Penetration Testing mailing list archives
Re: Risks associated to branch office IPSec devices
From: Chris Byrd <cbyrd01 () gmail com>
Date: Tue, 21 Jun 2005 22:54:20 -0500
Security of this type of solution can be improved by:

- Disabling split-tunnel routing. Make all traffic go through the VPN tunnel and apply the same policies that you use at the home office, and
- Remove the default route from the router. If you are only communicating with a single subnet that terminates VPN, put that in the router as a static route. No reason for the router to talk to other hosts on the Internet.
- Likewise, all remote management (except over the VPN tunnel) can often be disabled or limited to a particular subnet.

Best of luck to you,

Chris

On 6/21/05, Rodrigo Blanco <rodrigo.blanco.r () gmail com> wrote:
> Hello list,
>
> I have just come across a doubt about branch office VPN devices. Normally, they are used so that a branch office's network - typically with a private addressing scheme - can securely connect to the headquarters' central network. Such VPN devices normally do not include a firewall, so I was wondering if this really represents a risk:
>
> Yes - it is a risk if the VPN device just acts as a router (no ACLs) and is attached to the Internet.
>
> No - because the addressing scheme behind it is private, hence non-routable, hence unreachable across the Internet (internet routers would drop packets with such destinations?)
>
> The only real risk I see is if the VPN device is cracked, and from there the security of the whole network (both branch office and headquarters) is exposed.
>
> Am I right? Any ideas would be more than welcome.
>
> Thanks in advance for your advice and best regards,
>
> Rodrigo.
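An added example, not from the thread or either poster: a small audit that checks a branch router's routing table and management listeners against the three points Chris makes (no default route, only a static route to the subnet that terminates the VPN, management not exposed on the Internet side). It assumes Linux-style `ip route` output, `eth0` as the WAN interface, and constructed addresses throughout.

```python
"""Audit a branch VPN router against the hardening advice above. Assumed (not
from the thread): Linux `ip route` output, eth0 as the WAN interface."""
import ipaddress
WAN_IF = "eth0"
HUB_SUBNET = ipaddress.ip_network("198.51.100.0/24")  # constructed: the subnet that terminates the VPN
WAN_ADDRS = {"203.0.113.10"}                          # constructed: the router's own WAN address
# Constructed "before" table: a default route out the WAN lets the router (and
# branch hosts, if split tunnelling) reach the whole Internet.
ROUTES_BEFORE = """\
default via 203.0.113.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
203.0.113.0/24 dev eth0 scope link"""
# Constructed "after" table: only a static route to the hub subnet leaves via the WAN.
ROUTES_AFTER = """\
198.51.100.0/24 via 203.0.113.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
203.0.113.0/24 dev eth0 scope link"""
# Constructed management listeners: (bind address, port, service name).
LISTENERS = [("0.0.0.0", 22, "ssh"), ("192.168.10.1", 443, "https-mgmt")]

def parse_routes(text):
    """Turn `ip route` lines into (destination network, next hop, device)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dst = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((dst, via, dev))
    return routes

def audit_routes(routes):
    """Flag a default route and any non-hub route that leaves via the WAN."""
    findings = []
    for dst, via, dev in routes:
        if dst.prefixlen == 0:
            findings.append(f"default route via {dev}: remove it, keep a static route to {HUB_SUBNET}")
        elif dev == WAN_IF and via and not dst.subnet_of(HUB_SUBNET):
            findings.append(f"route to {dst} via {dev} bypasses the tunnel")
    return findings

def audit_listeners(listeners, wan_addrs=WAN_ADDRS):
    """Flag management services that answer on the Internet-facing side."""
    return [f"{svc}/{port} bound to {addr}: limit to the tunnel or LAN side"
            for addr, port, svc in listeners
            if ipaddress.ip_address(addr).is_unspecified or addr in wan_addrs]

if __name__ == "__main__":
    print(audit_routes(parse_routes(ROUTES_BEFORE)), audit_listeners(LISTENERS))
```

Running it reports the default route and the SSH listener on the "before" table and nothing for the "after" table, which mirrors the state Chris describes.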