Penetration Testing mailing list archives

RE: Risks associated to branch office IPSec devices


From: "Steve Goldsby (ICS)" <sgoldsby () integrate-u com>
Date: Tue, 21 Jun 2005 20:05:10 -0500

First time someone brings in an infected file or downloads something
with malware on it from the internet, watch the entire VPN-connected
enterprise melt down.

We saw an ENTIRE STATE network do this. 

Steve Goldsby, CEO 
Integrated Computer Solutions, Inc. -- 334.270.2892 
www.integrate-u.com /  www.networkarmor.com 
A Democracy cannot exist as a permanent form of government.  It can only
exist until a majority of voters discover that they can vote themselves
largesse out of the public treasury.   -- Alexander Tyler Scottish
Historian 
 


-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com] 
Sent: Tuesday, June 21, 2005 3:01 PM
To: pen-test () securityfocus com
Subject: Risks associated to branch office IPSec devices

Hello list,

I have just come across a doubt about branch office VPN devices.
Normally, they are used so that a branch office's network - typically
with a private addressing scheme - can securely connect to the
headquarters' central network.

Such VPN devices normally do not include a firewall, so I was wondering
if this really represents a risk:

Yes - it is a risk if the VPN device just acts as a router (no ACLs) and
is attached to the Internet.
No - because the addressing scheme behind it is private, hence
non-routable, hence unreachable across the Internet (internet routers
would drop packets with such destinations?)

The only real risk I see is if the VPN device is cracked, and from there
the security of the whole network (both branch office and
headquarters) is exposed. Am I right?

Any ideas would be more than welcome. Thanks in advance for your advice
and best regards,

Rodrigo.


