Security Basics mailing list archives
Re: Outgoing IPSEC
From: Securi Net <securinet2004 () yahoo ca>
Date: Tue, 22 Nov 2005 11:29:10 -0500 (EST)
Thanks again, Jason. That clarifies it and gives me a strong case in denying such requests. Thank you everyone for your responses.

Regards,
CP

--- Jason Thompson <securitux () gmail com> wrote:

No problem. With a stateful inspection device (firewall), it does allow bidirectional traffic as long as your client initiates the VPN connection to the endpoint. Once the client connects to the endpoint it creates a connection that your firewall recognizes as 'in state' and allows traffic between the two devices. This is by design. So with a stateful inspection firewall, even though you are creating rules that say allow only outbound from client to endpoint, you are essentially saying 'only the client is allowed to initiate a connection'. Once the client creates the tunnel, bidirectional traffic is permitted so long as it obeys the rules of IP "state" (same IP addresses, connection kept alive, in the case of TCP: syn, syn/ack, ack, push, push/ack, sequence numbers, acknowledgement numbers, etc). UDP state is also kept using timeouts, since UDP is a stateless protocol.

Keep in mind, the ACTUAL TCP, UDP, and IP header (of a tunnelled connection) from a client or VPN endpoint is encrypted / encapsulated with a completely different header. So an IKE UDP packet's encapsulated data from the endpoint to the client (which is in state) may be a TCP SYN (beginning of a TCP connection from the other network to the client).

-J

On 11/21/05, Securi Net <securinet2004 () yahoo ca> wrote:

Jason,

Thank you for your elaborate response to my query. Excuse my ignorance of the way IPSEC tunnels are established here, but by permitting only outgoing traffic on port 500, would I not succeed in forcing a uni-directional tunnel to the external organization? Or is my understanding of the technology off the mark?

We have mulled over the option of forcing him onto a separate VLAN, but need a clinical argument about the security risks in opening up IPSEC for him. This is also being backed by an acceptable use policy.

Thanks again for your responses.

CP

--- Jason Thompson <securitux () gmail com> wrote:

Here's one of the big issues which deals with the endpoint rather than Internet threats. Once the VPN connection is established, you have no control over what traffic is transmitted on the tunnelled network. You essentially open an unchecked bidirectional link between the VPN client and the network to which he is connecting on the other end. You are essentially relying on the other company to enforce a policy on that contractor, which is a nauseating thought. Also in the case of a split tunnel, that contractor's PC could be used by someone or something in the other organization as a jumping point into your network.

Further to that, since the traffic is encrypted, you do not have the ability to monitor what the contractor is doing. This individual could be doing anything from browsing questionable sites through company X's network to receiving the worm-du-jour. Single tunnel does nothing here, because in a single tunnel situation once disconnected from company X's network, it will spread throughout yours.

It's all about acceptable risk of course, and unfortunately in a lot of cases contractor access to VPN is a requirement, so do what you can to lock it down. First off put the contractor on a different VLAN than other users and do not allow access to your internal resources; the VLAN should route right to your firewall. If s/he needs access to internal resources, then s/he does it with one of your company's PCs. Also, make the contractor and the other organization sign an acceptable use policy as well as a policy specifying that 'due care' will be taken while operating inside the network (AV always on, desktop firewall, regular AV scans and updates, etc). That way if they introduce something nasty into your environment and they didn't exercise due care, they can be held liable. But most importantly, the policy shows the other organization that you take information security seriously and you have your eye on them.

If s/he needs access just to get e-mail, the consulting company should be putting up an OWA server with two factor auth... if they don't have one already. Some companies require it as they don't allow VPN out at all.

-J

On 11/18/05, Securi Net <securinet2004 () yahoo ca> wrote:

Hello List members,

I have a question on risks associated with allowing outgoing IPSEC traffic on a firewall. I have a contractor who works onsite within our network and needs outgoing port 500 opened on our firewall for him to vpn into his company network. I would like to know about the risks involved in facilitating such access outside, as I have heard some talk about security issues around split tunnelling. As far as I can understand it, the only threat to our network from the outside would be if someone on the outside tries to spoof a session inside using an existing outward connection.

Can anyone shed some light on what I should be concerned about here?

CP
=== message truncated ===
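To make Jason's point about 'in state' traffic concrete (an outbound-only rule on a stateful firewall still lets the VPN endpoint send anything back once the inside client has initiated), here is a small simulation added to this archive page; it is not code from the thread or from any firewall product. It models a connection-tracking table with a UDP idle timeout and replays a constructed packet sequence on UDP 500 (IKE) and UDP 4500 (NAT-T). The addresses, the 30-second timeout and the `inner` labels are all constructed for the example, and the filter deliberately never reads `inner`, just as a real firewall cannot see inside the encrypted payload.

```python
"""Toy stateful filter: 'outbound only' rule for IKE/NAT-T plus connection tracking.

Added example, not from the mailing-list thread. Addresses, timeout and
payload labels are constructed; real firewalls use their own defaults.
"""
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 30.0      # constructed: seconds before an idle UDP entry is forgotten
IKE_PORTS = {500, 4500}      # IKE and NAT-T (UDP-encapsulated ESP)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the contractor VLAN, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int
    ts: float        # seconds since the scenario started
    # Label for what the outer UDP datagram carries. The filter never looks at it:
    # once encrypted, the inner IP/TCP/UDP headers are invisible to the firewall.
    inner: str = ""


class StatefulFilter:
    """Permit new flows only from inside on IKE_PORTS; permit anything matching an entry."""

    def __init__(self, allowed_outbound_ports=IKE_PORTS, udp_timeout=UDP_IDLE_TIMEOUT):
        self.allowed = set(allowed_outbound_ports)
        self.timeout = udp_timeout
        # (inside_ip, inside_port, outside_ip, outside_port) -> last-seen timestamp
        self.state = {}

    @staticmethod
    def _key(p):
        # Normalise both directions to the inside host's view so replies match the entry.
        if p.direction == "out":
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        # UDP has no FIN; the only way an entry leaves the table is by going idle.
        for k, last in list(self.state.items()):
            if now - last > self.timeout:
                del self.state[k]

    def decide(self, p):
        self._expire(p.ts)
        k = self._key(p)
        if k in self.state:
            self.state[k] = p.ts       # any packet (keepalive, DPD, data) refreshes the entry
            return ("ACCEPT", "established")
        if p.direction == "out" and p.dport in self.allowed:
            self.state[k] = p.ts       # only the inside client may open a flow
            return ("ACCEPT", "new")
        return ("DROP", "no-state")


def run_scenario():
    """Replay a constructed sequence; returns the filter's (verdict, reason) per packet."""
    fw = StatefulFilter()
    client, endpoint, other_host = "10.1.1.5", "203.0.113.10", "10.1.1.6"
    pkts = [
        Packet("out", client, 500, endpoint, 500, 0.0, "IKE_SA_INIT"),
        # Endpoint's reply matches the entry, so it passes despite the 'outbound only' rule.
        Packet("in", endpoint, 500, client, 500, 1.0, "IKE_SA_INIT response"),
        Packet("out", client, 4500, endpoint, 4500, 1.5, "NAT-T switch"),
        # Same 4-tuple, so accepted; the filter cannot tell the payload is a TCP SYN
        # from the remote network towards the client.
        Packet("in", endpoint, 4500, client, 4500, 2.0, "ESP[TCP SYN 192.168.50.20 -> 10.1.1.5:445]"),
        # No prior outbound flow from this inside host: nothing to match, dropped.
        Packet("in", endpoint, 500, other_host, 500, 3.0, "IKE_SA_INIT"),
        # Tunnel idle for longer than the timeout: entries expired, endpoint is shut out...
        Packet("in", endpoint, 4500, client, 4500, 40.0, "ESP[...]"),
        # ...until the inside client initiates again.
        Packet("out", client, 4500, endpoint, 4500, 41.0, "IKE keepalive"),
    ]
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    for i, (verdict, reason) in enumerate(run_scenario(), 1):
        print(f"packet {i}: {verdict} ({reason})")
```

The fourth packet is the one that answers the original question: the rule only decides who may open the flow, and once the client has done so the endpoint's datagrams are 'established' whatever they encapsulate. The sixth packet shows the only thing that ever closes the door again, an idle timeout, and in practice IKE keepalives or dead-peer detection keep refreshing the entry for as long as the tunnel is up.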