Penetration Testing mailing list archives
Re: Nortel Contivity 2600
From: Volker Tanger <vtlists () wyae de>
Date: Mon, 5 Sep 2005 23:27:46 +0200
Greetings!

On Sun, 04 Sep 2005 14:39:44 +0400 Samir Pawaskar <samirp () eim ae> wrote:

I am facing a similar position; however, my vendor insists that the Nortel VPN has to be on the Internet. It cannot use a NATted IP.
Well, the Contivity can work in a NATted configuration - like all other IPSec-encapsulating devices, too. But usually this will work with tunnel mode only - NAT is inherently incompatible with IPSec transport mode. And of course it will work with *out*going connections only. So for the scenario given (*in*coming office and road warrior access) this is not a good idea.

By the way, bear in mind the Contivity also has a firewall module that can run on the same platform; this could be very recommendable if you are to place it directly on the Internet.

"Standard" is only a stateless packet filter. But the add-on firewall license is a stateful packet filter, not too shabby. A big plus is that you can define individual FW rules for (within) each tunnel - especially to restrict access by contractors and third-party support personnel.
On 9/1/05, Cam Fischer <camfischer () gmail com> wrote:

I am looking for good reasons why I should move a Nortel Contivity 2600 VPN device behind a firewall. Currently the device sits on the internet, and is used for VPN traffic from other offices, and also for VPN dial-in users.

As above: if you are talking about a NAT-masquerading firewall, that is nonsense - see the answer at the top. As for a routing, non-NATting firewall: with this you can define QoS so your internet line won't be congested by VPN only, or mail only. DoS can be limited/mitigated with such a construction, too. Here is an example ASCII art of a possible configuration:

                      www
                       |
                       |
                    QoS-FW
                       |
                       |      DMZ with official, registered IP addresses
      +------------+------------+------------+-------WWW-Server
      |            |            |            |
      |            |            |            |
  Contivity   Mail/AV-Gate   AV-Proxy    other-FW
      |            |            |            |
      |            |            |            |
      +------------+------------+------------+
     LAN          LAN          LAN

Of course the QoS-FW can be replaced by an appropriate router. And as the Contivity 2600 alone is on the beefier side, make sure your QoS-FW will not be a bottleneck. It should have a good reporting and QoS tuning interface, as that will be its main task. All the application layer / deep inspection / anti-virus / IDS stuff does not matter here - that's a task for all the second-line systems: AV-Mailgates, the "internal" application firewall ("other-FW"), etc.

Such a pre-sorter first and foremost needs robustness (with respect to IP packet hell) and speed. Then speed and robustness. Or reliability. Throughput and stress-resistance are the next features, followed by robustness. All that while reliably sorting packet streams according to some type of traffic shaping. Next objectives are QoS rule handling and traffic flow analysis (amount measurement, not packet reassembly). After that nothing for a long time. Then robustness, speed and handling... (ad infinitum). Forget about all the other fancy stuff - on that front you need a simple-minded brute. The fine-sorting will (and can) be done whenever the front QoS-FW does its job.

You don't need a QoS-thingie as your VPN line is dedicated to VPN only? Well, then you won't need a pre-sorter, will you?
;-)

Bye

Volker

--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists () wyae de
PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
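The point at the top of the reply (NAT breaks IPsec transport mode but not tunnel mode) can be demonstrated without any VPN hardware. The following is an added example, not code from Volker Tanger's post or from Nortel: a toy XOR-and-HMAC "ESP" stands in for the real cipher, the 8-byte inner "IP header" is a stand-in for a real one, and all addresses, ports and payload are constructed. What it shows is the actual mechanism: in transport mode the TCP checksum travels inside the protected payload and still covers the original source address via the TCP pseudo-header, so a NAT rewrite of the outer header makes the receiver's checksum verification fail and the NAT box cannot fix it because it cannot read the protected bytes; in tunnel mode the original header rides inside the protected payload and the outer address can be rewritten freely.

```python
"""Added example: why NAT breaks IPsec transport mode but not tunnel mode.

Toy stand-ins (NOT real ESP): XOR keystream + HMAC-SHA256 ICV; an
8-byte "inner IP header" holding only src/dst. Addresses are constructed.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as used by TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """TCP pseudo-header: src, dst, zero, protocol 6, TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, length)


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal TCP segment whose checksum covers the pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]  # checksum sits at offset 16


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    """Receiver-side check: summing everything including the checksum yields 0."""
    return checksum(pseudo_header(src, dst, len(seg)) + seg) == 0


def _keystream() -> bytes:
    return hashlib.sha256(KEY + b"keystream").digest()


def protect(plain: bytes) -> bytes:
    """Toy ESP: XOR with a keystream, then append an HMAC ICV over the ciphertext."""
    ks = _keystream()
    ct = bytes(b ^ ks[i % len(ks)] for i, b in enumerate(plain))
    return ct + hmac.new(KEY, ct, hashlib.sha256).digest()


def unprotect(blob: bytes) -> bytes:
    """Verify the ICV, then strip the toy keystream."""
    ct, icv = blob[:-32], blob[-32:]
    if not hmac.compare_digest(icv, hmac.new(KEY, ct, hashlib.sha256).digest()):
        raise ValueError("ICV mismatch")
    ks = _keystream()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(ct))


def send_transport(src: str, dst: str, seg: bytes) -> dict:
    """Transport mode: only the TCP segment is protected; the IP header is outside."""
    return {"src": src, "dst": dst, "esp": protect(seg)}


def send_tunnel(gw_src: str, gw_dst: str, inner_src: str, inner_dst: str, seg: bytes) -> dict:
    """Tunnel mode: the whole original packet (inner header + segment) is protected."""
    inner = socket.inet_aton(inner_src) + socket.inet_aton(inner_dst) + seg  # toy inner header
    return {"src": gw_src, "dst": gw_dst, "esp": protect(inner)}


def nat(pkt: dict, new_src: str) -> dict:
    """A masquerading NAT rewrites the outer source only; it cannot touch the ESP body."""
    return {**pkt, "src": new_src}


def receive_transport(pkt: dict) -> bool:
    """Transport-mode receiver validates TCP against the OUTER (possibly NATted) header."""
    seg = unprotect(pkt["esp"])
    return tcp_checksum_ok(pkt["src"], pkt["dst"], seg)


def receive_tunnel(pkt: dict) -> bool:
    """Tunnel-mode receiver validates TCP against the INNER header, which NAT never saw."""
    inner = unprotect(pkt["esp"])
    inner_src, inner_dst = socket.inet_ntoa(inner[:4]), socket.inet_ntoa(inner[4:8])
    return tcp_checksum_ok(inner_src, inner_dst, inner[8:])


def demo() -> dict:
    """Run the three cases; returns True where the receiver accepts the segment."""
    host, server, public = "10.0.0.5", "203.0.113.9", "198.51.100.1"  # constructed
    seg = tcp_segment(host, server, 40000, 443, b"hello")
    return {
        "transport_direct": receive_transport(send_transport(host, server, seg)),
        "transport_natted": receive_transport(nat(send_transport(host, server, seg), public)),
        "tunnel_natted": receive_tunnel(nat(send_tunnel("192.168.1.2", server, host, server, seg), public)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'REJECTED'}")
```

Only the transport-mode packet that passed through the NAT is rejected. This checksum mismatch is the problem that IPsec NAT-Traversal (UDP encapsulation of ESP, RFC 3948) works around by having the receiving end recompute the inner TCP/UDP checksums, which is why a NATted deployment effectively ties you to tunnel mode plus NAT-T rather than plain transport mode.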