This is correct.  IPSec does not prevent you from forwarding all traffic
down the tunnel and denying local access--this is a configurable option.
I think that the Nortel marketroid speak for allowing the local
network connectivity when connected to the VPN tunnel is "split
tunneling".  This can (and should) be disabled if you are using a VPN over
the Internet.  

With it on, you can do fun things like enumerate users/groups/shares on NT
VPN clients from across the Internet.  You can map administrative shares
(like c$) across the Internet.  Or, if someone has IP forwarding turned
on, they can act as a router from the Internet, down the VPN tunnel, and
into your corporate network (sing along! :  "over the router and through
the VPN tunnel and into the network we go...")

-Jason

On Wed, 29 Dec 1999, Mikael Olsson wrote:

> Date: Wed, 29 Dec 1999 14:23:43 +0100
> From: Mikael Olsson <[EMAIL PROTECTED]>
> To: Merton Campbell Crockett <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: MS PPTP (Safe?) - alternative?
> 
> 
> Just a little .... slap on the wrist :-P
> 
> Merton Campbell Crockett wrote:
> >
> > L2TP is interesting from a security perspective as it isolates the system
> > from its current network and connects it to the target network.  Once the
> > connection is established to the target network, all connectivity is lost
> > to the local network, i.e. any mapped drives are unreachable as are any
> > shared devices such as printers.  
> > 
> > Voila!  None of the back channel problems of IPsec.
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> IPsec implementations do not have back channel problems unless
> you configure them to have back channel problems.
> 
> It is completely possible to divert ALL traffic to the IPsec connection
> ("VPN tunnel"), the same way it is possible to establish a connection
> only for a single port and forward all other traffic in plain text.
> Flexibility does not automagically mean insecurity.
> 
> I for one would rather be able to choose which way best fits my
> needs (and security model).
> 
> Just my $.02
> /Mike
> 
> -- 
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
> Mobile: +46-(0)70-248 00 33
> WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
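The split-tunneling risk Jason describes above, as an added defender-side posture check that is not part of the original thread: given a VPN client's routing table, it classifies the configuration as full-tunnel or split-tunnel and flags the combination he warns about (split tunneling plus IP forwarding, which lets the client route from the Internet into the corporate network). The route lines and the simplified "cidr dev iface" format are constructed for the example; the interface and gateway names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Route:
    dest: str   # destination in CIDR form, "0.0.0.0/0" for the default route
    iface: str  # interface the route leaves through


def parse_routes(text):
    """Parse constructed lines of the form '<cidr> dev <iface>' (sample format)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "dev":
            routes.append(Route(parts[0], parts[2]))
    return routes


def assess(routes, vpn_iface, vpn_gateway, ip_forwarding):
    """Classify the table as full-tunnel or split-tunnel and list findings.

    A full tunnel sends the default route into the VPN interface and keeps
    only loopback, link-local and the host route to the VPN gateway itself
    (which has to stay on the physical interface) outside the tunnel.
    """
    gw = ip_network(vpn_gateway + "/32")
    default_via_vpn = any(
        ip_network(r.dest).prefixlen == 0 and r.iface == vpn_iface for r in routes)
    bypass = []
    for r in routes:
        net = ip_network(r.dest)
        if r.iface == vpn_iface or net.is_loopback or net.is_link_local or net == gw:
            continue
        bypass.append(r)  # a destination reachable without entering the tunnel
    findings = []
    if not default_via_vpn:
        findings.append("default route does not enter the tunnel")
    for r in bypass:
        findings.append(f"{r.dest} reachable via {r.iface}, bypassing the tunnel")
    mode = "full-tunnel" if default_via_vpn and not bypass else "split-tunnel"
    if ip_forwarding:
        findings.append("IP forwarding enabled on the client")
        if mode == "split-tunnel":
            findings.append("CRITICAL: client can forward between the Internet and the tunnel")
    return mode, findings
```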
