Penetration Testing mailing list archives

Re: [PEN-TEST] Nortel Contivity Extranet Switches


From: Derrick <Derrick () ANEI COM>
Date: Tue, 29 Aug 2000 02:23:43 -0400

Which Contivity switch are you looking at?

The original product was a New Oak box (bought by Bay), which then became
the Bay extranet switch (bought by Nortel), which then became one of the
models in the Nortel Contivity switches. But out of the whole line I think
there are three different purchased other brands in there (if I remember
correctly). This is their mid-line box I think and we really liked it, but
haven't seen it much since about 2 years ago.

In general open UDP port 500 source and dest for ISAKMP, which is the IPSEC
setup session. The only other openings for IPSEC are to leave open IP type
(not port) 50 (actual tunnel) and in some configs type 51 (Authentication
Header). If you can put those 3 rules in a firewall or router in front of
the VPN server then it should be pretty safe on the public interface side.

If you are looking at the Contivity 4500 then there is some certification
you can point to. That model has recently received FIPS 140-1 level 2
certification. This is a NIST level cert done for cryptographic modules. You
can see a reference to it here:
http://csrc.nist.gov/cryptval/140-1/1401val2000.htm. FIPS 140 is a great
standard to set as a base rule of thumb for both VPN servers and user end
dongles and smart cards. Most vendors are headed for this cert as many govt
areas require it. The different levels even cover physical security. However,
so far there is a severe lack of vendors with FIPS certified client
software.

Basically this means that their cryptography modules work as expected when
used as recommended by the vendor. The number one factor I still hit on
VPNs is split-tunneling, where the user can be VPN connected and reach the
internet at the same time. This opens a huge hole if that remote user has
Back Orifice or some other remote backdoor on their workstation. Most newer
VPNs are allowing admins to disable split tunnels from the VPN server as an
overall policy. The second factor is that once the tunnel is established
users can send all sorts of traffic, so a separate firewall behind the VPN
server and some level of IDS is crucial in case an account or laptop gets
hijacked.

There are also several small gotchas on IPSEC when it comes to layer 4 and
layer 7 load balancers and firewalls that do NAT. Certain types of IPSEC
cannot go through NAT, which makes sense when reading the protocol standard. So
test in your lab before getting bitten in production.

** Side note:
I have not fully researched this so test it in your lab before asking the
vendor. While setting up a Contivity 4500 behind a firewall I noticed
strange traffic in our logs. For some reason the Contivity was sending ICMP
traffic back to the public address of the remote client and not over the
tunnel. Not sure if this was for testing the connection or other such
reason, but it is kind of a pain, especially since we block most ICMP traffic.
I would hate to see my logs once 2000+ people are VPN connected.

Derrick
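The three firewall openings Derrick lists (UDP 500 both ways for ISAKMP, IP protocol 50 for ESP, IP protocol 51 for AH) and his later remark that some IPSEC cannot cross NAT, modelled as an added example that is not code from this thread. The packet model, the addresses and the simplified AH integrity check are all constructed for illustration.

```python
"""Toy model of a firewall in front of an IPsec VPN server's public interface,
plus a simplified look at why AH (IP protocol 51) breaks under NAT.
All addresses and packets are constructed for this example."""
import hashlib
from dataclasses import dataclass
from typing import Optional

VPN_PUBLIC = "203.0.113.10"   # constructed: VPN server's public interface
UDP, ESP, AH = 17, 50, 51      # IP protocol numbers (not ports)
ISAKMP_PORT = 500              # UDP port used by ISAKMP/IKE


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # ESP and AH carry no ports at all
    dport: Optional[int] = None
    payload: bytes = b""


def allowed(p: Packet) -> bool:
    """Inbound policy: only the three rules from the post pass, everything
    else aimed at the public interface is dropped."""
    if p.dst != VPN_PUBLIC:
        return False
    if p.proto == UDP:
        # ISAKMP: source AND destination port 500
        return p.sport == ISAKMP_PORT and p.dport == ISAKMP_PORT
    # ESP (50) and AH (51) are matched on the IP protocol field only
    return p.proto in (ESP, AH)


def ah_icv(p: Packet) -> bytes:
    """Simplified AH integrity check value: AH covers the immutable IP header
    fields (including both addresses) as well as the payload."""
    data = f"{p.src}|{p.dst}|{p.proto}|".encode() + p.payload
    return hashlib.sha256(data).digest()


def ah_survives_nat(p: Packet, nat_public_src: str) -> bool:
    """Does the receiver's ICV still verify after a NAT device rewrites the
    source address? If the address changes, it does not."""
    icv_as_sent = ah_icv(p)
    after_nat = Packet(nat_public_src, p.dst, p.proto, payload=p.payload)
    return ah_icv(after_nat) == icv_as_sent
```

The ESP/AH rules show why port-based filters are not enough for IPsec, and the last function is the mechanism behind the NAT gotcha the post warns about.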

"Ogle Ron (Rennes)" wrote:

We are testing the Nortel Contivity switch.  Nortel advertises that this
switch is a firewall and should be placed in parallel with your other
firewalls.  I know that you can install CheckPoint Firewall-1 on the switch,
but the Nortel representative says that there are problems with this type of
install.  I haven't been able to find any evidence that this product has
been independently tested for security weaknesses.

Does anyone know of a site where I can get independent information on this
product or know of weaknesses?  We ran ISS 6.01 against it, and it didn't
find any problems.  Are there any IPsec gotchas that might be exploitable
from this implementation?  Any information would be greatly appreciated
before we install this in parallel.

Thanks in advance.

Ron Ogle
