Firewall Wizards: Re: Pass-through VPN

Re: Pass-through VPN

From: Patrick M. Hausen <hausen_at_punkt.de>
Date: Mon, 25 Oct 2004 22:53:03 +0200 (CEST)

Hello!

> > Inbound traffic normally requires an access-list or conduit statement to
> > allow it to pass.
> >
> > But by using the sysopt connection permit-ipsec command, the inbound
> > ipsec traffic bypasses all access-lists and conduits.
> >
> > Since you can't block inbound traffic on the internal interface as you
> > can with a cisco router, the traffic cannot be filtered at this point.
> >
> > To lock this traffic down, use ACLs without using the sysopt command.

> What would those ACLs look like? Allow udp ports 500 and 4500?

No, no no ... :-)

The point of the "sysopt connection permit-ipsec" command is to
pass all traffic that is _in_ the VPN tunnel unchecked by ACLs.
The externally visible ESP packets are of course always accepted.
Same for IKE and everything else that is necessary for a successful
IPSec connection.

If the sysopt command is active, after establishing a VPN tunnel
by e.g. an external software client, this client can tunnel
_arbitrary_ IP traffic to the internal LAN. Browse the network
neighborhood in a windows environment and so on.

There may be scenarios when you don't want that. I have one client
that wants to give external users access to a cluster of Citrix
terminal servers, but nothing else. So this customer has the
"sysopt ... permit-ipsec" disabled.
Now the IPSec tunnel is still established without any additional
rules, the PIX does IKE just the same way, ... only _after_ the
tunnel is established the client can't pass traffic through
it. Unless you create additional access rules that state e.g.

Permit External/VPN-Client -> Internal/Citrix-Cluster TCP/ICA

Disabling the sysopt command gives you a finer control of what is
allowed _through_ IPSec connections, not control of the connections
themselves.

Hope that helps,

Patrick M. Hausen
Head of Networks and Security

-- 
punkt.de GmbH         Internet - Services - Consulting
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Oct 26 2004
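The two configurations contrasted in the reply above, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from the original post or from punkt.de; the pool addresses, the Citrix host addresses, the access-list name and the use of TCP port 1494 for ICA are assumptions, and the IKE policy, crypto map and NAT exemption that a working remote-access setup also needs are left out. Lines beginning with ":" are comments.

```cisco
: Variant A (assumed starting point): decrypted tunnel traffic is NOT
: checked against the outside interface ACL. Once a software client has
: brought up its IPsec SA it can send any IP traffic to the inside LAN.
sysopt connection permit-ipsec

: Variant B: remove the bypass. IKE (UDP/500) and ESP are still terminated
: by the PIX itself, so the tunnel is negotiated exactly as before; only the
: packets that come OUT of the tunnel are now subject to the outside ACL.
no sysopt connection permit-ipsec

: Address pool handed to remote-access clients (assumed value)
ip local pool vpnpool 10.10.10.1-10.10.10.254

: Citrix terminal-server cluster on the inside network (assumed addresses).
: Only ICA (TCP/1494, assumed) from the VPN pool to these hosts is permitted;
: everything else from the pool falls through to the implicit deny.
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 1494
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.11 eq 1494

: Bind the list to the outside interface; decrypted tunnel packets are
: evaluated here, since the PIX cannot filter on the inside interface.
access-group outside_in in interface outside
```

With Variant B, "show crypto ipsec sa" still shows the SA coming up for a connected client; what changes is that only the listed ICA flows are forwarded, and any other traffic the client pushes into the tunnel is dropped by the ACL rather than reaching the internal LAN.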