Re: Risks associated to branch office IPSec devices

[Matt Bellizzi <matt.bellizzi () nokia com>]

Hey  

Most VPN appliances have what are called selectors.  I belive per RFC 
are bypass, encrypt or drop.  If the traffic matches the selector then 
just like a firewall rule it will do what ever the selector specifys.  
If the IPSec gateway default is to bypass all non-encrypted traffic that 
would be bad.  Personally if the VPN device is locked down properly and 
has anti spoofing code implemented and only allows udp 500 and AH or ESP 
I really see no need for a firewall as long as default behavior for 
non-ecrypted traffic is drop.  As  for the NAT portion are you talking 
about NAT before IPSec or are talking about VPN GW just NAT'ing out 
bound traffic that matches no encrypt selector?


Matt Bellizzi
Nokia Enterprise Systems
SQA Engineer IP VPN Group


ext Rodrigo Blanco wrote:

> Hello list,
>
> I have just come across a doubt about branch office VPN devices.
> Normally, they are used so that a branch office's network - typically
> with a private addressing scheme - can securely connect to the
> headquarters' central network.
>
> Such VPN devices normally do not include a firewall, so I was
> wondering if this really represents a risk:
>
> Yes - it is a risk if the VPN device just acts as a router (no ACLs)
> and is attached to the Internet.
> No - because the addressing scheme behind it is private, hence
> non-routable, hence unreachable across the Internet (internet routers
> would drop packets with such destinations?)
>
> The only real risk I see is if the VPN device is cracked, and from
> there the security of the whole network (both brach office and
> headquarters) is exposed. Am I right?
>
> Any ideas would be more than welcome. Thanks in advance for your
> advice and best regards,
>
> Rodrigo.
>
>