"Roberts, Larry" wrote in message news:[EMAIL PROTECTED]...
> Not to be picky, but AH doesn't support NAT/PAT so a FW can pass it, but it
> doesn't do much good if NAT/PAT is taking place.

Ah yes - that's right, forgot about that. Hence, even less reason to do AH.

>
> Thanks
>
> Larry
>
> -----Original Message-----
> From: nrf [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 23, 2002 1:57 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Security advice - opening ports other than 80 and [7:42333]
>
>
> "Don Nguyen" wrote in message news:[EMAIL PROTECTED]...
> > It's generally a good idea only to open ports that are necessary (e.g. 80
> > for http, 21 for ftp, etc.). Opening up unnecessary ports and/or
> > running unnecessary services just opens your server up to security
> > vulnerabilities.
> > In your case I don't really understand what you're trying to do. For a
> > web server using SSL you only have to allow inbound traffic to port 443;
> > you don't need port 80 open unless it also serves up unencrypted
> > pages. If you want/need to use IPSEC you will need to allow inbound
> > traffic on UDP port 500 and allow IP protocols 50 and 51 (not ports 50
> > and 51).
>
> Or generally just protocol 50. Because after all, how many people really
> use AH? Even the standards bodies are thinking of dropping AH because it
> really doesn't do very much - ESP can also do authentication, and while AH
> also does authentication of parts of the packet header, is that really
> worth the overhead of creating another 2 SAs?
>
> >
> > HTH,
> >
> > Don Nguyen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42388&t=42333
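The point Larry and nrf are making (AH's integrity check covers the outer IP addresses, so a NAT hop invalidates it, while ESP's does not), shown as an added Python example that is not part of the thread. It models a simplified AH/ESP ICV as an HMAC with a constructed key; addresses, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA would negotiate this via IKE (UDP 500).
KEY = b"constructed-demo-key"
IPV4_FMT = "!BBHHHBBH4s4s"    # minimal 20-byte IPv4 header, no options
PROTO_ESP, PROTO_AH = 50, 51  # IP protocol numbers, not TCP/UDP ports

def ipv4_header(src, dst, ttl, proto, payload_len):
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable(hdr):
    # AH (RFC 4302) zeroes fields a router may legitimately change before hashing:
    # TOS, flags/fragment offset, TTL and header checksum. Addresses stay covered.
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)

def icv(mode, hdr, esp_hdr, payload):
    # Simplified: AH's ICV covers the immutable parts of the outer IP header plus
    # payload; ESP's ICV covers only the ESP header and the protected payload.
    data = zero_mutable(hdr) + payload if mode == "AH" else esp_hdr + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def forward(hdr, new_src):
    # What a hop does to the outer header: decrement TTL; a NAT device
    # additionally rewrites the source address.
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[5] -= 1
    f[8] = ipaddress.IPv4Address(new_src).packed
    return struct.pack(IPV4_FMT, *f)

def survives_path(mode, src, dst, seen_src, payload=b"constructed payload"):
    """True if the receiver's ICV check passes after one hop that presents the
    packet with source seen_src (seen_src == src models plain routing, no NAT)."""
    proto = PROTO_AH if mode == "AH" else PROTO_ESP
    esp_hdr = struct.pack("!II", 0x1000, 1)  # SPI, sequence number (constructed)
    hdr = ipv4_header(src, dst, 64, proto, len(payload))
    sent = icv(mode, hdr, esp_hdr, payload)
    arrived = forward(hdr, seen_src)
    return hmac.compare_digest(icv(mode, arrived, esp_hdr, payload), sent)

if __name__ == "__main__":
    print("AH, routed only :", survives_path("AH", "10.0.0.5", "203.0.113.9", "10.0.0.5"))
    print("AH, through NAT :", survives_path("AH", "10.0.0.5", "203.0.113.9", "198.51.100.1"))
    print("ESP, through NAT:", survives_path("ESP", "10.0.0.5", "203.0.113.9", "198.51.100.1"))
```

The TTL decrement alone does not break AH, because AH zeroes mutable fields before hashing; only the rewritten source address does. The example does not model PAT, where a translator also needs visible ports that ESP hides, which is a separate limitation.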