Penetration Testing mailing list archives

Re: Nortel Contivity 2600


From: Volker Tanger <vtlists () wyae de>
Date: Mon, 5 Sep 2005 23:27:46 +0200

Greetings!

On Sun, 04 Sep 2005 14:39:44 +0400
Samir Pawaskar <samirp () eim ae> wrote:

> I am facing a similar position, however my vendor insists that Nortel
> VPN has to be in Internet .. It cannot use natted IP..

Well, the Contivity can work in NATted configuration - like all other
IPSec-encapsulating devices, too. But usually this will work with tunnel
mode only - NAT is inherently incompatible with IPSec transport mode.
And of course it will work with *out*going connections only. So for the
scenario given (*in*coming office and road warrior access) this is not a
good idea.


> By the way, bear in mind Contivity also has a firewall module that can
> run on its same platform, this could be very recommendable if you are
> to place it directly on the Internet.

"Standard" is only a stateless packet filter. But the add-on firewall
license is a stateful packet filter, not too shabby. Big plus is that
you can define individual FW rules for (within) each tunnel - especially
to restrict access by contractors and third party support personnel.


On 9/1/05, Cam Fischer <camfischer () gmail com> wrote:

> I am looking for good reasons why I should move a Nortel Contivity
> 2600 VPN device behind a firewall.
>
> Currently the device sits on the internet, and is used for VPN
> traffic from other offices, and also for VPN dial-in users.

As above: if you are talking about a NAT-Masquerading firewall, that is
nonsense - see the answer at the top. 

As for a routing non-NATting firewall: with this you can define QoS so
your internet line won't be congested by VPN only, or mail only. DoS can
be limited/mitigated with such a construction, too. Here is an example,
as ASCII art, of a possible configuration:


  www
   |
   |
QoS-FW
   |
   | DMZ with official, registered IP addresses
   +------------+------------+------------+-------WWW-Server
   |            |            |            |
   |            |            |            |
Contivity    Mail/AV-Gate  AV-Proxy     other-FW
   |            |            |            |
   |            |            |            |
   +------------+------------+------------+
         LAN         LAN          LAN


Of course the QoS-FW can be replaced by an appropriate router. And as
the Contivity 2600 alone is on the beefier side make sure your QoS-FW
will not be a bottleneck. It should have a good reporting and QoS tuning
interface as that will be its main task. All the application layer /
deep inspection / anti-virus / IDS stuff does not matter here - that's a
task for all the second-line systems: AV-Mailgates, the "internal"
application firewall ("other-FW"), etc. Such a pre-sorter only and
foremost needs robustness (with respect to IP packet hell) and speed.
Then speed and robustness. Or reliability. Throughput and
stress-resistance are the next features, followed by robustness. All
that while reliably sorting packet streams according to some type of
traffic shaping. Next objectives are QoS rule handling and traffic flow
analysis (amount measurement, not packet reassembly). After that
nothing for a long time. Then robustness, speed and handling...
(ad infinitum).

Forget about all the other fancy stuff - on that front you need a
simple-minded brunt. The fine-sorting will (and can be) done whenever
the front QoS-FW does its job. 


You don't need a QoS-thingie as your VPN-line is dedicated to VPN only?
Well, then you won't need a pre-sorting, will you?
;-)


Bye

Volker


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
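The point made at the top of the reply, that NAT breaks IPsec transport mode but tunnel mode survives it, as an added illustration that is not part of this post and has nothing to do with Nortel's own code: a small Python model of an ESP-protected TCP segment passing through a masquerading NAT. Addresses, key and payload are constructed sample values, and the packet layout is reduced to the fields that matter here, the TCP pseudo-header checksum (which covers the IP addresses) and ESP's integrity check (which covers only the ESP payload, never the IP header).

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample key standing in for the SA's integrity key (not a real one).
ESP_KEY = b"constructed-demo-key"
TCP_PROTO = 6


def ip_bytes(addr):
    """Dotted-quad string -> 4 network-order bytes."""
    return int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")


def internet_checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, seg_len):
    """The TCP checksum covers this pseudo-header, i.e. the IP addresses."""
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def build_tcp_segment(src, dst, sport, dport, payload):
    """Simplified TCP segment: sport, dport, checksum, payload."""
    seg = struct.pack("!HHH", sport, dport, 0) + payload
    cksum = internet_checksum(pseudo_header(src, dst, len(seg)) + seg)
    return struct.pack("!HHH", sport, dport, cksum) + payload


def tcp_checksum_ok(src, dst, seg):
    """Receiver check: sum over pseudo-header + segment (checksum included) is 0."""
    return internet_checksum(pseudo_header(src, dst, len(seg)) + seg) == 0


def esp_icv(protected):
    """ESP's integrity check covers the ESP payload only, never the IP header."""
    return hmac.new(ESP_KEY, protected, hashlib.sha256).digest()


def transport_packet(src, dst, seg):
    """Transport mode: the TCP segment itself is the (encrypted) ESP payload."""
    return {"src": src, "dst": dst, "esp_payload": seg, "icv": esp_icv(seg)}


def tunnel_packet(gw_src, gw_dst, inner_src, inner_dst, seg):
    """Tunnel mode: the whole inner IP packet becomes the ESP payload."""
    inner = ip_bytes(inner_src) + ip_bytes(inner_dst) + seg
    return {"src": gw_src, "dst": gw_dst, "esp_payload": inner, "icv": esp_icv(inner)}


def nat_outer_src(pkt, public_ip):
    """A masquerading NAT rewrites the outer source address only: the ESP
    payload is encrypted and integrity-protected, so the NAT cannot patch
    the TCP checksum inside the way it does for plain TCP."""
    return dict(pkt, src=public_ip)


def verify_transport(pkt):
    """Responder: check ESP, then the TCP checksum against the outer addresses."""
    return {
        "esp_icv_ok": hmac.compare_digest(pkt["icv"], esp_icv(pkt["esp_payload"])),
        "tcp_checksum_ok": tcp_checksum_ok(pkt["src"], pkt["dst"], pkt["esp_payload"]),
    }


def verify_tunnel(pkt):
    """Gateway: check ESP, decapsulate, then check TCP against the inner addresses."""
    inner = pkt["esp_payload"]
    inner_src = str(ipaddress.IPv4Address(inner[:4]))
    inner_dst = str(ipaddress.IPv4Address(inner[4:8]))
    return {
        "esp_icv_ok": hmac.compare_digest(pkt["icv"], esp_icv(inner)),
        "tcp_checksum_ok": tcp_checksum_ok(inner_src, inner_dst, inner[8:]),
    }


def run_demo():
    """Same TCP segment sent both ways through a NAT masquerading as 203.0.113.5."""
    payload = b"constructed sample payload"
    seg = build_tcp_segment("10.1.2.3", "10.9.8.7", 40000, 443, payload)
    transport = nat_outer_src(transport_packet("10.1.2.3", "10.9.8.7", seg), "203.0.113.5")
    tunnel = nat_outer_src(
        tunnel_packet("10.1.2.1", "198.51.100.9", "10.1.2.3", "10.9.8.7", seg), "203.0.113.5")
    return {
        "transport_no_nat": verify_transport(transport_packet("10.1.2.3", "10.9.8.7", seg)),
        "transport_after_nat": verify_transport(transport),
        "tunnel_after_nat": verify_tunnel(tunnel),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

After the NAT, the transport-mode packet still passes ESP's integrity check but the decrypted segment fails its TCP checksum, because the pseudo-header now names an address the sender never used; the tunnel-mode packet passes both checks, since the inner addresses travelled untouched inside the ESP payload. Real deployments add NAT traversal (UDP encapsulation of ESP, RFC 3948) so that port-translating NATs can also track the flow, and AH, whose integrity check does cover the IP header, fails under NAT in either mode.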
