Security Incidents mailing list archives

RE: UDP port 500 traffic from two clients


From: woods () weird com (Greg A. Woods)
Date: Mon, 28 Jan 2002 19:23:15 -0500 (EST)

[ On Monday, January 28, 2002 at 23:33:27 (+0200), Toni Heinonen wrote: ]
Subject: RE: UDP port 500 traffic from two clients

> In 99 % of these cases there is absolutely nothing malicious about the
> traffic.

Very true.

> You know, IPSec isn't used only for VPN? As a matter of fact,
> you can (as many people have done) configure your Windows 2000 to
> encrypt ABSOLUTELY ALL traffic.

But that's not quite true -- or rather it's a bit off kilter, at least
the way I read it.  As I'm sure you know a "VPN" is a "virtual private
network", i.e. a network on top of another network through which all
data transmitted in it will be kept private (usually by encrypting it
and by ensuring it's safe from tampering).  IPSec is simply one
standardised (and thus interoperable) way of implementing virtual
private networks.  (IPSec doesn't have to implement the "private" part
though -- it can also implement a secure virtual network which does not
encrypt the data.)

SSH plus some IP tunnelling protocol can also implement a VPN.  SSH
alone can simulate a VPN by tunnelling individual TCP connections too.

I.e. IPSec _is_ only used to implement secure virtual networks (private
or otherwise), but it's not the only way to implement such things.

> So, IPSec could be used as a
> substitute for SSH, TLS or other encryption mechanisms. IPSec is
> better than the previous in the fact that it can be used to protect
> ANY kind of IP-traffic.

That's not necessarily true either.  All IPSec, or any VPN for that
matter, can do is protect your data as it travels over a real (and
possibly public) network.  It does nothing to protect your computer and
local applications, or to protect the network it is connected to or the
computers and applications on that remote network, except of course
w.r.t. threats from the real network you're using to interconnect over.
Only a host-to-host VPN can protect your data from end-to-end.  Normally
though an IPSec VPN will only be implemented between a host workstation
and a remote network gateway.

SSH and TLS/SSL and so on normally protect traffic end-to-end (i.e. from
the client host to the server host) over any network, virtual, private,
or otherwise, and thus can still be very useful even over a VPN
implemented using IPsec.  Whether you also need SSH and/or TLS/SSL,
etc., depends on how much you trust the network your VPN is connected
to.  Of course the hosts on the network your VPN connects to must still
trust your host(s), even if you also use SSH and/or TLS/SSL, etc.

For example when doing remote administration of servers on some remote
network you should always use SSH, even if you also have a VPN to
connect your local workstation (and/or local network) to the remote
network.  You should not trust everyone and everything on the remote
network between its gateway and the remote server(s) you're
administering.  If you don't always use SSH any passwords you type to
them may be seen by a sniffer on the remote network.  The same risks
apply to using any remote application where you don't want sensitive
data to be seen or interfered with as it traverses the remote network.

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
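The scope argument in the post above (a workstation-to-gateway IPsec tunnel protects the transit network but not the remote LAN; SSH or TLS covers the path end-to-end but only for the one application flow it carries) can be checked mechanically. The following is an added example, not code from the thread or from any IPsec or SSH implementation: it models a path as a list of hops, each encryption layer as a tunnel between two hops, and reports on which links a passive sniffer would still see a given flow's payload in the clear. The hop names, flow names ("ssh", "smb") and scenario labels are constructed for the illustration.

```python
"""Where is the payload readable?  A small model of layered transport
encryption along a network path (example code, not from the original
post; hop and flow names are constructed labels)."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed path: each entry is a node, each adjacent pair is a link.
# (workstation, office-gateway) is the local LAN, (remote-gateway, server)
# is the remote LAN the post warns about, the rest is the public Internet.
PATH = ["workstation", "office-gateway", "internet", "remote-gateway", "server"]

Link = Tuple[str, str]


@dataclass(frozen=True)
class Tunnel:
    """An encryption layer applied at `src` and removed at `dst`.
    flows=None means the layer protects every IP packet (IPsec style);
    otherwise it protects only the named application flows (SSH/TLS style)."""
    name: str
    src: str
    dst: str
    flows: Optional[frozenset] = None

    def protects(self, flow: str) -> bool:
        return self.flows is None or flow in self.flows


def links(path: List[str]) -> List[Link]:
    """All links on the path as (node, next_node) pairs, in order."""
    return [(path[k], path[k + 1]) for k in range(len(path) - 1)]


def covered_links(path: List[str], tunnel: Tunnel) -> set:
    """Links that lie between the tunnel's two endpoints."""
    i, j = sorted((path.index(tunnel.src), path.index(tunnel.dst)))
    return set(links(path)[i:j])


def exposed_links(path: List[str], tunnels: List[Tunnel], flow: str) -> List[Link]:
    """Links on which `flow` travels under no encryption layer at all.
    A sniffer on any returned link can read or tamper with that flow."""
    covered = set()
    for t in tunnels:
        if t.protects(flow):
            covered |= covered_links(path, t)
    return [link for link in links(path) if link not in covered]


# The configurations discussed in the post (constructed names).
HOST_TO_GATEWAY_IPSEC = Tunnel("ipsec host<->remote gateway", "workstation", "remote-gateway")
SITE_TO_SITE_IPSEC = Tunnel("ipsec gateway<->gateway", "office-gateway", "remote-gateway")
SSH = Tunnel("ssh", "workstation", "server", frozenset({"ssh"}))


def scenario_report() -> dict:
    """Return {scenario: {flow: exposed links}} for an SSH session and for
    some other application flow ("smb") to the same server."""
    cases = {
        "no encryption": [],
        "host-to-gateway ipsec": [HOST_TO_GATEWAY_IPSEC],
        "site-to-site ipsec": [SITE_TO_SITE_IPSEC],
        "host-to-gateway ipsec + ssh": [HOST_TO_GATEWAY_IPSEC, SSH],
        "ssh only": [SSH],
    }
    return {
        name: {flow: exposed_links(PATH, tunnels, flow) for flow in ("ssh", "smb")}
        for name, tunnels in cases.items()
    }


if __name__ == "__main__":
    for name, by_flow in scenario_report().items():
        print(name)
        for flow, exposed in by_flow.items():
            where = [f"{a}->{b}" for a, b in exposed] or "nothing"
            print(f"  {flow:4s}: readable on {where}")
```

Running it shows the two points the post makes side by side: with only the host-to-gateway IPsec tunnel, every flow is readable on the remote-gateway->server link, and adding SSH closes that gap for the SSH session but not for the other application flow; with SSH alone the other flow is exposed on every link, which is the "IPSec protects ANY kind of IP-traffic" side of the argument.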
