE: VPN connection
      ... I understand that when you try to establish a VPN ... connection from a remote client, the connection terminated in the process ... Please temporarily place a client directly connected to the external NIC ... of the SBS Server. ...
      (microsoft.public.windows.server.sbs)
    • RE: Problems with connectcomputer and active directory
      ... I understand that you would like to join a remote client to the domain. ... If you have hardware VPN tunnel setup using Linksys or others, ... In this scenario you have to configure the SBS Server computer to enable ... Create a VPN connection to ISA/RRAS on the Internet ...
      (microsoft.public.windows.server.sbs)
    • RE: VPN timeouts
      ... I do not use ISA & was wondering if there is a configurable option on the ... You remote clients VPN connection will timeout while trying to connect SBS ... between remote client and SBS server which caused by lack of network ...
      (microsoft.public.windows.server.sbs)
    • Re: VPN issues on SBS2003 with ISA 2004 installed
      ... Based on our work above, it seems the problem in client side, so I suggest ... and then click the Network and Dial-up ... Right-click the VPN connection that you want to change, ...
      (microsoft.public.windows.server.sbs)
    • RE: VPN fail to connect
      ... How do you configure the VPN connection? ... Please logon to an internal client computer, ... Microsoft CSS Online Newsgroup Support ...
      (microsoft.public.windows.server.sbs)