Security Incidents mailing list archives

RE: UDP port 500 traffic from two clients

From: woods () weird com (Greg A. Woods)
Date: Tue, 29 Jan 2002 12:47:43 -0500 (EST)

[ On Tuesday, January 29, 2002 at 09:48:56 (-0000), Fernando Cardoso wrote: ]

Subject: RE: UDP port 500 traffic from two clients

Just a small note on this: you can use IPSec for remote administration of
servers with the same degree of confidence you'd use SSH. I do understand
and agree with Greg's concerns about trusting everything on the remote
network, but you're thinking of IPSec only in terms of tunelling, where you
have a couple of gateways (peers) doing encryption and decryption on behalf
of other hosts.


I thought I had explained clearly enough in my post that most
implementations of VPNs using IPSec for this purpose will be of the form
where the remote user is connecting his host to a network via a gateway.

If you use IPSec in transport mode, you'll have end-to-end
encryption between two hosts, which is equivalent to what you'd achieve with
SSH.


That implies that the remote administrator has prepared for the ability
to run IPSec on every host that might be managed from a remote location.
This is very often not true, and sometimes not even possible (such as
with a console terminal server that might be used to reboot a remote
server, etc.).

I wanted to re-iterate this fact because I also wanted to mention that
system managers should probably be using SSH (or maybe if they want and
they can, IPSec in transport mode with every managed server)
consistently even when they are working from a host directly attached to
the private network, and for the very same reasons (which primarily are
of course that with most security incidents originating as "inside
jobs", your greatest threats are probably already legitimately on your
private nework!).

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

UDP port 500 traffic from two clients Chris Wilkes (Jan 28)
- Re: UDP port 500 traffic from two clients Glen Mehn (Jan 28)
- Re: UDP port 500 traffic from two clients Gary Flynn (Jan 28)
  - Re: UDP port 500 traffic from two clients Hugo van der Kooij (Jan 28)
- <Possible follow-ups>
- RE: UDP port 500 traffic from two clients McCammon, Keith (Jan 28)
- RE: UDP port 500 traffic from two clients Toni Heinonen (Jan 28)
  - RE: UDP port 500 traffic from two clients Greg A. Woods (Jan 28)
    - RE: UDP port 500 traffic from two clients Fernando Cardoso (Jan 29)
    - RE: UDP port 500 traffic from two clients Greg A. Woods (Jan 29)