Firewall Wizards mailing list archives

Re: Question about L2F tunnels


From: Aaron Turner <aturner () vicinity com>
Date: Thu, 20 Apr 2000 13:39:01 -0700 (PDT)


I had a co-worker that once worked at a high-tech company here in the
Silicon Valley (gee, that narrows it a bit now don't it).  He got a call
from the FBI one day.  Turns out someone had broken into a POP for an X.25
dialup and installed a sniffer.  Apparently this setup had sniffed tens of
thousands of username/passwords from hundreds of high-tech companies.  
The agent suggested that my co-worker force everyone to change their
passwords ASAP.

Also, what prevents someone from accidentally misconfiguring your
"tunnel" so that the packets go to the wrong place?  Oh, let me guess- all
their employees are super-humans who make no mistakes. :)  I've seen this
happen once with MCI and a frame-relay connection of mine.  I have no idea
if it's exploitable, but it doesn't give me the warm fuzzies.

I just had a discussion at our monthly BAFUG meeting.  We all agreed that
while many vendors would like you to believe that a VPN does not *require*
encryption, none of us would be willing to accept the risks.  We all
wanted strong authentication (certificates or two-factor) and content
encryption.

YMMV.

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com

On Wed, 19 Apr 2000, Michele M. Jordan wrote:

Okay, I had a major provider who is doing Access VPNs tell a customer this:

    It is their statement that encryption is not necessary since it is not
    leaving the <provider's> network.  The tunnel will provide the necessary
    security is their position.  I then asked her if security wasn't
    necessary, then why do we need the tunnel?  She said to that: "well the
    tunnel provides the necessary security, so encryption isn't necessary
    since it is going from router to router and that's the only connection
    that is possible."

This is financial data via a dial-up to a provider POP; the provider
forwards an L2F tunnel request to my customer, my customer
accepts the tunnel request, authenticates via remote RADIUS, and then
initiates the tunnel.  If we did do encryption, it would need to be from
the provider POP to my customer's router.

I think encryption is necessary; what do you think?

-Michele
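The setup Michele describes carries each dial-up user's PPP session inside an L2F tunnel, and L2F itself adds no encryption layer. As an added illustration (not code from this thread, the provider, or any vendor), the Python below decodes a constructed L2F frame using the header layout as I read it from RFC 2341 and reports what a passive observer on the provider path could read from the encapsulated PPP frame; the tunnel key value, the multiplex/client IDs and the PAP credentials are constructed sample data, and the optional offset and checksum fields are assumed absent.

```python
import struct

L2F_PROTO_PPP = 0x01     # L2F "protocol" value: payload is a PPP frame
PPP_PAP = 0xC023         # PPP Password Authentication Protocol (RFC 1334)
PAP_AUTH_REQUEST = 1

def parse_l2f(frame):
    """Decode an RFC 2341 L2F header; returns (header dict, encapsulated payload).
    Simplification: the optional offset (F bit) and checksum (C bit) are not handled."""
    flags_ver, proto = struct.unpack("!HB", frame[:3])
    h = {"K": bool(flags_ver & 0x4000), "S": bool(flags_ver & 0x1000),
         "version": flags_ver & 0x0007, "protocol": proto}
    pos = 3
    if h["S"]:                                   # optional sequence byte
        h["sequence"] = frame[pos]; pos += 1
    h["mid"], h["cid"], h["length"] = struct.unpack("!HHH", frame[pos:pos + 6])
    pos += 6
    if h["K"]:                                   # key authenticates the tunnel; it encrypts nothing
        (h["key"],) = struct.unpack("!I", frame[pos:pos + 4]); pos += 4
    return h, frame[pos:h["length"]]
def inspect_carried_ppp(payload):
    """Report what a passive observer on the provider path can read from the PPP frame."""
    if payload[:2] == b"\xff\x03":               # HDLC address/control bytes, if not stripped
        payload = payload[2:]
    (ppp_proto,) = struct.unpack("!H", payload[:2])
    body = payload[2:]
    report = {"ppp_protocol": ppp_proto, "encrypted": False}   # L2F adds no confidentiality
    if ppp_proto == PPP_PAP and body[0] == PAP_AUTH_REQUEST:
        id_len = body[4]
        pw_len = body[5 + id_len]
        report.update(finding="PAP credentials readable in clear",
                      peer_id=body[5:5 + id_len].decode(),
                      password=body[6 + id_len:6 + id_len + pw_len].decode())
    return report
def audit_frame(frame):
    hdr, payload = parse_l2f(frame)              # one captured frame as the POP forwards it
    if hdr["protocol"] != L2F_PROTO_PPP:
        return {"finding": "non-PPP L2F payload", "encrypted": False}
    return inspect_carried_ppp(payload)
def build_l2f_ppp_frame(ppp_payload, mid=1, cid=1, key=0xDEADBEEF):
    """Constructed sample: L2F version 1, K bit set, carrying one PPP frame."""
    head = struct.pack("!HB", 0x4000 | 0x0001, L2F_PROTO_PPP)          # K=1, Ver=1
    return head + struct.pack("!HHHI", mid, cid, 13 + len(ppp_payload), key) + ppp_payload
def pap_request(peer_id, password, ident=1):
    """Constructed PPP PAP Authenticate-Request, prefixed with the PPP protocol field."""
    data = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!HBBH", PPP_PAP, PAP_AUTH_REQUEST, ident, 4 + len(data)) + data

SAMPLE_FRAME = build_l2f_ppp_frame(pap_request(b"alice", b"s3cret"))   # constructed data
```

Running `audit_frame(SAMPLE_FRAME)` shows the tunnel key and IDs intact but the PAP user name and password fully readable, which is exactly the exposure a sniffer at a POP would exploit and what router-to-router encryption would close.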
