From: Rodrigo Blanco (rodrigo.blanco.r@gmail.com)
Date: Thu Sep 08 2005 - 14:00:11 EDT
I would still put the outside interface of the VPN device behind an in-line IPS
box; otherwise you could still be vulnerable to DoS attacks (IKE
flooding...) against the VPN device itself.
However, I completely agree to keep things as simple as possible.
Regards,
Rodrigo.
On 9/8/05, Kyle Starkey <kstarkey@siegeworks.com> wrote:
> So I understand the concerns and I think the best way to do this for both
> simplicity and security is a combination of things that have been suggested.
>
> 1) Put the outside interface of the 2600 on the border net (outside the FW) and
> pin up some ACLs on the border router as Dario has suggested. This will
> keep all but encryption traffic from getting to your VPN device.
>
> 2) Put the inside interface in a DMZ of its own with an IPS device between
> the inside vpn int and the DMZ interface. This will allow you to monitor
> and shut down traffic based on sigs in the IPS, but will also allow you to
> rate limit traffic from the VPN and create ACLs for new worm traffic before
> your IPS vendor gets around to creating a sig for it.
>
> 3) Limit traffic on the DMZ interface from the VPN source IP only to items
> that are absolutely necessary. If possible segment different types of users
> into different source IP space so that the ACLs on the DMZ FW can be group
> specific (i.e. general users get access to the mail server and file share,
> whereas security and networking teams additionally have SSH access to a hop
> point in the network, HR has access to their DB, sales has access to the
> CRM, etc)
>
> Trust me... After implementing dozens of different VPN solutions over the
> years you are better off to NOT complicate the IPSEC connection by trying to
> put NAT on both the client and server end of the tunnel... You will end up
> tearing your hair out trying to make sure that the vendors have implemented
> the proper RFCs to make sure that is supported... And don't even get me
> started on NAT-T...
>
> -Kyle
>
> -----Original Message-----
> From: Dario Ciccarone (dciccaro) [mailto:dciccaro@cisco.com]
> Sent: Tuesday, September 06, 2005 3:14 PM
> To: misiu; pen-test@securityfocus.com
> Subject: RE: Nortel Contivity 2600
>
>
> For the 'why NAT and IPSec don't play nice together' question, go check
> http://www.ietf.org/rfc/rfc3715.txt - and after reading that, check for
> IPSec NAT-T (rfc-editor being a good place to start)
>
> You mention deploying the VPN box behind an IPS device. Yes and no. What
> are you trying to achieve? If your IPS box is inline, and does protocol
> checking/normalization, that could work - the IPS would drop the
> malformed packets and notify the management console (possibly). But do
> you need/want to have that information?
>
> Before deciding where to connect the VPN device (firewall, inline IPS,
> nothing) we should decide what we want to achieve by doing it.
>
> And there have been some comments about the VPN box interaction with
> NAT. Deploying it behind a firewall != NATting - either because you
> configure a 1:1 translation between public IP/private IP, or you use an
> L2-firewall.
>
>
>
> > -----Original Message-----
> > From: misiu [mailto:misiu_@gmx.de]
> > Sent: Tuesday, September 06, 2005 5:14 AM
> > To: pen-test@securityfocus.com
> > Subject: Re: Nortel Contivity 2600
> >
> > Dario Ciccarone (dciccaro) wrote:
> > > Putting the device in question behind the firewall isn't going to help
> > > him with DoS attacks - unless those attacks are due to malformed
> > > packets, _and_ the firewall in question drops the type of malformed
> > > packets that would trigger the DoS.
> > >
> >
> > Hmm, but if malformed packets come, is it not much better to set it behind
> > an IPS? A firewall is not always the right thing to protect, I guess.
> > I don't really understand why NAT is not working....
> > The addresses of the tunnel are not encrypted, but they might have a
> > checksum which is altered by a NAT device?
> >
> > Do I see this right?
> >
> > misiu
> >
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
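Editor's note: the following is a worked example added to this archive page, not code from Rodrigo, Kyle, Dario, misiu, Nortel or Cisco. It answers misiu's checksum question and the RFC 3715 pointer above by building the three packet shapes at issue and pushing each through a source NAT: AH in transport mode, ESP in transport mode, and ESP in tunnel mode carried in UDP/4500 as NAT-T does. Everything in it is constructed for the demonstration: the key (a real one comes out of IKE), the SPI, the addresses (RFC 1918 and RFC 5737 ranges), the "application data", and the choice of NULL encryption (RFC 2410) so the ESP payload stays readable. HMAC-SHA-256 truncated to 128 bits stands in as the integrity algorithm for both AH and ESP.

```python
# Added example, not from the thread: what a source NAT does to AH, to transport-mode ESP
# and to UDP-encapsulated tunnel-mode ESP (NAT-T). Key, SPI, addresses and application
# data are constructed. ESP uses NULL encryption (RFC 2410) so the payload stays readable;
# integrity for both AH and ESP is HMAC-SHA-256 truncated to 128 bits.
import hashlib, hmac, socket, struct
KEY = b"constructed-demo-key-not-from-IKE"
SPI = 0x1000
CLIENT, NAT_IP = "192.168.1.10", "203.0.113.7"   # client behind a NAT, the NAT's public side
VPN, INSIDE = "198.51.100.20", "10.0.0.5"        # VPN outside address, a host behind it

def ones_complement(data: bytes) -> int:
    # RFC 1071 checksum; returns 0 when run over data that already carries a valid checksum.
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement(hdr)) + hdr[12:]

def tcp_pseudo(src: str, dst: str, seg: bytes) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))

def tcp_segment(src: str, dst: str, data: bytes) -> bytes:
    seg = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x18, 8192, 0, 0) + data
    return seg[:16] + struct.pack("!H", ones_complement(tcp_pseudo(src, dst, seg) + seg)) + seg[18:]

def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    # The receiver rebuilds the pseudo-header from the addresses *it* sees on the packet.
    return ones_complement(tcp_pseudo(src, dst, seg) + seg) == 0

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

# AH (RFC 4302): the ICV also covers the IP header, minus its mutable fields.
def ah_icv(ip_hdr: bytes, ah_and_payload: bytes) -> bytes:
    h = bytearray(ip_hdr)
    h[1], h[8], h[6:8], h[10:12] = 0, 0, b"\0\0", b"\0\0"   # TOS, TTL, flags/frag, checksum
    return mac(bytes(h) + ah_and_payload)   # src/dst are immutable: a NAT rewriting them breaks the ICV

def ah_packet(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    ah = struct.pack("!BBHII", next_hdr, 5, 0, SPI, 1)   # 12-byte AH header, then the 16-byte ICV
    hdr = ipv4_header(src, dst, 51, len(ah) + 16 + len(payload))
    return hdr + ah + ah_icv(hdr, ah + bytes(16) + payload) + payload

def ah_verify(pkt: bytes) -> bool:
    hdr, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(ah_icv(hdr, ah + bytes(16) + payload), icv)

# ESP (RFC 4303): the ICV covers SPI..next-header only, never the outer IP header.
def esp_wrap(next_hdr: int, payload: bytes) -> bytes:
    pad = -(len(payload) + 2) % 4
    body = struct.pack("!II", SPI, 1) + payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    return body + mac(body)

def esp_unwrap(esp: bytes):
    body, icv = esp[:-16], esp[-16:]
    if not hmac.compare_digest(mac(body), icv):
        return None
    pad, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad]

def source_nat(pkt: bytes, new_src: str, new_sport: int = None) -> bytes:
    # A NAT rewrites only what it can see: the outer source address (plus a UDP source
    # port for NAT-T) and the IP header checksum. The NAT-T UDP checksum stays 0 (RFC 3948).
    h = bytearray(pkt[:20])
    h[12:16], h[10:12] = socket.inet_aton(new_src), b"\0\0"
    h[10:12] = struct.pack("!H", ones_complement(bytes(h)))
    rest = pkt[20:]
    if new_sport is not None and h[9] == 17:
        rest = struct.pack("!H", new_sport) + rest[2:]
    return bytes(h) + rest

def run_scenarios() -> dict:
    r, data = {}, b"constructed application data"
    # 1. AH transport mode: the private source address is part of the ICV input.
    pkt = ah_packet(CLIENT, VPN, 6, tcp_segment(CLIENT, VPN, data))
    r["ah_before_nat"] = ah_verify(pkt)
    r["ah_after_nat"] = ah_verify(source_nat(pkt, NAT_IP))
    # 2. ESP transport mode: the ICV survives, but the TCP checksum was computed over the
    #    pre-NAT source address and the gateway checks it against the address on the wire.
    esp = esp_wrap(6, tcp_segment(CLIENT, VPN, data))
    pkt = source_nat(ipv4_header(CLIENT, VPN, 50, len(esp)) + esp, NAT_IP)
    res = esp_unwrap(pkt[20:])
    r["esp_transport_icv"] = res is not None
    r["esp_transport_tcp_csum"] = bool(res) and tcp_checksum_ok(socket.inet_ntoa(pkt[12:16]), VPN, res[1])
    # 3. ESP tunnel mode inside UDP/4500 (NAT-T): only the outer IP/UDP headers change; the
    #    inner packet, whose addresses the TCP checksum used, rides untouched in the ESP payload.
    seg = tcp_segment(CLIENT, INSIDE, data)
    esp = esp_wrap(4, ipv4_header(CLIENT, INSIDE, 6, len(seg)) + seg)   # next header 4 = IP-in-IP
    udp = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0) + esp
    pkt = source_nat(ipv4_header(CLIENT, VPN, 17, len(udp)) + udp, NAT_IP, 61001)
    res = esp_unwrap(pkt[28:])                                          # past outer IP + UDP
    r["esp_tunnel_natt_icv"] = res is not None
    r["esp_tunnel_natt_tcp_csum"] = bool(res) and res[0] == 4 and tcp_checksum_ok(
        socket.inet_ntoa(res[1][12:16]), socket.inet_ntoa(res[1][16:20]), res[1][20:])
    return r
```

run_scenarios() returns six verdicts: AH verifies before the NAT and fails after it; transport-mode ESP still verifies after the NAT but the TCP checksum inside it fails; tunnel-mode ESP in UDP/4500 verifies and the inner TCP checksum is intact. That is the whole of RFC 3715 in three packets: AH can never cross a NAT, transport-mode ESP needs the decapsulating peer to repair the transport checksum from the original addresses learned during IKE (what RFC 3948 specifies), and tunnel mode in UDP is what NAT-T (RFC 3947/3948) actually negotiates. It also bears on Dario's "behind a firewall != NATting": a 1:1 translation leaves plain ESP tunnel mode (protocol 50) verifiable, since the outer header is outside the ICV, but it still breaks AH, and IKE main mode with pre-shared keys identifies the peer by the address it claims in its ID payload rather than the one on the wire, which is one more reason the simpler layout is to keep NAT out of the path entirely.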
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:51 EDT