From: Matt Bellizzi (matt.bellizzi@nokia.com)
Date: Tue Jun 21 2005 - 21:20:55 EDT
Hey
Most VPN appliances have what are called selectors. I belive per RFC
are bypass, encrypt or drop. If the traffic matches the selector then
just like a firewall rule it will do what ever the selector specifys.
If the IPSec gateway default is to bypass all non-encrypted traffic that
would be bad. Personally if the VPN device is locked down properly and
has anti spoofing code implemented and only allows udp 500 and AH or ESP
I really see no need for a firewall as long as default behavior for
non-ecrypted traffic is drop. As for the NAT portion are you talking
about NAT before IPSec or are talking about VPN GW just NAT'ing out
bound traffic that matches no encrypt selector?
Matt Bellizzi
Nokia Enterprise Systems
SQA Engineer IP VPN Group
ext Rodrigo Blanco wrote:
>Hello list,
>
>I have just come across a doubt about branch office VPN devices.
>Normally, they are used so that a branch office's network - typically
>with a private addressing scheme - can securely connect to the
>headquarters' central network.
>
>Such VPN devices normally do not include a firewall, so I was
>wondering if this really represents a risk:
>
>Yes - it is a risk if the VPN device just acts as a router (no ACLs)
>and is attached to the Internet.
>No - because the addressing scheme behind it is private, hence
>non-routable, hence unreachable across the Internet (internet routers
>would drop packets with such destinations?)
>
>The only real risk I see is if the VPN device is cracked, and from
>there the security of the whole network (both brach office and
>headquarters) is exposed. Am I right?
>
>Any ideas would be more than welcome. Thanks in advance for your
>advice and best regards,
>
>Rodrigo.
>
>
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:27 EDT