Two addendum points:

1. A LOT of ISPs use RFC1918 address space as connector IPs on their own network. It conserves IP addresses that they can sell/lease to customers, and overall it works well. This means that if your ISP is doing this, and your VPN is on a different block, AND the ISP routers somehow became aware of the block you're routing to (bit of a stretch, I know, on that last), then you end up serving as a gateway. More likely, traffic just dead-ends in your ISP, possibly at one of their routers.

2. Lots of folks use cablemodems as their internet access. Those that do rarely think about security from their friendly neighborhood fellow cablemodem users. That would be, at minimum, 252 users who could access your system and invade the VPN Network. Including Little Jimmy, who's now 13 and thinks cracking corporate networks is way l33t. More likely, it includes everyone in your town, and all of little Jimmy's l33t friends. All because a cablemodem network is like one big LAN. I get at least 50 hits a day on Netbios ports just from people who have no clue that their computer is a sitting target, and is actively looking to compromise itself for you. That's the real threat. Granted, maybe not the entire net, but a far larger portion than you'd like to think is healthy.

George Metz

----- Original Message -----
From: Eric B Kiser <[EMAIL PROTECTED]>
Date: Tuesday, July 29, 2003 7:42 pm
Subject: RE: [leaf-user] VPN security issue? Slightly O/T...

> Alex,
>
> Most modern IPsec clients have better security than they used to. There was
> a time that if your company was using public addresses internally
> ...and a remote client had a VPN connection across the Internet ...and said
> remote client also was inadvertently configured to route traffic from
> the internet across the VPN ...and someone knew enough to target you.
>
> It was (and still is) possible to get into the company network that way.
> I realize that the chances of this happening are extremely remote. I
> have, however, witnessed this very thing while working for Ascend
> communications. Thankfully FreeS/WAN is a much better product and
> public addresses are not as commonly used internally as they once were.
>
> Assuming that you are using private addressing internally and assuming
> that your ISP is filtering the RFC 1918 addresses, then yes the next-hop
> "should" be the extent of the threat. This threat, however, can be
> mitigated by good fire-walling practices.
>
> Best Regards,
>
> Eric "In the grip of paranoia." Kiser
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [leaf-user-[EMAIL PROTECTED] On Behalf Of Lynn Avants
> > Sent: Tuesday, July 29, 2003 6:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [leaf-user] VPN security issue? Slightly O/T...
> >
> > On Tuesday 29 July 2003 04:53 pm, Alex Rhomberg wrote:
> > > > It's fairly straightforward. Let's say you've got a machine on the
> > > > internet with nothing between you and the 'net. You're running with a
> > > > public IP (I'm gonna use a private, so just pretend) of 172.16.8.1 on
> > > > your machine, and you're connected to a VPN. Routing is also turned on
> > > > on this particular machine.
> > >
> > > I still don't get it: Let's say I have the setup you described, with
> > > 192.168.1.0/24 being my VPN. You're sitting on the other side of the
> > > Internet, say 10 hops away. How can you send a packet to 192.168.1.1? Is
> > > there a standard tunneling method that is always activated? The 10 hops
> > > on the way would all drop a packet sent to 192.168.1.1.
> > >
> > > Wouldn't the cryptic commands you described only work on my next hop,
> > > i.e. the ISP's router? This would reduce the number of people who can get
> > > at my VPN quite significantly (ISP admins instead of "whole Internet")
> >
> > The private addressing sent via the tunnel is encapsulated and encrypted
> > under the public ip address of the VPN gateway. Nothing outside of the VPN
> > gateways (ie... internet) would have any idea that any private addressing
> > is attached to these packets.
> >
> > To further the earlier question of using both VPN and internet access at
> > the same time..... you can't run a VPN w/o internet access can you? :)
> > In all cases, the proper routing is needed for *any* VPN to work properly.
> > Improper routing is the security risk that would be commonly found, though
> > FreeS/WAN makes this setup extremely simple (built-in).
> > --
> > ~Lynn Avants
> > Linux Embedded Appliance Firewall Developer
> > http://leaf.sourceforge.net
> > http://guitarlynn.homelinux.org:81
> >
> >
> > -------------------------------------------------------
> > This SF.Net email sponsored by: Free pre-built ASP.NET sites including
> > Data Reports, E-commerce, Portals, and Forums are available now.
> > Download today and enter to win an XBOX or Visual Studio .NET.
> > http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
> > -------------------------------------------------------
> > leaf-user mailing list: [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/leaf-user
> > SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
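The scenario the whole thread circles (a dual-homed VPN client with routing turned on that could relay packets from the Internet side into the tunnel), George's cable-modem "one big LAN" point, and Eric's remark that RFC 1918 filtering plus good firewalling bound the threat, reduced to a small forwarding-decision model. This is an added example and is not code from the original thread or from the LEAF or FreeS/WAN projects; the interface names eth0/ipsec0, the host's own addresses, the 203.0.113.7 neighbour and the 198.51.100.0/24 network standing in for "a company that uses public addresses internally" are all constructed for illustration.

```python
"""Forwarding-decision model for a dual-homed VPN client.

Added example, not from the original thread. Interface names, the host's
own addresses and the 198.51.100.0/24 network are constructed.
"""
import ipaddress

# RFC 1918 private space, the ranges Eric assumes the ISP filters.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PUBLIC_IF = "eth0"    # assumed: cable-modem side, shared with the neighbourhood
TUNNEL_IF = "ipsec0"  # assumed: FreeS/WAN-style tunnel interface

# Networks reachable only through the tunnel. 192.168.1.0/24 is the VPN from
# the thread; 198.51.100.0/24 (a documentation range) stands in for a company
# that uses public addresses internally, the case Eric saw at Ascend.
VPN_NETS = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("198.51.100.0/24")]

# Addresses owned by this host (constructed): one public, one tunnel-side.
LOCAL_ADDRS = {"203.0.113.10", "192.168.1.50"}


def is_rfc1918(addr):
    """True if addr falls in any RFC 1918 block."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def route_lookup(dst):
    """Two-entry routing table: VPN networks via the tunnel, the rest via eth0."""
    d = ipaddress.ip_address(dst)
    if any(d in net for net in VPN_NETS):
        return TUNNEL_IF
    return PUBLIC_IF


def decide(iface_in, src, dst, ip_forward, filtered):
    """Return 'deliver', 'drop' or 'forward:<iface>' for one packet.

    ip_forward: the host's routing switch (what Alex's "routing is turned on"
                refers to).
    filtered:   whether the anti-spoof / no-public-to-tunnel policy is loaded.
    """
    if dst in LOCAL_ADDRS:
        return "deliver"           # addressed to us: input path, not forwarding
    if not ip_forward:
        return "drop"              # routing off: non-local packets are discarded
    out_if = route_lookup(dst)
    if filtered and iface_in == PUBLIC_IF:
        # No private source or destination may arrive from the public side.
        if is_rfc1918(src) or is_rfc1918(dst):
            return "drop"
        # Nothing that came in from the Internet is relayed into the tunnel,
        # whatever the destination address looks like (covers the public-
        # addresses-used-internally case that RFC 1918 filtering misses).
        if out_if == TUNNEL_IF:
            return "drop"
    return "forward:" + out_if


def iptables_rules():
    """Render the same policy as iptables commands (strings only, not executed)."""
    rules = []
    for net in RFC1918:
        rules.append("iptables -A FORWARD -i %s -s %s -j DROP" % (PUBLIC_IF, net))
        rules.append("iptables -A FORWARD -i %s -d %s -j DROP" % (PUBLIC_IF, net))
    rules.append("iptables -A FORWARD -i %s -o %s -j DROP" % (PUBLIC_IF, TUNNEL_IF))
    # George's NetBIOS hits from the cable segment: refuse them rather than answer.
    rules.append("iptables -A INPUT -i %s -p udp --dport 137:138 -j DROP" % PUBLIC_IF)
    rules.append("iptables -A INPUT -i %s -p tcp --dport 139 -j DROP" % PUBLIC_IF)
    return rules


if __name__ == "__main__":
    # A neighbour on the cable segment (203.0.113.7, constructed) aims at the VPN.
    for fwd, flt in ((True, False), (True, True), (False, False)):
        print("ip_forward=%s filtered=%s -> %s" % (
            fwd, flt, decide("eth0", "203.0.113.7", "192.168.1.1", fwd, flt)))
    for rule in iptables_rules():
        print(rule)
```

Two things the model makes visible. First, with routing switched off the path Alex asked about is already closed: a packet for 192.168.1.1 arriving on the cable side is simply discarded, so the filter only matters once the host genuinely has to route (a LEAF box fronting a LAN, say). Second, the RFC 1918 drops are deliberately placed on the FORWARD chain, not INPUT: George's first point means the ISP's own hops may source ICMP from private connector addresses toward you, and dropping those on INPUT can interfere with things like path-MTU discovery, whereas nothing legitimate ever needs to be forwarded from the public side into the tunnel.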
