Alex,

Most modern IPsec clients have better security than they used to. There was
a time that if your company was using public addresses internally ...and
a remote client had a VPN connection across the Internet ...and said
remote client also was inadvertently configured to route traffic from
the Internet across the VPN ...and someone knew enough to target you.

It was (and still is) possible to get into the company network that way.
I realize that the chances of this happening are extremely remote. I
have, however, witnessed this very thing while working for Ascend
Communications. Thankfully FreeS/WAN is a much better product and public
addresses are not as commonly used internally as they once were.

Assuming that you are using private addressing internally and assuming
that your ISP is filtering the RFC 1918 addresses, then yes, the next hop
"should" be the extent of the threat. This threat, however, can be
mitigated by good firewalling practices.

Best Regards,

Eric "In the grip of paranoia." Kiser

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:leaf-user-
> [EMAIL PROTECTED] On Behalf Of Lynn Avants
> Sent: Tuesday, July 29, 2003 6:38 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
> 
> On Tuesday 29 July 2003 04:53 pm, Alex Rhomberg wrote:
> > > It's fairly straightforward. Let's say you've got a machine on the
> > > internet with nothing between you and the 'net. You're running with a
> > > public IP (I'm gonna use a private, so just pretend) of 172.16.8.1 on
> > > your machine, and you're connected to a VPN. Routing is also turned on
> > > on this particular machine.
> >
> > I still don't get it: Let's say I have the setup you described, with
> > 192.168.1.0/24 being my VPN. You're sitting on the other side of the
> > Internet, say 10 hops away. How can you send a packet to 192.168.1.1? Is
> > there a standard tunneling method that is always activated? The 10 hops
> > on the way would all drop a packet sent to 192.168.1.1.
> >
> > Wouldn't the cryptic commands you described only work on my next hop,
> > i.e. the ISP's router? This would reduce the number of people who can get
> > at my VPN quite significantly (ISP admins instead of "whole Internet")
> 
> The private addressing sent via the tunnel is encapsulated and encrypted
> under the public IP address of the VPN gateway. Nothing outside of the VPN
> gateways (i.e. the Internet) would have any idea that any private addressing
> is attached to these packets.
> 
> To further the earlier question of using both VPN and internet access at
> the same time..... you can't run a VPN w/o internet access can you? :)
> In all cases, the proper routing is needed for *any* VPN to work properly.
> Improper routing is the security risk that would be commonly found, though
> FreeS/WAN makes this setup extremely simple (built-in).
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer
> http://leaf.sourceforge.net
> http://guitarlynn.homelinux.org:81
> 
> 
> -------------------------------------------------------
> This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> Data Reports, E-commerce, Portals, and Forums are available now.
> Download today and enter to win an XBOX or Visual Studio .NET.
> http://aspnet.click-
> url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
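The exposure Eric describes, and the two mitigations the thread mentions (the ISP dropping RFC 1918 destinations, and firewalling on the client), as an added example that is not part of the thread, of LEAF or of FreeS/WAN. It is a toy model of a road-warrior client's forwarding decision: the attacker address, the client's public address (a TEST-NET address rather than the thread's "pretend public" 172.16.8.1, which is itself RFC 1918), the routing table and the `ipsec0` interface layout are all assumptions constructed for the example. It shows that the ISP filter only helps while the company network is privately addressed; once the internal network uses public addresses, only `ip_forward` being off or a deny-by-default FORWARD policy stops a packet from the Internet being relayed into the tunnel.

```python
"""Toy model of the "route into the company network through the VPN client"
exposure.  Everything below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addresses (not from the thread):
ATTACKER = "203.0.113.7"        # some host out on the Internet
CLIENT_PUBLIC = "192.0.2.10"    # the road warrior's genuinely public address

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def isp_filters_rfc1918(dst: str) -> bool:
    """Model of an ISP ingress filter: packets addressed to RFC 1918 space are
    dropped upstream and never reach the customer link."""
    return any(ipaddress.ip_address(dst) in net for net in RFC1918)


@dataclass
class Host:
    """Minimal model of a Linux box: interface addresses, a routing table,
    the ip_forward sysctl, and a FORWARD-chain default policy plus allow-list."""
    addrs: dict                         # iface -> address on that interface
    routes: list                        # (prefix, out_iface); longest prefix wins
    ip_forward: bool
    forward_policy: str = "ACCEPT"      # default policy of the FORWARD chain
    forward_accept: list = field(default_factory=list)  # allowed (in_iface, out_iface)

    def lookup(self, dst: str):
        """Longest-prefix-match route lookup; returns the outgoing interface."""
        best = None
        for prefix, iface in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (
                    best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def receive(self, dst: str, in_iface: str) -> str:
        """What the host does with a packet to `dst` arriving on `in_iface`."""
        if dst in self.addrs.values():
            return "deliver-local"
        if not self.ip_forward:
            return "drop: forwarding disabled"
        out = self.lookup(dst)
        if out is None:
            return "drop: no route"
        if self.forward_policy == "DROP" and (in_iface, out) not in self.forward_accept:
            return f"drop: FORWARD {in_iface}->{out} not permitted"
        return f"forward via {out}"


def road_warrior(internal_net: str, ip_forward: bool, firewalled: bool) -> Host:
    """The VPN client from the thread.  Assumption: a FreeS/WAN-style ipsec0
    interface bound to eth0 carries the route to the company network."""
    return Host(
        addrs={"eth0": CLIENT_PUBLIC, "ipsec0": CLIENT_PUBLIC},
        routes=[("0.0.0.0/0", "eth0"), (internal_net, "ipsec0")],
        ip_forward=ip_forward,
        forward_policy="DROP" if firewalled else "ACCEPT",
        forward_accept=[],   # a single-host client has nothing legitimate to forward
    )


def attack(dst: str, internal_net: str, *, isp_filter: bool,
           ip_forward: bool = True, firewalled: bool = False) -> str:
    """Where a packet from ATTACKER to `dst` ends up, given the ISP's filtering
    and the client's forwarding / firewall configuration."""
    if isp_filter and isp_filters_rfc1918(dst):
        return "drop: ISP ingress filter"
    client = road_warrior(internal_net, ip_forward, firewalled)
    return client.receive(dst, "eth0")


if __name__ == "__main__":
    cases = [
        ("private LAN, ISP filters",          "192.168.1.1",   "192.168.1.0/24", dict(isp_filter=True)),
        ("private LAN, ISP does not filter",  "192.168.1.1",   "192.168.1.0/24", dict(isp_filter=False)),
        ("public LAN, ISP filters",           "198.51.100.10", "198.51.100.0/24", dict(isp_filter=True)),
        ("public LAN, FORWARD policy DROP",   "198.51.100.10", "198.51.100.0/24", dict(isp_filter=True, firewalled=True)),
        ("public LAN, ip_forward=0",          "198.51.100.10", "198.51.100.0/24", dict(isp_filter=True, ip_forward=False)),
    ]
    for label, dst, net, kw in cases:
        print(f"{label:36s} {ATTACKER} -> {dst}: {attack(dst, net, **kw)}")
```

On a real Linux client the two things the model checks are `sysctl net.ipv4.ip_forward` (0 for a single-host road warrior) and the default policy of the netfilter FORWARD chain, which should be DROP with no rule admitting traffic from the public interface into the tunnel interface.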


