Not to be picky, but AH doesn't support NAT/PAT so a FW can pass it, but it doesn't do much good if NAT/PAT is taking place.
Thanks Larry

-----Original Message-----
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security advice - opening ports other than 80 and [7:42333]

"Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> It's generally a good idea only to open ports that are necessary (e.g. 80
> for http, 21 for ftp, etc.). Opening up unnecessary ports and/or
> running unnecessary services just opens your server up to security vulnerabilities.
> In your case I don't really understand what you're trying to do. For
> a web server using SSL you only have to allow inbound traffic to port 443,
> you don't need port 80 open unless it also serves up unencrypted
> pages. If you want/need to use IPSEC you will need to allow inbound traffic on the
> UDP port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).

Or generally just protocol 50. Because after all, how many people really use AH? Even the standards bodies are thinking of dropping AH because it really doesn't do very much - ESP can also do authentication, and while AH also does authentication of parts of the packet header, is that really worth the overhead of creating another 2 SAs?

> HTH,
>
> Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42375&t=42333
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
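Two points from this thread are easy to get wrong in practice: a firewall rule for "port 50/51" does not pass ESP/AH, which are IP protocol numbers, and AH cannot survive NAT/PAT because its integrity check covers the IP addresses that NAT rewrites. The following is an added illustration written for this page, not code from any poster; it models only ICV coverage and rule matching with a constructed key and constructed addresses, not real ESP encryption or NAT-T.

```python
import hmac
import hashlib
import socket
from dataclasses import dataclass, replace

# Constructed demo key; a real IPsec SA gets its keys from IKE over UDP 500.
KEY = b"constructed-demo-integrity-key"

# IP protocol numbers: these live in the IP header, not in a TCP/UDP port field.
TCP, UDP, ESP, AH = 6, 17, 50, 51
TRANSPORT = {"tcp": TCP, "udp": UDP}

# Rules matching what the thread recommends for an HTTPS server with IPsec.
IPSEC_HTTPS_RULES = [("tcp", 443), ("udp", 500), ("ip", ESP), ("ip", AH)]

@dataclass(frozen=True)
class Packet:
    src: str               # outer IP source address
    dst: str               # outer IP destination address
    proto: int             # IP protocol number
    dport: int = 0         # transport destination port; absent for ESP/AH
    payload: bytes = b""   # AH/ESP header plus protected data, simplified

def _immutable_ip_fields(pkt: Packet) -> bytes:
    # AH's ICV covers IP header fields that must not change in transit,
    # including both addresses, which is exactly what NAT/PAT rewrites.
    return socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst) + bytes([pkt.proto])

def ah_icv(pkt: Packet) -> bytes:
    return hmac.new(KEY, _immutable_ip_fields(pkt) + pkt.payload, hashlib.sha256).digest()

def esp_icv(pkt: Packet) -> bytes:
    # ESP's ICV covers only the ESP header and payload, never the outer IP header.
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()

def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    # A NAT gateway substitutes its public address for the private source.
    return replace(pkt, src=public_src)

def survives_nat(icv_fn, pkt: Packet) -> bool:
    # Does the ICV computed by the sender still verify after translation?
    return hmac.compare_digest(icv_fn(pkt), icv_fn(nat_rewrite(pkt, "203.0.113.1")))

def firewall_allows(pkt: Packet, rules) -> bool:
    # ("ip", n) matches the IP protocol field; ("tcp"/"udp", port) matches a
    # transport port, so a "udp 50" rule can never match an ESP packet.
    for kind, value in rules:
        if kind == "ip" and pkt.proto == value:
            return True
        if kind in TRANSPORT and pkt.proto == TRANSPORT[kind] and pkt.dport == value:
            return True
    return False
```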

