Penetration Testing mailing list archives
RE: Risks associated to branch office IPSec devices
From: "Steve Goldsby (ICS)" <sgoldsby () integrate-u com>
Date: Wed, 22 Jun 2005 15:36:27 -0500
Well... Assuming you don't allow all traffic through the tunnel, a L3 firwall helps immensely to contain the threat locally. So use VPN to provide access to AD/exchange services at central site, port 80/443 to intranet portal... This is a very limited number of ports. If you just have a VPN appliance with no L3 firewall capabilities, you have one big fat open pipe across the enterprise. I agree that you are still at risk even with a L3 firewall, but not as much as having straight IPSEC tunnel. Am I missing something? Steve Goldsby -----Original Message----- From: Matt Bellizzi [mailto:matt.bellizzi () nokia com] Sent: Wednesday, June 22, 2005 2:05 PM To: Steve Goldsby (ICS) Cc: Rodrigo Blanco; pen-test () securityfocus com Subject: Re: Risks associated to branch office IPSec devices And a layer three firewall would prevent this how? Unless you have an application level firewall your still at risk here. Matt Bellizzi Nokia Enterprise Systems SQA Engineer IP VPN Group ext Steve Goldsby (ICS) wrote:
First time someone brings in an infected file or downloads something with malware on it from the internet, watch the entire VPN-connected enterprise meltdown. We saw an ENTIRE STATE network do this. Steve Goldsby, CEO Integrated Computer Solutions, Inc. -- 334.270.2892 www.integrate-u.com
/ www.networkarmor.com A Democracy cannot exist as a permanent form of
government. It can only exist until a majority of voters discover that
they can vote themselves largesse out of the public treasury. -- Alexander Tyler Scottish Historian -----Original Message----- From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com] Sent: Tuesday, June 21, 2005 3:01 PM To: pen-test () securityfocus com Subject: Risks associated to branch office IPSec devices Hello list, I have just come across a doubt about branch office VPN devices. Normally, they are used so that a branch office's network - typically with a private addressing scheme - can securely connect to the headquarters' central network. Such VPN devices normally do not include a firewall, so I was wondering
if this really represents a risk: Yes - it is a risk if the VPN device just acts as a router (no ACLs) and is attached to the Internet. No - because the addressing scheme behind it is private, hence non-routable, hence unreachable across the Internet (internet routers would drop packets with such destinations?) The only real risk I see is if the VPN device is cracked, and from there the security of the whole network (both brach office and headquarters) is exposed. Am I right? Any ideas would be more than welcome. Thanks in advance for your advice
and best regards, Rodrigo.
Current thread:
- Risks associated to branch office IPSec devices Rodrigo Blanco (Jun 21)
- Re: Risks associated to branch office IPSec devices Matt Bellizzi (Jun 21)
- Re: Risks associated to branch office IPSec devices Chris Byrd (Jun 21)
- <Possible follow-ups>
- RE: Risks associated to branch office IPSec devices Steve Goldsby (ICS) (Jun 21)
- Re: Risks associated to branch office IPSec devices Matt Bellizzi (Jun 22)
- RE: Risks associated to branch office IPSec devices Robert Hines (Jun 22)
- Re: Risks associated to branch office IPSec devices Matt Bellizzi (Jun 22)
- RE: Risks associated to branch office IPSec devices Steve Goldsby (ICS) (Jun 22)