Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Nortel Contivity 2600
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
Date: Tue, 6 Sep 2005 17:13:49 -0400

For the 'why NAT and IPSec don't play nice together' question, go check
http://www.ietf.org/rfc/rfc3715.txt - and after reading that, check for
IPSec NAT-T (rfc-editor being a good place to start)

You mention deploying the VPN box behind an IPS device. Yes and no. What
are you trying to achieve? If your IPS box is inline, and does protocol
checking/normalization, that could work - the IPS would drop the
malformed packets and notify the management console (possibly). But do
you need/want to have that information? 

Before deciding where to connect the VPN device (firewall, inline IPS,
nothing) we should decide what we want to achieve by doing it.

And there have been some comments about the VPN box interaction with
NAT. Deploying it behind a firewall != NATting - either because you
configure a 1:1 translation between public IP/private IP, or you use an
L2-firewall.



-----Original Message-----
From: misiu [mailto:misiu_ () gmx de] 
Sent: Tuesday, September 06, 2005 5:14 AM
To: pen-test () securityfocus com
Subject: Re: Nortel Contivity 2600

Dario Ciccarone (dciccaro) schrieb:
Putting the device in question behind the firewall isn't 
going to help
him with DoS attacks - unless those attacks are due to malformed
packets, _and_ the firewall in question drops the type of malformed
packets that would trigger the DoS.


Hmm, but if malformed packs come, is it not much better to 
set it behind 
  an IPS? Firewall is not allways the right thing to protect, i guess.
I don't really understand why Nat is not working....
The Adresses of the tunnel are not encrypted, do they might have a 
checksum wich is altered through a NAT device?

Do I see this right?

misiu

--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking 
applications on your 
website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are 
futile against web application hacking. Check your website 
for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks 
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault