Penetration Testing mailing list archives

RE: Risks associated to branch office IPSec devices


From: "Robert Hines" <b.hines () comcast net>
Date: Wed, 22 Jun 2005 21:00:31 -0400

True, 

Without a proxy (application) firewall, hopefully one that can
decrypt/encrypt and do deep content inspection, you would be vulnerable.
Even IPsec tunnel mode is susceptible to attack with the right tools and a
savvy attack strategy; a cracker worth their salt could crash your stack and
insert their shell with the system owner none the wiser.

Bob
Freelance CISSP 

-----Original Message-----
From: Matt Bellizzi [mailto:matt.bellizzi () nokia com] 
Sent: Wednesday, June 22, 2005 3:05 PM
To: ext Steve Goldsby (ICS)
Cc: Rodrigo Blanco; pen-test () securityfocus com
Subject: Re: Risks associated to branch office IPSec devices

And a layer three firewall would prevent this how? Unless you have an
application level firewall you're still at risk here.


Matt Bellizzi
Nokia Enterprise Systems
SQA Engineer IP VPN Group

ext Steve Goldsby (ICS) wrote:

First time someone brings in an infected file or downloads something
with malware on it from the internet, watch the entire VPN-connected
enterprise melt down.

We saw an ENTIRE STATE network do this. 

Steve Goldsby, CEO 
Integrated Computer Solutions, Inc. -- 334.270.2892 
www.integrate-u.com /  www.networkarmor.com 
A Democracy cannot exist as a permanent form of government. It can only
exist until a majority of voters discover that they can vote themselves
largesse out of the public treasury. -- Alexander Tyler, Scottish
Historian



-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r () gmail com] 
Sent: Tuesday, June 21, 2005 3:01 PM
To: pen-test () securityfocus com
Subject: Risks associated to branch office IPSec devices

Hello list,

I have just come across a doubt about branch office VPN devices.
Normally, they are used so that a branch office's network - typically
with a private addressing scheme - can securely connect to the
headquarters' central network.

Such VPN devices normally do not include a firewall, so I was wondering
if this really represents a risk:

Yes - it is a risk if the VPN device just acts as a router (no ACLs) and
is attached to the Internet.
No - because the addressing scheme behind it is private, hence
non-routable, hence unreachable across the Internet (internet routers
would drop packets with such destinations?)

The only real risk I see is if the VPN device is cracked, and from there
the security of the whole network (both branch office and
headquarters) is exposed. Am I right?

Any ideas would be more than welcome. Thanks in advance for your advice
and best regards,

Rodrigo.