Nmap Development mailing list archives

Re: Nmap not play nice w/ Cisco VPN


From: Daniel Roethlisberger <daniel () roe ch>
Date: Thu, 28 Sep 2006 14:00:59 +0200

Andreas Ericsson <ae () op5 se> 2006-09-28:
> Wagner, Chris (GEAE, CBTS) wrote:
>> It's Cisco VPN client 4.7.00.0533.  I think it's a purely client side
>> problem since I can ping, ssh, etc to the host and nmap eventually works
>> with the -e eth1 -P0 options.  So however Cisco is building the virtual
>> interface on my PC, it's something that nmap can't understand properly.
>> It should be directly sending the probes through eth0 AFAIK.
>
> No, it shouldn't. Cisco VPN on Linux requires a kernel-module, since the
> server-side that you're connecting to can choose to disable network
> traffic from and to the connecting end on *all other* interfaces. This
> is a security measure to prevent lazy admins from setting up a VPN
> machine as a router to a network which isn't supposed to be routed. Iow,
> it's a Good Thing.

I think calling it a Good Thing is stretching it a little.  It's client
side security, and as such insecure by definition, and it gets in the
way very quickly if you're not just the click and point type of user.
However, I agree that it can improve security for/with ordinary users.
Preventing them from surfing the web directly while remotely accessing an
Intranet might make sense.

Personally, I suggest using vpnc instead, at least if you authenticate
IKE phase 1 with PSK.

-- 
Daniel Roethlisberger <daniel () roe ch>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

