Re: inter-site WAN security question



Hi Andrew, thanks for the quick reply.

So if I understand you correctly, if someone were sniffing on a router between the two sites and the VPN was in tunnel mode, then they would not be able to see the source and destination IPs - is that correct?

Sorry, a bit ignorant about the inner workings of IPsec VPNs... what about during the initial tunnel establishment - how does the VPN server at s1 know the path to the VPN server at s2?


Thanks again...

On Wed, 04 Jul 2007 15:33:06 -0400 Andrew Harris
<andrew.f.harris@xxxxxxxxx> wrote:
The question you want answered is based on the implementation of the VPN. If the VPN is using IPSec's Tunnel mode, headers & the payload are encrypted/encapsulated. If just using Transport mode, only the payload is encapsulated, so the IPs appear in plaintext. So to answer your question, if using Transport mode, then the hacker would be able to see that S1 and S2 are in communication. In Tunnel mode, the hacker would have a very hard time, and then the weakness of the security lies in the IPSec encryption itself (how long it takes to crack that...).

Hope this helps

On 7/4/07, nobledark@xxxxxxxxxxxx <nobledark@xxxxxxxxxxxx> wrote:

Hi,

1st post - I had a hypothetical question posed to me that I could not answer, so I thought that I would ask the list. Here's the scenario:

- Two sites, s1 and s2
- s1 and s2 have the need for a bi-directional WAN link
- The WAN link would be secured via a VPN and all traffic would be tunneled through the VPN
- Both sites are connected via broadband links; s1 is on a cable modem and s2 utilizes a fractional T-1.
- There are 5 hops between s1 and s2.

Given this scenario, the question was, how anonymous can the connection be between these sites? Put a different way, assuming that s1 and s2 are secure and not under hacker control, how much of a threat is there of a 3rd party monitoring the traffic stream over the route between the sites and discovering that they are talking to each other?

Thanks....

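The transport-versus-tunnel distinction discussed in this thread is easiest to see by building both packet shapes and then looking at them the way a router in the middle would. The following is an added example, not code from anyone on the list: it models ESP encapsulation with a minimal IPv4 header, a cleartext SPI/sequence number, and an encrypted payload plus integrity check. The cipher is an HMAC-SHA256 counter-mode keystream standing in for a real IPsec transform, and the addresses, key and SPI are constructed sample values (RFC 5737 documentation ranges), so none of it should be read as a real IPsec implementation. The point it demonstrates is exactly the one made above: in transport mode the observer sees the end hosts talking; in tunnel mode the observer sees only the two VPN gateways, and the inner header is recovered intact on the far side.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4   # next-header value for an IPv4 packet carried inside ESP (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

# Constructed sample values (RFC 5737 documentation ranges); not real sites or keys
S1_HOST, S1_GATEWAY = "192.0.2.10", "192.0.2.1"
S2_HOST, S2_GATEWAY = "198.51.100.20", "198.51.100.1"
SA_KEY = b"constructed-demo-key-not-for-real-use"
SA_SPI = 0x1234ABCD


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header (checksum left zero; irrelevant to the model)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Split a packet into (src, dst, proto, payload)."""
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6], pkt[20:]


def keystream(key, spi, seq, length):
    """Stand-in for the SA's cipher: HMAC-SHA256 in counter mode. NOT a real IPsec transform."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(key, spi, seq, plaintext, next_header):
    """ESP: cleartext SPI + seq, encrypted payload + (pad length, next header) trailer, then ICV."""
    body = plaintext + bytes([0, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:16]
    return header + ciphertext + icv


def esp_decapsulate(key, esp):
    """Verify the ICV, decrypt, and return (plaintext, next_header); raise on tampering."""
    header, ciphertext, icv = esp[:8], esp[8:-16], esp[-16:]
    expected = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    body = bytes(a ^ b for a, b in zip(ciphertext, keystream(key, spi, seq, len(ciphertext))))
    return body[:-2], body[-1]


def transport_mode(key, spi, seq, inner_packet):
    """Transport mode keeps the original IP header; only the transport payload is protected."""
    src, dst, proto, payload = parse_ipv4(inner_packet)
    esp = esp_encapsulate(key, spi, seq, payload, proto)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode wraps the whole original packet, header included, in a new outer header."""
    esp = esp_encapsulate(key, spi, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def observer_view(pkt):
    """Everything an on-path router learns without the SA key: outer header plus ESP SPI/seq."""
    src, dst, proto, payload = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", payload[:8])
    return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq}


def demo():
    """Send one constructed s1-host -> s2-host segment both ways; compare the observer's view."""
    segment = b"hello, s2"
    inner = ipv4_header(S1_HOST, S2_HOST, IPPROTO_TCP, len(segment)) + segment
    transport_pkt = transport_mode(SA_KEY, SA_SPI, 1, inner)
    tunnel_pkt = tunnel_mode(SA_KEY, SA_SPI, 2, S1_GATEWAY, S2_GATEWAY, inner)
    # the receiving gateway strips the outer header and gets the original packet back unchanged
    recovered, next_header = esp_decapsulate(SA_KEY, parse_ipv4(tunnel_pkt)[3])
    return {"transport": observer_view(transport_pkt),
            "tunnel": observer_view(tunnel_pkt),
            "tunnel_roundtrip_ok": next_header == IPPROTO_IPIP and recovered == inner}


if __name__ == "__main__":
    for mode, view in demo().items():
        print(mode, view)
```

Running `demo()` shows the transport-mode packet carrying `192.0.2.10 -> 198.51.100.20` in the clear, while the tunnel-mode packet shows only `192.0.2.1 -> 198.51.100.1`. Note what tunnel mode does not hide: the observer still sees that the two gateways exchange ESP (protocol 50), the SPI, and the packet sizes and timing, so the sites' relationship is concealed only down to the gateway level, which is the practical answer to the original question.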


