Penetration Testing mailing list archives
RE: Nortel Contivity 2600
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Tue, 6 Sep 2005 17:13:49 -0400
For the 'why NAT and IPSec don't play nice together' question, go check http://www.ietf.org/rfc/rfc3715.txt - and after reading that, check for IPSec NAT-T (rfc-editor being a good place to start) You mention deploying the VPN box behind an IPS device. Yes and no. What are you trying to achieve? If your IPS box is inline, and does protocol checking/normalization, that could work - the IPS would drop the malformed packets and notify the management console (possibly). But do you need/want to have that information? Before deciding where to connect the VPN device (firewall, inline IPS, nothing) we should decide what we want to achieve by doing it. And there have been some comments about the VPN box interaction with NAT. Deploying it behind a firewall != NATting - either because you configure a 1:1 translation between public IP/private IP, or you use an L2-firewall.
-----Original Message----- From: misiu [mailto:misiu_ () gmx de] Sent: Tuesday, September 06, 2005 5:14 AM To: pen-test () securityfocus com Subject: Re: Nortel Contivity 2600 Dario Ciccarone (dciccaro) schrieb:Putting the device in question behind the firewall isn'tgoing to helphim with DoS attacks - unless those attacks are due to malformed packets, _and_ the firewall in question drops the type of malformed packets that would trigger the DoS.Hmm, but if malformed packs come, is it not much better to set it behind an IPS? Firewall is not allways the right thing to protect, i guess. I don't really understand why Nat is not working.... The Adresses of the tunnel are not encrypted, do they might have a checksum wich is altered through a NAT device? Do I see this right? misiu -------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Nortel Contivity 2600 Cam Fischer (Sep 02)
- Re: Nortel Contivity 2600 Rodrigo Blanco (Sep 03)
- Re: Nortel Contivity 2600 Samir Pawaskar (Sep 05)
- Re: Nortel Contivity 2600 Rodrigo Blanco (Sep 05)
- Re: Nortel Contivity 2600 Samir Pawaskar (Sep 05)
- <Possible follow-ups>
- RE: Nortel Contivity 2600 Dario Ciccarone (dciccaro) (Sep 05)
- Re: Nortel Contivity 2600 misiu (Sep 06)
- Re: Nortel Contivity 2600 Volker Tanger (Sep 06)
- RE: Nortel Contivity 2600 Dario Ciccarone (dciccaro) (Sep 07)
- RE: Nortel Contivity 2600 Kyle Starkey (Sep 08)
- Re: Nortel Contivity 2600 Rodrigo Blanco (Sep 11)
- RE: Nortel Contivity 2600 Kyle Starkey (Sep 08)
- Re: Nortel Contivity 2600 Rodrigo Blanco (Sep 03)