Re: inter-site WAN security question



If you have network A and network B connected to each other via a VPN link (say, via a router at each network), where hosts on network A can talk to hosts on network B over the VPN tunnel, then someone sniffing the traffic in between can tell that router A and router B are talking, but can't tell which host from network A is talking to which host on network B, or what they're saying.

~Dathan

nobledark@xxxxxxxxxxxx wrote:
Hi Andrew, thanks for the quick reply..

So if I understand you correctly, if someone were sniffing on a router between the two sites and the VPN was in tunnel mode then they would not be able to see the source and destination IPs - is that correct?

Sorry, a bit ignorant about the inner workings of IPSEC VPNs...what about during the initial tunnel establishment - how does the vpn server at s1 know the path to the vpn server at s2?


Thanks again...

On Wed, 04 Jul 2007 15:33:06 -0400 Andrew Harris <andrew.f.harris@xxxxxxxxx> wrote:
The question you want answered is based on the implementation of the VPN. If the VPN is using IPSec's Tunnel mode, headers & the payload are encrypted/encapsulated. If just using Transport mode, only the payload is encapsulated so the IPs appear in plaintext. So to answer your question, if using Transport mode, then the hacker would be able to see that S1 and S2 are in communication. In Tunnel mode, the hacker would have a very hard time and then the weakness of the security lies in the IPSec encryption itself (how long it takes to crack that...).

Hope this helps

On 7/4/07, nobledark@xxxxxxxxxxxx <nobledark@xxxxxxxxxxxx> wrote:
Hi,

1st post - I had a hypothetical question posed to me that I could not answer so I thought that I would ask the list. Here's the scenario:

- Two sites, s1 and s2
- s1 and s2 have the need for a bi-directional WAN link
- The WAN link would be secured via a VPN and all traffic would be tunneled through the VPN
- Both sites are connected via broadband links; s1 is on a cable modem and s2 utilizes a fractional T-1.
- There are 5 hops between s1 and s2.

Given this scenario, the question was, how anonymous can the connection be between these sites? Put a different way, assuming that s1 and s2 are secure and not under hacker control, how much of a threat is there of a 3rd party monitoring the traffic stream over the route between the sites and discovering that they are talking to each other?

Thanks....





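Added example (not part of the thread, and not anyone's posted code): a toy model of the point made above about ESP in tunnel mode versus transport mode. It builds both encapsulations for the same inner packet and then runs an "observer" that has no key over the bytes on the wire, returning only what the sniffer can read. In tunnel mode the outer header carries the two gateway addresses (so the sniffer learns the gateways are talking, as Dathan says) while the inner host-to-host header is inside the ciphertext; in transport mode the original header, with the real source and destination, stays in the clear. All addresses, the key and the "cipher" (a SHA-256 keystream standing in for ESP's real cipher) are constructed for the demo.

```python
"""Toy ESP tunnel-vs-transport model. Constructed example; the keystream
cipher is a stand-in for the real IPsec algorithms, not a secure one."""
import hashlib
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: XOR with a SHA-256 counter-mode keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class IPHeader:
    src: str
    dst: str


def encode_ip(hdr: IPHeader, payload: bytes) -> bytes:
    """Simplified packet layout: 'src>dst|' followed by the payload."""
    return f"{hdr.src}>{hdr.dst}|".encode() + payload


def esp_tunnel(key: bytes, inner: IPHeader, payload: bytes,
               gw_a: str, gw_b: str) -> bytes:
    """Tunnel mode: the whole inner packet (header + payload) is encrypted
    and wrapped in a new outer header between the two gateways."""
    nonce = os.urandom(8)
    inner_packet = encode_ip(inner, payload)
    return encode_ip(IPHeader(gw_a, gw_b),
                     b"ESP" + nonce + keystream_xor(key, nonce, inner_packet))


def esp_transport(key: bytes, hdr: IPHeader, payload: bytes) -> bytes:
    """Transport mode: only the payload is encrypted; the original
    host-to-host header is sent in the clear."""
    nonce = os.urandom(8)
    return encode_ip(hdr, b"ESP" + nonce + keystream_xor(key, nonce, payload))


def observer_view(wire: bytes) -> dict:
    """What a passive sniffer with no key can read: the outer header only."""
    header, _, body = wire.partition(b"|")
    src, dst = header.decode().split(">")
    return {"src": src, "dst": dst,
            "protocol": "ESP" if body.startswith(b"ESP") else "other"}


def decapsulate_tunnel(key: bytes, wire: bytes):
    """Receiving gateway: strip the outer header, decrypt, recover inner packet."""
    _, _, body = wire.partition(b"|")
    nonce, ciphertext = body[3:11], body[11:]
    inner_packet = keystream_xor(key, nonce, ciphertext)
    hdr, _, payload = inner_packet.partition(b"|")
    src, dst = hdr.decode().split(">")
    return IPHeader(src, dst), payload


def demo() -> dict:
    """Constructed scenario: a host at s1 talks to a host at s2 through
    gateways using RFC 5737 documentation addresses."""
    key = hashlib.sha256(b"constructed demo key").digest()
    inner = IPHeader("10.1.0.23", "10.2.0.7")
    payload = b"GET /payroll HTTP/1.0"
    gw_s1, gw_s2 = "203.0.113.1", "198.51.100.1"

    tunnel_wire = esp_tunnel(key, inner, payload, gw_s1, gw_s2)
    transport_wire = esp_transport(key, inner, payload)
    return {
        "tunnel": observer_view(tunnel_wire),
        "transport": observer_view(transport_wire),
        "inner_src_visible_in_tunnel": inner.src.encode() in tunnel_wire,
        "inner_src_visible_in_transport": inner.src.encode() in transport_wire,
        "payload_visible": payload in tunnel_wire or payload in transport_wire,
        "round_trip_ok": decapsulate_tunnel(key, tunnel_wire) == (inner, payload),
    }


if __name__ == "__main__":
    for mode, view in demo().items():
        print(mode, view)
```

The useful check for a practitioner is the pair of booleans: in both modes the payload never appears on the wire, but only tunnel mode also keeps the inner source and destination out of the sniffer's view, and even then the gateway-to-gateway pair is visible.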


