From chost at LANL.GOV Mon Jul 3 10:52:15 2000
From: chost at LANL.GOV (Cheryl Host)
Date: Mon, 3 Jul 2000 08:52:15 -0600
Subject: SHIVA ??
References: <20000630053849.20150.qmail@web6003.mail.yahoo.com>
Message-ID: <002701bfe4fe$4723fc30$1672a580@lanl.gov>

We have been using Shiva (now Intel) LanRover for about 1.5 years. The product is fairly stable, not too much effort to support. Our main problem is that we were promised MAC and Linux support from the beginning. (Told it was just a couple of months away.) Now it is no longer even a "glimmer" in a developer's eye.

----- Original Message -----
From: "Paco Law"
To:
Sent: Thursday, June 29, 2000 11:38 PM
Subject: SHIVA ??

> I'm looking for a VPN solution.
> Is anyone using SHIVA VPN products?
> Any comments?
>
> How about RADGUARD?
> It's very simple to setup...
>
> Thanks!
>
> Regards,
> Ray

VPN is sponsored by SecurityFocus.COM

From mhark at INSYNC.NET Tue Jul 4 00:48:13 2000
From: mhark at INSYNC.NET (Matthew Harkrider)
Date: Mon, 3 Jul 2000 23:48:13 -0500
Subject: PIX 515R upgrade
Message-ID: <00a101bfe573$0fa0cf20$2ca50940@insync.net>

Anyone have any information about the 3rd interface upgrade on the PIX 515R? What card is needed, software activation, etc? Any info would be greatly appreciated.

Regards,
Matthew

From Eivind at NA.DK Mon Jul 3 05:41:30 2000
From: Eivind at NA.DK (Eivind Andreassen)
Date: Mon, 3 Jul 2000 11:41:30 +0200
Subject: Cisco VPN client & 2600 router
Message-ID: <8A92977BCA07D411B6B300062905572D021C@SERVER>

We have set up a Cisco 2600 router with VPN software (IPSec) installed, and are using it with Cisco's own VPN client v1.1. This works fine in Windows 9x/NT.
The problem is, some of our remote users use Windows 2000 PCs or Macintoshes, and Cisco's client software does not work with these OSes yet. Is there any software available for Win2000/Mac that will function with the Cisco router? I know there is some built-in VPN support in Windows 2000 but I have been unable to find any good resources on setting it up to work with this router.

Thanks on behalf.

Eivind Andreassen

From girish.aras at HPSBLR.SOFT.NET Mon Jul 3 06:52:36 2000
From: girish.aras at HPSBLR.SOFT.NET (Girish M Aras)
Date: Mon, 3 Jul 2000 15:52:36 +0500
Subject: VPN Client Does not work behind the firewall
Message-ID:

Hi all,

We are using IntraPort VPN client from Compatible Systems to connect to our remote site. It works well without the firewall, but not behind the firewall (Checkpoint Firewall-1). NAT (Network Address Table) is done in the firewall. We are able to authenticate to the remote server even behind the firewall but cannot browse the files. Any solutions?

Regards
Girish

From Noah_Salzman at NAI.COM Mon Jul 3 22:37:43 2000
From: Noah_Salzman at NAI.COM (Salzman, Noah)
Date: Mon, 3 Jul 2000 19:37:43 -0700
Subject: Cisco VPN client & 2600 router
Message-ID: <0DA2A15FEE96D31187AA009027AA6A720135FAF5@ca-exchange1.nai.com>

Eivind,

PGP 6.5.x includes an IPsec client that runs on Mac OS as well as Win 95b, 98, and NT. PGP 7 will run on all of the above plus Win 2000. This product is in beta right now and will be released sometime in the near future. (Sorry, I can't be more specific.)

Noah Salzman
PGP Security, Inc.
408.346.5186

-----Original Message-----
From: Eivind Andreassen [mailto:Eivind at NA.DK]
Sent: Monday, July 03, 2000 2:42 AM
To: VPN at SECURITYFOCUS.COM
Subject: Cisco VPN client & 2600 router

We have set up a Cisco 2600 router with VPN software (IPSec) installed, and are using it with Cisco's own VPN client v1.1. This works fine in Windows 9x/NT.

The problem is, some of our remote users use Windows 2000 PCs or Macintoshes, and Cisco's client software does not work with these OSes yet. Is there any software available for Win2000/Mac that will function with the Cisco router? I know there is some built-in VPN support in Windows 2000 but I have been unable to find any good resources on setting it up to work with this router.

Thanks on behalf.

Eivind Andreassen

From evyncke at CISCO.COM Tue Jul 4 02:19:20 2000
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Tue, 4 Jul 2000 08:19:20 +0200
Subject: VPN Client Does not work behind the firewall
In-Reply-To:
Message-ID: <4.2.0.58.20000704081658.009cb220@brussels.cisco.com>

Usually, firewall and/or NAT devices are breaking the IPSec tunnel. Hence the reason for the Intraport client and concentrator to have a specific NAT mode. Actually, it is encapsulation of all IPSec packets into a TCP port 80 packet to allow NAT transparency. I'm not really sure whether the pseudo TCP connection is complete enough with all the flags to ensure a firewall traversal. Anyway, you should give it a try.

Hope this helps

-eric

At 15:52 03/07/2000 +0500, Girish M Aras wrote:
>Hi all,
>
>We are using IntraPort VPN client from Compatible Systems to connect to our
>remote site.
>It works well without the firewall, but not behind the firewall
>(Checkpoint Firewall-1).
>NAT (Network Address Table) is done in the firewall. We are able to
>authenticate to the remote server even behind the firewall but cannot browse
>the files.
>Any solutions?
>
>Regards
>Girish

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From stuart at ZEN.CO.UK Tue Jul 4 10:06:40 2000
From: stuart at ZEN.CO.UK (Stuart Birchall)
Date: Tue, 4 Jul 2000 15:06:40 +0100
Subject: VPN Client Does not work behind the firewall
References:
Message-ID: <00dd01bfe5c1$13820480$190917d4@zen.co.uk>

NAT is incompatible with Authentication Header protocol, whether used in transport or tunnel mode. An IPsec VPN using AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

Why this bothers NAT is the last part: a NAT device in between the IPsec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and will complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been altered for nefarious purposes.

IPsec using Encapsulating Security Payload in tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash value appended to the packet.
This mode (tunnel mode ESP with authentication) is compatible with NAT, because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device.

Transport mode ESP with authentication is also compatible with NAT, but is not often used by itself. Since the hash is computed only over the original payload, original headers may be rewritten.

In addition, NAT may interfere with IPSec (both ESP and AH) if it prevents the two VPN gateways from successfully negotiating SAs using ISAKMP/IKE with certificates. X.509 certificates are signed by a trusted third party (called a Certificate Authority) in order to bind a user's or device's public key to some other identifying public characteristic. One common identifying characteristic used for VPN gateway devices is external IP address. If the two VPN gateways exchange signed certificates that bind each gateway's identity to its IP address, NAT address rewriting will cause IKE negotiation to fail.

(extract from a Cisco fact file)

Stu

----- Original Message -----
From: "Girish M Aras"
To:
Sent: 03 July 2000 11:52
Subject: VPN Client Does not work behind the firewall

> Hi all,
>
> We are using IntraPort VPN client from Compatible Systems to connect to our
> remote site.
> It works well without the firewall, but not behind the firewall
> (Checkpoint Firewall-1).
> NAT (Network Address Table) is done in the firewall. We are able to
> authenticate to the remote server even behind the firewall but cannot browse
> the files.
> Any solutions?
>
> Regards
> Girish

From sandy at STORM.CA Mon Jul 3 21:21:52 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Mon, 3 Jul 2000 21:21:52 -0400
Subject: SHIVA ??
References: <20000630053849.20150.qmail@web6003.mail.yahoo.com> <002701bfe4fe$4723fc30$1672a580@lanl.gov>
Message-ID: <39613C30.FBC2B09D@storm.ca>

Cheryl Host wrote:
>
> We have been using Shiva (now Intel) LanRover for about 1.5 years. The
> product is fairly stable, not too much effort to support. Our main problem
> is that we were promised MAC and Linux support from the beginning. (Told it
> was just a couple of months away.) Now it is no longer even a "glimmer" in
> a developer's eye.
>

The FreeS/WAN (http://www.freeswan.org) implementation of IPSEC for Linux reportedly interoperates with Shiva's product. Details at:

http://snowcrash.tdyc.com/freeswan/

From mikael.olsson at ENTERNET.SE Tue Jul 4 06:09:11 2000
From: mikael.olsson at ENTERNET.SE (Mikael Olsson)
Date: Tue, 4 Jul 2000 12:09:11 +0200
Subject: Host-to-host VPN/encryption
References: <395C856A.49FA3E13@uni-c.dk>
Message-ID: <3961B7C7.5ADCA882@enternet.se>

"Per C. H. Jacobsen" wrote:
> Tried:
> A SSH daemon on each NT listening on port 22 and a redirecting SSH command
> forwarding everything from port XXXX to port 22 and on to the other hosts port
> 22.
>
> However I would like the same simple functionality from a better tested, more
> user-friendly, slightly improved and 100% functioning piece of software.

Go to the source and get the "real", fully supported SSH client from SSH Communications themselves: http://commerce.ssh.com/

If they don't know how to develop and test cryptography software, I don't know who does.
/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00   Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636  Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/  E-mail: mikael.olsson at enternet.se

From jwheatley at SWCP.COM Tue Jul 4 11:09:42 2000
From: jwheatley at SWCP.COM (John Wheatley)
Date: Tue, 4 Jul 2000 08:09:42 -0700
Subject: Vpn does not work with dsl/cable router
Message-ID: <01BFE58F.35DE2C20.jwheatley@swcp.com>

Jon, Another LinkSys question. We are using a new BEFSR41 Router as a NAT/PAT device for our office network. We have an application that uses port 20000 and requires internet access, so I set up Port Forwarding. Strange thing happens- When it works, it is solid. But... sometimes the port forwarding appears not to work and my Port 20K machine doesn't get out. I have tried packet capture and can see the Private address (port 20K inside machine) trying to connect but getting no response. Packet capture on the Public (port 20K outside machine) shows connect attempts but no response. This makes me think that the BEFSR41 Forwarding doesn't always work. Have you had any experience with Forwarding?

JohnW

-----Original Message-----
From: Jon Carnes [SMTP:jonc at haht.com]
Sent: Friday, June 30, 2000 3:13 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Vpn does not work with dsl/cable router

Upgrade your firmware. You probably have an older version. We use LinkSys routers at our trade shows and at some of our remote sites, all of them allow PPTP (ms-vpn) through.

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "Marlon Velasco"
To:
Sent: Thursday, June 29, 2000 11:13 PM
Subject: Vpn does not work with dsl/cable router

> I recently purchased a linksys dsl\cable router to share my internet
> connection among multiple computers. Since installing this router my vpn
> client does not work anymore.
> What do I need to configure in the router to
> allow vpn access?
>
> Thanks,
> Marlon

From jonc at HAHT.COM Tue Jul 4 17:59:16 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 4 Jul 2000 17:59:16 -0400
Subject: Vpn does not work with dsl/cable router
References: <01BFE58F.35DE2C20.jwheatley@swcp.com>
Message-ID: <004901bfe603$2b852660$b6041918@nc.rr.com>

Alas, the Linksys router hardware was not designed for full service as a router/switch for a Business. It works in a pinch (and the software is fairly solid), but you'll find that under load it will fail. I believe that is part of what you are seeing.

You might want to turn an old PC into a router for your office. An old Pentium with around 64Meg of RAM could probably handle what you are trying to do. You could run any of a large number of Miniature Linux distributions that are specifically designed to do the job. Coyote has a distribution that you boot off a floppy and it turns your PC into a really nice router/firewall.

In haste, and heading to a 4th of July cook-out,

Jon Carnes
MIS - HAHT Software

----- Original Message -----
From: "John Wheatley"
To: "'Jon Carnes'" ;
Sent: Tuesday, July 04, 2000 11:09 AM
Subject: RE: Vpn does not work with dsl/cable router

> Jon, Another LinkSys question. We are using a new BEFSR41 Router as a
> NAT/PAT device for our office network. We have an application that uses
> port 20000 and requires internet access, so I set up Port Forwarding.
> Strange thing happens- When it works, it is solid. But... sometimes the
> port forwarding appears not to work and my Port 20K machine doesn't get
> out. I have tried packet capture and can see the Private address (port 20K
> inside machine) trying to connect but getting no response. Packet capture
> on the Public (port 20K outside machine) shows connect attempts but no
> response.
> This makes me think that the BEFSR41 Forwarding doesn't always
> work. Have you had any experience with Forwarding?
> JohnW
>
> -----Original Message-----
> From: Jon Carnes [SMTP:jonc at haht.com]
> Sent: Friday, June 30, 2000 3:13 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Vpn does not work with dsl/cable router
>
> Upgrade your firmware. You probably have an older version. We use LinkSys
> routers at our trade shows and at some of our remote sites, all of them
> allow PPTP (ms-vpn) through.
>
> Jon Carnes
> MIS - HAHT Software
> ----- Original Message -----
> From: "Marlon Velasco"
> To:
> Sent: Thursday, June 29, 2000 11:13 PM
> Subject: Vpn does not work with dsl/cable router
>
>
> > I recently purchased a linksys dsl\cable router to share my internet
> > connection among multiple computers. Since installing this router my vpn
> > client does not work anymore. What do I need to configure in the router to
> > allow vpn access?
> >
> > Thanks,
> > Marlon

From Per.Jacobsen at UNI-C.DK Wed Jul 5 03:59:58 2000
From: Per.Jacobsen at UNI-C.DK (Per C. H. Jacobsen)
Date: Wed, 5 Jul 2000 09:59:58 +0200
Subject: Host-to-host VPN/encryption
References: <395C856A.49FA3E13@uni-c.dk> <3961B7C7.5ADCA882@enternet.se>
Message-ID: <3962EAFE.C9FF3925@uni-c.dk>

I've checked out the source. However the "real" SSH DOES NOT support the SSH daemon on NT. Neither the "2 connections server" in the Workstation version nor the Server version itself.

Per

Mikael Olsson wrote:
> "Per C. H. Jacobsen" wrote:
> > Tried:
> > A SSH daemon on each NT listening on port 22 and a redirecting SSH command
> > forwarding everything from port XXXX to port 22 and on to the other hosts port
> > 22.
> >
> > However I would like the same simple functionality from a better tested, more
> > user-friendly, slightly improved and 100% functioning piece of software.
>
> Go to the source and get the "real", fully supported SSH client from SSH
> Communications themselves: http://commerce.ssh.com/
>
> If they don't know how to develop and test cryptography software, I don't
> know who does.
>
> /Mike
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46 (0)660 29 92 00   Direct: +46 (0)660 29 92 05
> Mobile: +46 (0)70 66 77 636  Fax: +46 (0)660 122 50
> WWW: http://www.enternet.se/  E-mail: mikael.olsson at enternet.se

From mlsa at IM.SE Wed Jul 5 09:44:18 2000
From: mlsa at IM.SE (Standen Malcolm - mlsa)
Date: Wed, 5 Jul 2000 15:44:18 +0200
Subject: OSPF Routing
Message-ID:

Has anybody any experience/thoughts on using OSPF as the routing and advertising protocol in a VPN network, using the virtual interface to define/learn the routing for site-to-site multi-routed network traffic versus external non-corporate traffic?

Regards

Malcolm

From shope at ENERGIS-EIS.CO.UK Wed Jul 5 13:00:56 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Wed, 5 Jul 2000 18:00:56 +0100
Subject: PIX 515R upgrade
Message-ID: <01903665B361D211BF6700805FAD5D935919CA@mail.datarange.co.uk>

Matt,

I have not done this, so usual caveats....

515R is just a 515UR without the unrestricted licence, so takes the same interface cards.

1. You need 5.1(2) code
2. Add a 1 port interface card (you have to buy this as a spare).
3. Send an email to Cisco to get a special key / licence - you need to send it to: licence at cisco.com

I understand they can then give you a FOC magic number. I suggest you send your details, the box serial number, where you got it, the phase of the moon and anything else you can think of.

We were told this will be sorted in V5.2 (August?) but then they said that for 5.1.2.....
Regards

Stephen

> -----Original Message-----
> From: Matthew Harkrider [mailto:mhark at INSYNC.NET]
> Sent: Tuesday, July 04, 2000 5:48 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: PIX 515R upgrade
>
>
> Anyone have any information about the 3rd interface upgrade on the PIX 515R?
> What card is needed, software activation, etc? Any info would be greatly
> appreciated.
>
> Regards,
> Matthew
>

-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us.

If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------

From Matt.Mullen at TEAMGDM.COM Wed Jul 5 14:29:09 2000
From: Matt.Mullen at TEAMGDM.COM (Mullen, Matt)
Date: Wed, 5 Jul 2000 14:29:09 -0400
Subject: PIX 515R upgrade
Message-ID:

Here's a list of the add-on cards for the PIX from Cisco's web site:

http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm#xtocid9055

This document says you can only have 2 Ethernet interfaces on the 515R, but it's possible Cisco can give you some sort of key to enable a 3rd.
If not then you will probably have to upgrade to the Unrestricted software. I have added PIX-1FE (1 FastEthernet) to 515UR with version 5.1(1). With the unrestricted software it is as easy as shut it down, put card in, power back up. Hope this helps.

Matt

-----Original Message-----
From: Matthew Harkrider [mailto:mhark at INSYNC.NET]
Sent: Tuesday, July 04, 2000 12:48 AM
To: VPN at SECURITYFOCUS.COM
Subject: PIX 515R upgrade

Anyone have any information about the 3rd interface upgrade on the PIX 515R? What card is needed, software activation, etc? Any info would be greatly appreciated.

Regards,
Matthew

From zarling at BERBEE.COM Wed Jul 5 23:11:47 2000
From: zarling at BERBEE.COM (Eric Zarling)
Date: Wed, 5 Jul 2000 22:11:47 -0500
Subject: PIX 515R upgrade
In-Reply-To:
Message-ID: <4.2.0.58.20000705221100.00ad8498@berbee.com>

You can also upgrade the PIX software to enable 56 bit encryption and this should open up all six interfaces for use.

Eric

At 02:29 PM 7/5/2000 -0400, Mullen, Matt wrote:
>Here's a list of the add-on cards for the PIX from Cisco's web site:
>
>http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm#xtocid9055
>
>This document says you can only have 2 Ethernet interfaces on the 515R, but
>it's possible Cisco can give you some sort of key to enable a 3rd. If not
>then you will probably have to upgrade to the Unrestricted software. I have
>added PIX-1FE (1 FastEthernet) to 515UR with version 5.1(1). With the
>unrestricted software it is as easy as shut it down, put card in, power
>back up. Hope this helps.
>
>Matt
>
>-----Original Message-----
>From: Matthew Harkrider [mailto:mhark at INSYNC.NET]
>Sent: Tuesday, July 04, 2000 12:48 AM
>To: VPN at SECURITYFOCUS.COM
>Subject: PIX 515R upgrade
>
>
>Anyone have any information about the 3rd interface upgrade on the PIX 515R?
>What card is needed, software activation, etc? Any info would be greatly
>appreciated.
>
>Regards,
>Matthew

Eric Zarling
CCIE #5499
Berbee
N14 W23833 Stone Ridge Drive, Suite 300
Waukesha, Wisconsin 53188
DID 262.521.5626, Main 262.523.5800
FAX: 262.523.5803
Berbee...putting the E in business

From michel.nakhla at INTELSAT.INT Thu Jul 6 10:23:09 2000
From: michel.nakhla at INTELSAT.INT (michel.nakhla at INTELSAT.INT)
Date: Thu, 6 Jul 2000 10:23:09 -0400
Subject: Applications across the Internet and VPN's
Message-ID: <490B4C213EC8D211851F00105A29CA5A01AD0D19@admex1.adm.intelsat.int>

I am setting up a test-bed for testing VPN's in a satellite environment. I would like to use typical applications in the test-bed for evaluation purposes. I would appreciate it greatly if current users of VPN's can provide info on the applications that they are using across their VPN's and the environment (including platform) in which they are used, e.g. open Internet with no SLAs and multiple providers, single ISP with SLAs and some QOS etc. I would like also to know which applications were successful, which were problematic and the ones that did not work at all.

Thanks and Regards

Michel B. Nakhla
INTELSAT
michel.nakhla at intelsat.int

From jladwig at NTS.UMN.EDU Wed Jul 5 22:52:00 2000
From: jladwig at NTS.UMN.EDU (John Ladwig)
Date: Wed, 5 Jul 2000 21:52:00 -0500
Subject: OSPF Routing
In-Reply-To: from Standen Malcolm - mlsa at "Jul 5, 2000 03:44:18 pm"
Message-ID: <200007060252.VAA21381@nts.nts.umn.edu>

> Has anybody any experience/thoughts on using OSPF as the routing and
> advertising protocol in a VPN network, using the virtual interface to
> define/learn the routing for site-to-site multi-routed network traffic
> versus external non-corporate traffic?
We've been trying to raise awareness of the utility of listening to BGP announcements in a VPN client with every VPN vendor we've gotten to sit still and listen to us. The commodity-Internet/Internet2 split and IP-licensed content examples usually suffice to get the point across.

None have bitten, so far, though they usually do get real thoughtful, that whirring-gears distant gaze, if you get a geeky enough representative in the meeting.

Lemme know if you get any bites, eh?

-jml

From MuniX-1 at PACBELL.NET Thu Jul 6 02:11:37 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 5 Jul 2000 23:11:37 -0700
Subject: Host-to-host VPN/encryption
References: <395C856A.49FA3E13@uni-c.dk> <3961B7C7.5ADCA882@enternet.se> <3962EAFE.C9FF3925@uni-c.dk>
Message-ID: <39642319.C7F1A8EF@pacbell.net>

Well, let me correct that, there are about 3 or 5 different sshd executables for Windows NT [Not that I will run it] I mean NT... By the way all of the stuff I found was freeware ;-] Look around on the web, let the fingers do the walking..

Jose Muniz

"Per C. H. Jacobsen" wrote:
>
> I've checked out the source. However the "real" SSH DOES NOT support the SSH daemon on
> NT. Neither the "2 connections server" in the Workstation version nor the Server
> version itself.
> Per
>
> Mikael Olsson wrote:
>
> > "Per C. H. Jacobsen" wrote:
> > > Tried:
> > > A SSH daemon on each NT listening on port 22 and a redirecting SSH command
> > > forwarding everything from port XXXX to port 22 and on to the other hosts port
> > > 22.
> > >
> > > However I would like the same simple functionality from a better tested, more
> > > user-friendly, slightly improved and 100% functioning piece of software.
> >
> > Go to the source and get the "real", fully supported SSH client from SSH
> > Communications themselves: http://commerce.ssh.com/
> >
> > If they don't know how to develop and test cryptography software, I don't
> > know who does.
> >
> > /Mike
> >
> > --
> > Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> > Phone: +46 (0)660 29 92 00   Direct: +46 (0)660 29 92 05
> > Mobile: +46 (0)70 66 77 636  Fax: +46 (0)660 122 50
> > WWW: http://www.enternet.se/  E-mail: mikael.olsson at enternet.se

From shope at ENERGIS-EIS.CO.UK Thu Jul 6 13:07:04 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Thu, 6 Jul 2000 18:07:04 +0100
Subject: PIX 515R upgrade
Message-ID: <01903665B361D211BF6700805FAD5D935919D2@mail.datarange.co.uk>

Matt,

You may be thinking of the older PIX variants; the 515 is a small size unit (same chassis as a Cisco 2600 router).

The PIX 515R (and the 515UR) has 2 * 10/100 Ethernet built into the chassis / base module - you only need cards if you want more interfaces.

Only 1 port and 4 port 10/100 cards are supported in the 515UR; the stuff I have seen implies you may be able to use a 4 port card in a 515R with the new "add on" licence for a 3rd port, but only the 1 port card is explicitly mentioned.

Stephen

> -----Original Message-----
> From: Mullen, Matt [mailto:Matt.Mullen at TEAMGDM.COM]
> Sent: Wednesday, July 05, 2000 7:29 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: PIX 515R upgrade
>
>
> Here's a list of the add-on cards for the PIX from Cisco's web site:
>
> http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm#xtocid9055
>
> This document says you can only have 2 Ethernet interfaces on the 515R, but
> it's possible Cisco can give you some sort of key to enable a 3rd. If not
> then you will probably have to upgrade to the Unrestricted software. I have
> added PIX-1FE (1 FastEthernet) to 515UR with version 5.1(1). With the
> unrestricted software it is as easy as shut it down, put card in, power
> back up. Hope this helps.
>
> Matt
>
> -----Original Message-----
> From: Matthew Harkrider [mailto:mhark at INSYNC.NET]
> Sent: Tuesday, July 04, 2000 12:48 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: PIX 515R upgrade
>
>
> Anyone have any information about the 3rd interface upgrade on the PIX 515R?
> What card is needed, software activation, etc? Any info would be greatly
> appreciated.
>
> Regards,
> Matthew

From MuniX-1 at PACBELL.NET Thu Jul 6 02:27:33 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 5 Jul 2000 23:27:33 -0700
Subject: OSPF Routing
References:
Message-ID: <396426D5.A05A9BCB@pacbell.net>

Hello there;

Well, I have actually done it and it took me a few tries.
Here is the secret:

You need to create a tunnel interface on each of the OSPF neighbors, then you will need 1 static that will point to the VPN to route to the other side of the tunnel. You need to do this obviously in all of the participating neighbor routers.

Then you need to add policy routing so any traffic from the outside of the VPN is routed directly out and it is not distributed via OSPF. If you do not do this then the routes will expire every 30 secs. and then they get distributed again, making the network unusable every 30 seconds... The egg and the chicken analogy... The packets will go around and around and around...

The problem is that you can not adjust the MTU on a tunnel interface and then you will get lots of frags; I think that the MTU is 1470 or so. It really did not behave as well as I thought, some applications seemed to perform slow, particularly the apps that send big packets, NFS for example.

The work that takes to do this is better to use statics, as far as your networks are diced properly you should not have that many statics per area.

However it is well worth the fun to play with nested tunnels.. ;-]

Jose Muniz

> Standen Malcolm - mlsa wrote:
>
> Has anybody any experience/thoughts on using OSPF as the routing and
> advertising protocol in a VPN network, using the virtual interface to
> define/learn the routing for site-to-site multi-routed network traffic
> versus external non-corporate traffic?
>
> Regards
>
> Malcolm

From tc at THEBIZ.NET Thu Jul 6 11:22:00 2000
From: tc at THEBIZ.NET (TC Wolsey)
Date: Thu, 6 Jul 2000 11:22:00 -0400
Subject: OSPF Routing
Message-ID:

> Has anybody any experience/thoughts on using OSPF as the routing and
> advertising protocol in a VPN network, using the virtual interface to
> define/learn the routing for site-to-site multi-routed network traffic
> versus external non-corporate traffic?
>
> Regards
>
> Malcolm

Hrm, are you asking for thoughts on running OSPF as a routing protocol over VPN encapsulated interfaces? If so, my first thought is that it seems to be a great deal of overhead for that purpose. For instance:

- If the virtual interfaces service more than one remote site each, the VPN will need to implement some handling of the multicast addresses that OSPF uses to form adjacencies.

- If transport level filtering can be done at the virtual interface, it will have to accommodate the OSPF protocol specifically. Most other routing protocols utilize TCP or UDP as a transport protocol.

- All link states must be distributed to all OSPF routers in a given area. In a typical VPN deployment you may end up with tens or hundreds of routing table entries that all have the virtual interface as the next hop. Of course you could always deploy tens or hundreds of stub areas, which may not be much prettier. Not a big deal really, but IMHO route aggregation makes management and troubleshooting easier.

As an alternative to OSPF I would probably consider RIP v2 or BGP. All three protocols are standards and support features like variable length routes and authentication.

Just some thoughts....

Regards,
tcw

From sandy at STORM.CA Thu Jul 6 16:01:13 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 6 Jul 2000 16:01:13 -0400
Subject: OSPF Routing
References: <200007060252.VAA21381@nts.nts.umn.edu>
Message-ID: <3964E589.60674CC@storm.ca>

John Ladwig wrote:
>
> > Has anybody any experience thoughts on using OSPF as the routing and
> > advertising protocol in a VPN network, using the virtual interface to
> > define/learn the routing for site-to-site multi-routed network traffic
> > versus external non corporate traffic?
>
> We've been trying to raise awareness of the utility of listening to
> BGP announcements in a VPN client with every VPN vendor we've gotten
> to sit still and listen to us.
> The commodity-Internet/Internet2
> split and IP-licensed content examples usually suffice to get the
> point across.
>
> None have bitten, so far, though they usually do get real thoughtful,
> that whirring-gears distant gaze, if you get a geeky enough
> representative in the meeting.
>
> Lemme know if you get any bites, eh?

There's been considerable discussion of the relation between IPSEC and routing protocols on the linux-ipsec at clinet.fi list.

List archive:
http://www.sandelman.ottawa.on.ca/linux-ipsec/

Project web site:
http://www.freeswan.org

A paper on "Routing for Linux IPSEC" by one of our users:
http://www.quintillion.com/fdis/moat/ipsec+routing/

This is very much an open issue for FreeS/WAN. Several proposals have been made, none adopted (let alone implemented). Any comment you'd care to provide, either here or on that project's list, would be welcome.

From smoore.vpnlist at SECURITYGLOBAL.NET Thu Jul 6 16:52:27 2000
From: smoore.vpnlist at SECURITYGLOBAL.NET (Stuart Moore)
Date: Thu, 6 Jul 2000 16:52:27 -0400
Subject: VPN deployment experiences?
Message-ID: <3964F18B.5B5FC92F@securityglobal.net>

I'm looking for anyone who has recently deployed a VPN system and would be willing to discuss those experiences, either via phone, e-mail, or -- if you are in the Washington/Baltimore area -- over lunch or a few beers. I'm looking to understand: why you selected what you did, what you like about the product, what you don't like, what you'd do differently next time, etc. Anonymous results will be made available, probably in September.

If you are interested in participating, please respond off-list to: smoore.vpnlist at securityglobal.net.

Thanks.
Stuart

From jkmatos at EARTHLINK.NET Fri Jul 7 01:58:32 2000
From: jkmatos at EARTHLINK.NET (Joseph Matos)
Date: Thu, 6 Jul 2000 22:58:32 -0700
Subject: Remote access vulnerabilities
Message-ID: <006f01bfe7d8$62b14480$8dc3fc9e@amstech>

I am doing some research into vulnerabilities associated with remote access to VPNs via dialup and cable/DSL. Any help as to resources, points of contact, or any other information would be greatly appreciated.

Thanks,
Jay Matos

From koen.depovere at EA.MONSANTO.COM Fri Jul 7 07:57:51 2000
From: koen.depovere at EA.MONSANTO.COM (DEPOVERE, KOEN [FND/5040])
Date: Fri, 7 Jul 2000 13:57:51 +0200
Subject: OSPF Routing
Message-ID: 

Jose,

I haven't thought of using tunnel interfaces, but I can imagine this works when you enable OSPF on the tunnel. This of course creates some overhead again, so it doesn't surprise me that applications don't perform that well.

On the other hand, can you please explain the policy routing part more? What do you mean by traffic from outside the VPN? I know that policy routing is based on source address instead of destination address, but I don't get the link here. Why would a route expire every 30 seconds?

Thanks,
Koen

> -----Original Message-----
> From: Jose Muniz [mailto:MuniX-1 at Pacbell.net]
> Sent: Thursday, July 06, 2000 8:28 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: OSPF Routing
>
> [message of 6 July quoted in full; snipped, see above]

From bekoin at GLOBEACCESS.NET Sat Jul 8 12:08:46 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Sat, 8 Jul 2000 16:08:46 +0000
Subject: need explanations
Message-ID: <3967520D.AA69FE9E@globeaccess.net>

Hello,

When I go to this page (http://www.data.com/article/DCM20000510S0053), they write something that I don't understand. If you can give more explanations, I will be very happy.

They write: "... and the typical time-sensitivity of the data (which determines the key length required)."
I don't understand the part of this sentence which is in step 5, third line.

Thanks

Olivier

From Ron at DURASTRESS.COM Fri Jul 7 14:25:17 2000
From: Ron at DURASTRESS.COM (Ron Buskirk)
Date: Fri, 7 Jul 2000 14:25:17 -0400
Subject: Sonicwall and Microsoft Proxy
Message-ID: <1170A2723E12D411A4CF00805FC144325F6B@comsvr1.durastress.com>

I am trying to allow remote access to my LAN via VPN through our Sonicwall Pro firewall and through Microsoft Proxy Server, which is installed on our communications server on the LAN side of the firewall. We would like to use Proxy Server for internal Internet access control of LAN clients and for web caching capabilities, and use the Sonicwall primarily for blocking unwanted traffic from the Internet.

I can connect to, and remotely manage, the Sonicwall from the remote PC (dial up internet access) through the use of the Sonicwall VPN Client software. While connected I can ping the public NIC on the communication/Proxy server, but not the NIC on the LAN side. I have disabled packet filtering in Proxy Server, which I thought would solve the problem, but it made no difference.

The Sonicwall uses IPSec for communications with the Client. When the data from the client comes to the Sonicwall, and Sonicwall passes the data along, does Sonicwall convert the data to TCP/IP again? Could this be my problem? Can I use Proxy Server along with Sonicwall?

Any help would be greatly appreciated.

Ron Buskirk
Network Administrator
Dura-Stress, Inc.

From MuniX-1 at PACBELL.NET Sat Jul 8 02:11:30 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Fri, 7 Jul 2000 23:11:30 -0700
Subject: OSPF Routing
References: 
Message-ID: <3966C612.40227960@pacbell.net>

Well, you need the policy routing because, at least in my implementation, I did have the VPN at the WAN layer of a Cisco 7507. Then I found a problem: the OSPF neighbors that were connected via VPN disappeared every 30 seconds.

So actually let me correct that: when the OSPF distributed routes were learned, then the problem started. As you know, it happened exactly every 30 seconds.

Here is my theory of why that happened: the router learns that to get to the neighbor it needs to send the traffic over the tunnel interface, therefore the packets were going around and around and around... They were probably traveling to the future, a la time machine... From X to the inside interface of the VPN, and they get out encapsulated on the outside interface of the VPN; therefore when the packets came out of the untrusted side of the VPN, instead of going straight up they went back to the tunnel interface.

As soon as I applied policy routing to force the traffic with a source IP of the VPN outside interface, then it worked and the OSPF neighbors were there, without the flaky behaviour that I was observing.

There might be other ways to get this to work other than policy routing, however that is what came to mind and did the job.

About apps performing poorly: I was able to minimize the delay and make the bandwidth better than the tunnel interface default, and it seemed to help a bit, however it did not perform as well as I thought.

Jose Muniz

"DEPOVERE, KOEN [FND/5040]" wrote:
>
> Jose,
> I haven't thought of using tunnel interfaces, but I can imagine this works
> when you enable OSPF on the tunnel. This of course creates some overhead
> again, so it doesn't surprise me that applications don't perform that
> well.
> On the other hand, can you please explain the policy routing part more? What
> do you mean by traffic from outside the VPN?
> I know that policy routing is based on source address instead of
> destination address, but I don't get the link here.
> Why would a route expire every 30 seconds?
>
> Thanks,
> Koen
>
> > -----Original Message-----
> > From: Jose Muniz [mailto:MuniX-1 at Pacbell.net]
> > Sent: Thursday, July 06, 2000 8:28 AM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: OSPF Routing
> >
> > [message of 6 July quoted in full; snipped, see above]

From lists at FIPS.DE Fri Jul 7 06:56:54 2000
From: lists at FIPS.DE (Philipp Buehler)
Date: Fri, 7 Jul 2000 12:56:54 +0200
Subject: Have an outline of the technology needed to build a VPN
In-Reply-To: ; "Muhamad Hamdan (BCM)" on 13.06.2000 @ 05:33:59 METDST
References: 
Message-ID: <20000707125654.A14565@pohl.fips.de>

Muhamad Hamdan (BCM) wrote To VPN at SECURITYFOCUS.COM:
> What sort of technology needed to build a Virtual Private Network?

Basically clue :)

In fact hard- and/or software which tunnels and optionally encrypts your private traffic to hide it from the public network.

http://www.firstvpn.com/ maybe a start.

ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From bekoin at GLOBEACCESS.NET Sat Jul 8 11:35:35 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Sat, 8 Jul 2000 15:35:35 +0000
Subject: FW to FW vpns
Message-ID: <39674A46.B8EF2587@globeaccess.net>

Hi,

I have my VPN server behind my firewall. I would like to know what ports for what protocols, or what things I can do, to allow firewall to firewall VPN to my 2 sites. Can anyone tell me?

Thanks in advance

Olivier

From misha at INSYNC.NET Fri Jul 7 15:38:59 2000
From: misha at INSYNC.NET (Misha)
Date: Fri, 7 Jul 2000 14:38:59 -0500
Subject: PIX 515R upgrade
In-Reply-To: <01903665B361D211BF6700805FAD5D935919D2@mail.datarange.co.uk>
Message-ID: 

We actually tried the 4 port card in the 515R with v5.12 and came up with a license restriction. The software may sense more than 3 interfaces though and raise red flags on that. Has anyone tried a Pix 515R, v5.12 and 3 interfaces yet?
Just to clarify things, Cisco did promise that 5.12 will expand the number of interfaces on the 515R to 3, but the release notes do not mention this at all. This has mostly been done because the 506 offers pretty much the same performance (I would not attempt more than 10mbps on a 515 anyway), so they are trying to sweeten up the 515 deal with more functionality.

--
Misha Govshteyn                          (p) (713) 407-7000 x120
Director, Advanced Technical Services    (f) (713) 407-7070
Insync Internet Services, Inc.           (e) misha at insync.net

On Thu, 6 Jul 2000, Stephen Hope wrote:

> Matt,
>
> You may be thinking of the older PIX variants, the 515 is a small
> size unit (same chassis as a cisco 2600 router).
>
> The PIX 515R (and the 515UR) has 2 * 10/100 Ethernet built into the
> chassis / base module - you only need cards if you want more interfaces.
>
> Only 1 port and 4 port 10/100 cards are supported in the 515UR,
> the stuff i have seen implies you may be able to use a 4 port card
> in a 515R with the new "add on" licence for a 3rd port, but only the
> 1 port card is explicitly mentioned.
>
> Stephen
>
> > -----Original Message-----
> > From: Mullen, Matt [mailto:Matt.Mullen at TEAMGDM.COM]
> > Sent: Wednesday, July 05, 2000 7:29 PM
> > To: VPN at SECURITYFOCUS.COM
> > Subject: Re: PIX 515R upgrade
> >
> > Here's a list of the add-on cards for the PIX from Cisco's web site:
> >
> > http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm#xtocid9055
> >
> > This document says you can only have 2 Ethernet interfaces on
> > the 515R, but it's possible Cisco can give you some sort of key to
> > enable a 3rd. If not then you will probably have to upgrade to the
> > Unrestricted software. I have added PIX-1FE (1 FastEthernet) to 515UR
> > with version 5.1(1). With the unrestricted software it is as easy as
> > shut it down, put card in, power back up. Hope this helps.
> >
> > Matt
> >
> > [Matthew Harkrider's original question of 4 July, quoted in full; snipped]

From rizal at MIMOS.MY Mon Jul 10 06:39:44 2000
From: rizal at MIMOS.MY (Mohammad Rizal Othman)
Date: Mon, 10 Jul 2000 18:39:44 +0800
Subject: IP-Granite
Message-ID: 

Has anybody used IP-Granite? We need to inter-operate OpenBSD 2.7 and IP-Granite, but so far failed to receive any proposal from the IP-Granite.
Just for the sake of information, IP-Granite was configured as a bridge with no IP address on the external interface. Perfection consists not in doing extraordinary things but in doing "ordinary things extraordinarily well." -- Antonio Stradivari VPN is sponsored by SecurityFocus.COM From cindy_slosar at YAHOO.CA Fri Jul 7 15:01:58 2000 From: cindy_slosar at YAHOO.CA (Cindy Slosar) Date: Fri, 7 Jul 2000 15:01:58 -0400 Subject: Uploading across the VPN Message-ID: <20000707190158.21987.qmail@web1505.mail.yahoo.com> Hi, I have a VPN set up using Windows 2000 Server at either end. I made a connection at each office using the "Make a new connection" wizard within Network and Dial-up Connections and shared it so all my users can use it. I am able to view files across the VPN and I'm also able to download files. However, if I try to copy a file from my office and upload it to a server at the other office, I get an error saying "Cannot copy filename: The specified network name is no longer available." Why am I able to download but not upload? I noticed that within my VPN connection properties, it says that the server type I am connecting to is a PPP server. Is this my problem? Shouldn't it be PPTP? How can I make the server a PPTP server? I know there are many questions. I thank you for your time to read and answer them. Thanks in advance, Cindy _______________________________________________________ Do You Yahoo!? Get your free @yahoo.ca address at http://mail.yahoo.ca VPN is sponsored by SecurityFocus.COM From evyncke at CISCO.COM Mon Jul 10 15:21:30 2000 From: evyncke at CISCO.COM (Eric Vyncke) Date: Mon, 10 Jul 2000 21:21:30 +0200 Subject: OSPF Routing In-Reply-To: Message-ID: <4.2.0.58.20000710211502.009f6790@brussels.cisco.com> Just a late reply... Actually, it is a pretty common configuration for large scale (100+) VPN. 
Using OSPF, or any other routing protocol, allows for:

- adding resilience and load balancing
- detecting failure of a remote peer (to avoid the issue of IKE keep-alives or enhanced ping or ...)
- adding some more dynamic changes (like addressing) without having to reconfigure the VPN

As I'm working for Cisco, I have only experience with Cisco routers, but the trick on our boxes is:

- define a tunnel interface (meaning using GRE encapsulation)
- protect the GRE tunnel by IPSec in transport mode (transport mode has much less overhead, and IPSec-transport+GRE has roughly the same overhead as IPSec-tunnel)
- run a routing process (can have multiple independent OSPF in the same box) which works only on the tunnel interface(s) and on the protected interface(s), NOT on the interface to the 'dirty' network
- run a routing process only on the 'dirty' interfaces (this can be as simple as a default static route!)

Works like a charm :-)

-eric

At 15:44 05/07/2000 +0200, Standen Malcolm - mlsa wrote:
>Has anybody any experience thoughts on using OSPF as the routing and advertising protocol in a VPN network, using the virtual interface to define/learn the routing for site-to-site multi-routed network traffic versus external non corporate traffic?
>
>Regards
>
>Malcolm

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677  Fax: +32-2-778.4300
E-mail: evyncke at cisco.com  Mobile: +32-75-312.458
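Eric's four-step recipe, written out as an added example configuration for one side of a two-site link. This is not code from Eric's post or from Cisco documentation; every address, interface name and the pre-shared key are constructed placeholders (192.0.2.1 is this router's outside address, 198.51.100.1 the peer's, 10.1.0.0/24 the protected LAN, 172.16.0.0/30 the tunnel link). The inbound filter on the dirty interface admits only IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) from the peer, which are the three things the firewall-to-firewall reply further down this digest says must be passed.

```cisco
! Site A gateway. Site B mirrors this configuration with the addresses swapped.
! All addresses, interface names and the pre-shared key are constructed placeholders.
!   192.0.2.1      this router's "dirty" (Internet) address
!   198.51.100.1   peer's dirty address = GRE tunnel destination
!   10.1.0.0/24    this site's protected LAN
!   172.16.0.0/30  GRE tunnel link
!
! --- Step 2: IKE and an IPsec transform set in TRANSPORT mode ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-REAL-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two tunnel endpoints are encrypted.
ip access-list extended GRE-TO-SITE-B
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TO-SITE-B
!
! Inbound filter for the dirty interface: only IKE (UDP 500), ESP (IP protocol 50)
! and AH (IP protocol 51) from the peer. AH is listed for completeness; the
! transform set above uses ESP only.
ip access-list extended DIRTY-IN
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 permit esp host 198.51.100.1 host 192.0.2.1
 permit ahp host 198.51.100.1 host 192.0.2.1
 deny   ip any any log
!
! --- Step 1: the GRE tunnel interface ---
interface Tunnel0
 description GRE to site B, carried inside IPsec transport mode
 ip address 172.16.0.1 255.255.255.252
 ! leave room for the GRE and ESP headers so large packets are not
 ! fragmented after encapsulation
 ip mtu 1400
 ip ospf network point-to-point
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 ! Older IOS releases need the crypto map on the tunnel as well as on the
 ! physical interface; newer ones apply it on the physical interface only.
 crypto map VPN
!
interface FastEthernet0/0
 description dirty (Internet-facing) interface
 ip address 192.0.2.1 255.255.255.0
 ip access-group DIRTY-IN in
 crypto map VPN
!
interface FastEthernet0/1
 description protected (inside) interface
 ip address 10.1.0.1 255.255.255.0
!
! --- Step 3: OSPF on the tunnel and the protected interface only ---
! The dirty interface is covered by no network statement, so neither
! 192.0.2.0/24 nor the peer's address is ever advertised or learned over the tunnel.
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
 passive-interface FastEthernet0/1
!
! --- Step 4: "routing" on the dirty side is a static default route ---
! The host route pins the tunnel destination to the ISP next hop so that no
! dynamically learned route can ever pull the tunnel's own packets into the tunnel.
ip route 198.51.100.1 255.255.255.255 192.0.2.254
ip route 0.0.0.0 0.0.0.0 192.0.2.254
```

The point of keeping the dirty interface out of the OSPF process, and of the host route to the peer, is the failure mode described earlier in this thread: if the route to the tunnel destination is ever learned through the tunnel itself (for example because OSPF also runs on the dirty side), the tunnel's own encapsulated packets are routed back into the tunnel. IOS detects this recursive routing, shuts the tunnel down, brings it back once the offending route has aged out, and the OSPF adjacency flaps with it, so the neighbors appear and disappear periodically. Keeping the outside addresses strictly under static routing removes the loop without any policy routing.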
From tbird at PRECISION-GUESSWORK.COM Mon Jul 10 13:08:12 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Mon, 10 Jul 2000 12:08:12 -0500
Subject: Linux Access to an Altiga C15 protected Network (fwd)
Message-ID: 

---------- Forwarded message ----------
Date: Fri, 7 Jul 2000 17:33:51 -0700
From: Nate Prodromou
To: tbird at precision-guesswork.com
Subject: Linux Access to an Altiga C15 protected Network

Hello Tina,

My company just purchased an Altiga VPN router to do SecureID for clients coming over the internet. It then does user authentication for our NT domain. I am wondering if there is a Linux client that can connect to the Altiga C15 and authenticate using an NT domain password. I believe that the Altiga product supports PPTP, but have no idea if the client listed on your page will allow it to authenticate into our domain.

I don't have a great deal of experience supporting Linux, but want to see if there is an answer that I can give to some of our designers here who want to access our internal network from their Linux machines at home. I'm not sure if it matters, but all of the interested parties are running Red Hat 6.2 at home.

Nathan A. Prodromou
Information Systems Support
Peregrine Semiconductor Corp
6175 Nancy Ridge Dr. Suite 100
San Diego, CA 92121
(858)455-0660 x184
Fax: 455-0770

From sandy at STORM.CA Mon Jul 10 15:57:05 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Mon, 10 Jul 2000 15:57:05 -0400
Subject: FW to FW vpns
References: <39674A46.B8EF2587@globeaccess.net>
Message-ID: <396A2A91.1890334@storm.ca>

Olivier Bekoin wrote:
>
> Hi,
>
> I have my VPN server behind my firewall I would like to know what ports
> for what protocols or what things I can do to allow firewall to firewall
> VPN to my 2 sites.
> Can any1 tell me > If it is an IPSEC VPN, you need to pass UDP port 500 for the IKE negotiations and at least one of protocols 50 (ESP) and 51 (AH). VPN is sponsored by SecurityFocus.COM From neil.ratzlaff at UCOP.EDU Mon Jul 10 15:14:19 2000 From: neil.ratzlaff at UCOP.EDU (Neil Ratzlaff) Date: Mon, 10 Jul 2000 12:14:19 -0700 Subject: need explanations In-Reply-To: <3967520D.AA69FE9E@globeaccess.net> Message-ID: <4.2.0.58.20000710121016.00a77100@popserv.ucop.edu> Any encryption can be broken/solved. The longer the key, the longer it is likely to take to break the encryption, though someone could get lucky and break the key on the first try. Example: for data that won't be important for more than a week, you can use a 56 bit key, but for data that is critical for years, use a 512 bit key. (I just picked key lengths out of the air.....) Neil At 04:08 PM 7/8/00 +0000, Olivier Bekoin wrote: >Hello, > >when i go to this page (http://www.data.com/article/DCM20000510S0053), >they write something that i don't understand. If you can give more >explainations, i >will be very happy >They write : "... and the typical time-sensitivity of the data(which >determines the key length required)." I don't understand the part of >this sentence which is in step 5, third line > >thanks > >olivier > >VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From sandy at STORM.CA Mon Jul 10 15:51:00 2000 From: sandy at STORM.CA (Sandy Harris) Date: Mon, 10 Jul 2000 15:51:00 -0400 Subject: need explanations References: <3967520D.AA69FE9E@globeaccess.net> Message-ID: <396A2924.25988598@storm.ca> Olivier Bekoin wrote: > > Hello, > > when i go to this page (http://www.data.com/article/DCM20000510S0053), > they write > something that i don't understand. If you can give more explainations, i > will > be very happy > They write : "... and the typical time-sensitivity of the data(which > determines the key length required)." 
> I don't understand the part of
> this sentence which is in step 5, third line

The idea is that you can use a shorter key length for data that need only be protected for a short time, reserving the strong security for data that needs long-term protection. If it doesn't matter whether an enemy gets yesterday's data, who cares if the cipher takes a month or an aeon to break?

I consider this idea bogus for several reasons.

First, larger key length does not imply higher overheads. Several common 128-bit ciphers (Blowfish, CAST-128, even IDEA which is the slowest of this group) are significantly faster than 56-bit DES, for example. Blowfish can use a 400-odd bit key at no extra cost, RC4 up to 2048. It isn't clear that this gains you anything over using a minimum secure key size, say 128 bits, but it costs nothing.

The only times the overheads of longer keys for a symmetric cipher are actually a concern are:

  if building large keys exhausts your supply of random numbers

  if you use triple DES, which actually does take three times the computation that DES does (and roughly 10 times CAST-128 or Blowfish)

Overheads are a concern with public key ciphers. There longer keys mean both more arithmetic and more security.

Second, you cannot predict what will be useful to an enemy, or how he or she will use it. There's a long history of intelligence folk deducing interesting things from apparently trivial data. Deny an enemy as much data as possible, just to be on the safe side.

In short, the notion that different symmetric key sizes should be used for different levels of security is a myth. The only reason there has ever been to use an inadequate key size was to comply with export restrictions.
From evyncke at CISCO.COM Mon Jul 10 15:31:47 2000
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Mon, 10 Jul 2000 21:31:47 +0200
Subject: need explanations
In-Reply-To: <3967520D.AA69FE9E@globeaccess.net>
Message-ID: <4.2.0.58.20000710212518.00a122d0@brussels.cisco.com>

There is a relation between the three quantities:
- key length
- lifetime
- price of the secret

The issue is that most (if not all) secrets have both a price for the secret owner and a duration:
- credit card: maximum amount + expiration date
- ...

Having the price and duration for your secret, you can then derive the key length. The larger the key, the longer the time needed by a cracker to crack your cipher text. 56 bits cost 250 kUSD in 1998 to break in 4 days.

Applying simple computation rules (if I did not make errors!):
- a 1 MUSD secret can be protected only for 1 day by 56-bit DES...
- a 1 kUSD secret can be protected only for 1 second by the old '40-bit DES' (2**40 keys to be tried instead of 2**56 keys => job is 2**16 = 65536 times easier)
- ...

The above explanation is somewhat over-simplified and the cost is assumed to follow Moore's law.

Hope this helps

-eric

At 16:08 08/07/2000 +0000, Olivier Bekoin wrote:
>Hello,
>
>when i go to this page (http://www.data.com/article/DCM20000510S0053),
>they write
>something that i don't understand. If you can give more explanations, i
>will
>be very happy
>They write : "... and the typical time-sensitivity of the data(which
>determines the key length required)."
I don't understand the part of >this sentence which is in step 5, third line > >thanks > >olivier > >VPN is sponsored by SecurityFocus.COM Eric Vyncke Senior Consulting Engineer Cisco Systems EMEA Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke at cisco.com Mobile: +32-75-312.458 VPN is sponsored by SecurityFocus.COM From jsdy at COSPO.OSIS.GOV Mon Jul 10 16:17:56 2000 From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao) Date: Mon, 10 Jul 2000 16:17:56 -0400 Subject: need explanations In-Reply-To: <3967520D.AA69FE9E@globeaccess.net>; from bekoin@globeaccess.net on Sat, Jul 08, 2000 at 04:08:46PM +0000 References: <3967520D.AA69FE9E@globeaccess.net> Message-ID: <20000710161756.D21001@washington.cospo.osis.gov> On Sat, Jul 08, 2000 at 04:08:46PM +0000, Olivier Bekoin wrote: > when i go to this page (http://www.data.com/article/DCM20000510S0053), > they write > something that i don't understand. If you can give more explainations, i > will > be very happy > They write : "... and the typical time-sensitivity of the data(which > determines the key length required)." I don't understand the part of > this sentence which is in step 5, third line This article was by Tina Bird! But she has not yet responded. I would guess that this only refers to time sensitivity in real-time applications. I.e., you would NOT want to do an encryption that takes a lot of time on a line monitoring someone's pulse! On the other hand, the same computation might be perfectly valid for data that can wait a minute, e.g., stock quotes, racetrack results, and other like items. -- Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao COSPO/OSIS Computer Support EMT-B ----------------------------------------------------------------------- This message is not an official statement of COSPO policies. 
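Eric Vyncke's cost argument two messages up, carried through as an added derivation that is not part of any message in this thread. His 1998 data point (56 bits, 250 kUSD, 4 days) and his stated assumptions are used: brute-force time grows with the keyspace $2^k$, shrinks in proportion to the attacker's budget (key search parallelizes perfectly), and halves every 18 months under Moore's law. The symbols $k$ (key length in bits), $B$ (budget, taken equal to the price of the secret), $y$ (year of the attack), $L$ (required lifetime) and $T$ (expected time to exhaust the keyspace) are mine, as is the 18-month doubling period.

Calibrating on the data point $(k_0, B_0, T_0, y_0) = (56,\ 2.5\times 10^{5}\ \mathrm{USD},\ 4\ \mathrm{days},\ 1998)$:

$$T(k, B, y) \;=\; T_0 \cdot 2^{\,k - k_0} \cdot \frac{B_0}{B} \cdot 2^{-(y - y_0)/1.5}$$

Check against the first bullet of the post, a 1 MUSD secret under 56-bit DES in 1998:

$$T(56,\ 10^{6},\ 1998) \;=\; 4\ \mathrm{days} \cdot 2^{0} \cdot \frac{2.5\times 10^{5}}{10^{6}} \cdot 2^{0} \;=\; 1\ \mathrm{day}$$

Inverting the same relation gives the quantity the post says you can derive: the key length needed so that a secret worth $B$ stays protected for its lifetime $L$, i.e. the smallest integer $k$ with $T(k, B, y) \ge L$:

$$k \;\ge\; k_0 \;+\; \log_2\frac{L}{T_0} \;+\; \log_2\frac{B}{B_0} \;+\; \frac{y - y_0}{1.5}$$

Worked instance: a 1 MUSD secret that must hold for 10 years ($L \approx 3653$ days) against an attack starting in 2000:

$$k \;\ge\; 56 + \log_2 913.25 + \log_2 4 + \frac{2}{1.5} \;\approx\; 56 + 9.83 + 2 + 1.33 \;=\; 69.2 \quad\Rightarrow\quad k \ge 70\ \mathrm{bits}$$

The Moore's-law term is evaluated at the start year only; over a ten-year lifetime the attacker's hardware keeps improving, so a figure from this model is a floor, not a target.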
VPN is sponsored by SecurityFocus.COM From evyncke at CISCO.COM Mon Jul 10 15:25:10 2000 From: evyncke at CISCO.COM (Eric Vyncke) Date: Mon, 10 Jul 2000 21:25:10 +0200 Subject: FW to FW vpns In-Reply-To: <39674A46.B8EF2587@globeaccess.net> Message-ID: <4.2.0.58.20000710212430.00a1ac20@brussels.cisco.com> I guess we need to know what kind of protocols is used by your VPN :-) IPSec+IKE, PPTP+MPPE, GRE, Xyzzy, ... Regards -eric At 15:35 08/07/2000 +0000, Olivier Bekoin wrote: >Hi, > >I have my VPN server behind my firewall I would like to know what ports >for what protocols or what things I can do to allow firewall to firewall >VPN to my 2 sites. >Can any1 tell me > >Thanks in advance > >Olivier > >VPN is sponsored by SecurityFocus.COM Eric Vyncke Senior Consulting Engineer Cisco Systems EMEA Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke at cisco.com Mobile: +32-75-312.458 VPN is sponsored by SecurityFocus.COM From vector at BELLSOUTH.NET Mon Jul 10 15:08:26 2000 From: vector at BELLSOUTH.NET (Vector '00 (The Millenium Edition)) Date: Mon, 10 Jul 2000 14:08:26 -0500 Subject: VPN Help! Message-ID: <396A1F2A.7E862FA8@bellsouth.net> I am looking for some VPN help, I have the configuration of the VPN down pat, but I have a Raptor Firewall 6.0 for NT with VPN support in the "way" of the VPN. There is an NT Workstation Box, which is the Firewall that's connected directory to a T1, then the Primary Domain Controller, which will be the VPN server is behind the Firewall. Can someone please help me (respond directly to this address) on how to setup a basic Microsoft VPN through the Raptor Firewall with this setup. I can provide any information about the system that anyone needs. :) Thank you for your support and help in advance! 
-- ===.oO0 vector at bellsouth.net 0Oo.=== === http://www.bard.net/supra-owners/vector89t === -- 1989 "Please Gimme a Ticket Red" Turbo 1987 "Almost DeLorean Silver" N/A 1984 "Gee, I shouldn't of hit the bus" 200SX Turbo -- "The Toyota Supra Turbo ... ... anything else, is just traffic!" VPN is sponsored by SecurityFocus.COM From kemp at INDUSRIVER.COM Mon Jul 10 15:58:22 2000 From: kemp at INDUSRIVER.COM (Brad Kemp) Date: Mon, 10 Jul 2000 15:58:22 -0400 Subject: need explanations In-Reply-To: <3967520D.AA69FE9E@globeaccess.net> Message-ID: <3.0.3.32.20000710155822.009e9280@pop3.indusriver.com> Time-sensitivity of encrypted data refers to how long it is important the data remain encrypted. For instance since some stock quote vendors sell real-time stock quotes and give away stock quotes that are delayed 15 minutes, it is important for them that their data cannot be decrypted in less than 15 minutes. (Single DES is probobly good enough for them). Other traffic such as bank transactions need to be undecipherable for a much longer period of time, therefore a longer key size is required. With some cyphers a longer key means more CPU cycles needed to encrypt and decrypt. Other cyphers (mostly stream cyphers) do not have a penalty associated with longer key sizes. Brad At 04:08 PM 7/8/00 +0000, Olivier Bekoin wrote: >Hello, > >when i go to this page (http://www.data.com/article/DCM20000510S0053), >they write >something that i don't understand. If you can give more explainations, i >will >be very happy >They write : "... and the typical time-sensitivity of the data(which >determines the key length required)." I don't understand the part of >this sentence which is in step 5, third line > >thanks > >olivier > >VPN is sponsored by SecurityFocus.COM > --- -- -- Brad Kemp Indus River Networks, Inc. 
BradKemp at indusriver.com 31 Nagog Park 978-266-8122 Acton, MA 01720 fax 978-266-8111 VPN is sponsored by SecurityFocus.COM From darrinm at MMINTERNET.COM Tue Jul 11 17:08:06 2000 From: darrinm at MMINTERNET.COM (Darrin Mourer) Date: Tue, 11 Jul 2000 14:08:06 -0700 Subject: need explanations References: <3967520D.AA69FE9E@globeaccess.net> <396A2924.25988598@storm.ca> Message-ID: <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com> I'm researching the different types of encryption available for VPN's and there doesn't seem to be any good single point of reference for this exact type of information on bandwidth cost, comparisons, and cryptoanalysis tests/results. Any suggestions? tia darrin darrinm at mminternet.com ----- Original Message ----- From: Sandy Harris To: Sent: Monday, July 10, 2000 12:51 PM Subject: Re: need explanations > Olivier Bekoin wrote: > > > > Hello, > > > > when i go to this page (http://www.data.com/article/DCM20000510S0053), > > they write > > something that i don't understand. If you can give more explainations, i > > will > > be very happy > > They write : "... and the typical time-sensitivity of the data(which > > determines the key length required)." I don't understand the part of > > this sentence which is in step 5, third line > > The idea is that you can use a shorter key length for data that need > only be protected for a short time, reserving the strong security for > data that needs long-term protection. If it doesn't matter whether an > enemy gets yesterday's data, who cares if the cipher takes a month or > an aeon to break? > > I consider this idea bogus for several reasons. > > First, larger key length does not imply higher overheads. Several common > 128-bit ciphers (Blowfish, CAST-128, even IDEA which is the slowest of > this group) are significantly faster than 56-bit DES, for example. > Blowfish can use a 400-odd bit key at no extra cost, RC4 up to 2048. 
> It isn't clear that this gains you anything over using a minimum
> secure key size, say 128 bits, but it costs nothing.
>
> The only times the overheads of longer keys for symmetric cipher are
> actually a concern are:
>
> if building large keys exhausts your supply of random numbers
>
> if you use triple DES, which actually does take three times the
> computation that DES does (and roughly 10 times CAST-128 or Blowfish)
>
> Overheads are a concern with public key ciphers. There longer keys
> mean both more arithmetic and more security.
>
> Second, you cannot predict what will be useful to an enemy, or how
> he or she will use it. There's a long history of intelligence
> folk deducing interesting things from apparently trivial data.
> Deny an enemy as much data as possible, just to be on the safe
> side.
>
> In short, the notion that different symmetric key sizes should be
> used for different levels of security is a myth. The only reason
> there has ever been to use an inadequate key size was to comply
> with export restrictions.


From shope at ENERGIS-EIS.CO.UK Tue Jul 11 13:09:54 2000
From: shope at ENERGIS-EIS.CO.UK (Stephen Hope)
Date: Tue, 11 Jul 2000 18:09:54 +0100
Subject: PIX 515R upgrade
Message-ID: <01903665B361D211BF6700805FAD5D935919F2@mail.datarange.co.uk>

Misha,

one of our sister companies uses 515UR resilient pairs to protect web farms - they seem happy that they can fill a 100M port (they use this for tape backup in some cases).

515R has the same performance - the difference in memory size only affects the number of simultaneous sessions.

Stephen

> -----Original Message-----
> From: Misha [mailto:misha at INSYNC.NET]
> Sent: Friday, July 07, 2000 8:39 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: PIX 515R upgrade
>
> We actually tried the 4 port card in the 515R with v5.12 and came up with a license restriction. The software may sense more than 3 interfaces though and raise red flags on that. Has anyone tried a Pix 515R, v5.12 and 3 interfaces yet?
>
> Just to clarify things, Cisco did promise that 5.12 will expand the number of interfaces on the 515R to 3, but the release notes do not mention this at all. This has mostly been done because the 506 offers pretty much the same performance (I would not attempt more than 10mbps on a 515 anyway), so they are trying to sweeten up the 515 deal with more functionality.
>
> --
> Misha Govshteyn                             (p) (713) 407-7000 x120
> Director, Advanced Technical Services       (f) (713) 407-7070
> Insync Internet Services, Inc.              (e) misha at insync.net
>
> On Thu, 6 Jul 2000, Stephen Hope wrote:
>
> > Matt,
> >
> > You may be thinking of the older PIX variants; the 515 is a small size unit (same chassis as a cisco 2600 router).
> >
> > The PIX 515R (and the 515UR) has 2 * 10/100 Ethernet built into the chassis / base module - you only need cards if you want more interfaces.
> >
> > Only 1 port and 4 port 10/100 cards are supported in the 515UR; the stuff I have seen implies you may be able to use a 4 port card in a 515R with the new "add on" licence for a 3rd port, but only the 1 port card is explicitly mentioned.
> >
> > Stephen
> >
> > > -----Original Message-----
> > > From: Mullen, Matt [mailto:Matt.Mullen at TEAMGDM.COM]
> > > Sent: Wednesday, July 05, 2000 7:29 PM
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: Re: PIX 515R upgrade
> > >
> > > Here's a list of the add-on cards for the PIX from Cisco's web site:
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/pcat/fw.htm#xtocid9055
> > >
> > > This document says you can only have 2 Ethernet interfaces on the 515R, but it's possible Cisco can give you some sort of key to enable a 3rd. If not then you will probably have to upgrade to the Unrestricted software. I have added PIX-1FE (1 FastEthernet) to 515UR with version 5.1(1). With the unrestricted software it is as easy as shut it down, put card in, power back up. Hope this helps.
> > >
> > > Matt
> > >
> > > -----Original Message-----
> > > From: Matthew Harkrider [mailto:mhark at INSYNC.NET]
> > > Sent: Tuesday, July 04, 2000 12:48 AM
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: PIX 515R upgrade
> > >
> > > Anyone have any information about the 3rd interface upgrade on the PIX 515R? What card is needed, software activation, etc? Any info. would be greatly appreciated.
> > >
> > > Regards,
> > > Matthew
> >
> > -----------------------------------------------------------------------------------------------------------
> > This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
> >
> > We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us.
> >
> > If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
> > -----------------------------------------------------------------------------------------------------------

-----------------------------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of Energis Integration Services. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited.

We have an anti-virus system installed on all our PC's and therefore any files leaving us via e-mail will have been checked for known viruses. Energis Integration Services accepts no responsibility once an e-mail and any attachments leave us.

If you have received this email in error please notify Energis Integration Services Communications IT department on +44 (0) 1494 476222.
-----------------------------------------------------------------------------------------------------------


From chavdar.parvanov at GOCIS.BG Tue Jul 11 02:37:26 2000
From: chavdar.parvanov at GOCIS.BG (Chavdar Parvanov)
Date: Tue, 11 Jul 2000 09:37:26 +0300
Subject: global one vpn
Message-ID: <006001bfeb02$849b5ea0$2b10a8c0@tcenter.gocis.bg>

Does anybody have impressions of Global One MPLS VPN? What do you think of it?

regards,
Chavdar Parvanov
GOCIS Ltd


From bekoin at GLOBEACCESS.NET Wed Jul 12 14:04:03 2000
From: bekoin at GLOBEACCESS.NET (Olivier Bekoin)
Date: Wed, 12 Jul 2000 18:04:03 +0000
Subject: L2TP/IPSec configuration
Message-ID: <396CB313.51EAF67C@globeaccess.net>

I want to implement the L2TP/IPSec protocol on my Windows 2000 server, which will be my VPN server. If someone has already done this, can he share his experience?

Thanks


From sandy at STORM.CA Wed Jul 12 16:36:38 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Wed, 12 Jul 2000 16:36:38 -0400
Subject: need explanations
References: <3967520D.AA69FE9E@globeaccess.net> <396A2924.25988598@storm.ca> <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com>
Message-ID: <396CD6D6.BBA30BE7@storm.ca>

Darrin Mourer wrote:
>
> I'm researching the different types of encryption available for VPNs and
> there doesn't seem to be any good single point of reference for this exact
> type of information on bandwidth cost, comparisons, and cryptanalysis
> tests/results. Any suggestions?

VPN Consortium at www.vpnc.org has a lot of good links.

My link collections for IPSEC and for more general crypto and security:

http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/links.ipsec.html
http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/links.crypto.html

The standard reference sites are COAST for computer security and Peter Gutmann for crypto. Everything worth finding should be within a couple of links of them. Links to them are in the above pages.
From tbird at PRECISION-GUESSWORK.COM Wed Jul 12 18:19:14 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Wed, 12 Jul 2000 17:19:14 -0500
Subject: need explanations
In-Reply-To: <396CD6D6.BBA30BE7@storm.ca>
Message-ID:

There are links to a couple of good performance tests from the "General" page on the VPN web site:

http://kubarb.phsx.ukans.edu/~tbird/vpn.html

cheers -- tbird

On Wed, 12 Jul 2000, Sandy Harris wrote:

> Date: Wed, 12 Jul 2000 16:36:38 -0400
> From: Sandy Harris
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: need explanations
>
> Darrin Mourer wrote:
> >
> > I'm researching the different types of encryption available for VPNs and
> > there doesn't seem to be any good single point of reference for this exact
> > type of information on bandwidth cost, comparisons, and cryptanalysis
> > tests/results. Any suggestions?
>
> VPN Consortium at www.vpnc.org has a lot of good links.
>
> My link collections for IPSEC and for more general crypto and security:
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/links.ipsec.html
> http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/links.crypto.html
>
> The standard reference sites are COAST for computer security and
> Peter Gutmann for crypto. Everything worth finding should be within
> a couple of links of them. Links to them are in the above pages.

"Doubt is an uncomfortable situation, but certainty is an absurd one." -- Voltaire


From MuniX-1 at PACBELL.NET Thu Jul 13 00:09:43 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 12 Jul 2000 21:09:43 -0700
Subject: need explanations
References: <3967520D.AA69FE9E@globeaccess.net> <396A2924.25988598@storm.ca> <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com>
Message-ID: <396D4107.E6EC46B7@pacbell.net>

There is so much information about cryptography out there that it will take a lifetime to study it all...

Start with "Applied Cryptography" by Bruce Schneier.

Bandwidth cost? Mmmm... try your ISP.

And so you know, the results are quite null... Some encryption algorithms have not been broken and they probably won't be in your lifetime!!

I would research implementations rather than cryptanalysis; I think that is the weakest point.

Cheers....

Jose Muniz

Darrin Mourer wrote:
>
> I'm researching the different types of encryption available for VPNs and
> there doesn't seem to be any good single point of reference for this exact
> type of information on bandwidth cost, comparisons, and cryptanalysis
> tests/results. Any suggestions?
>
> tia
> darrin
> darrinm at mminternet.com


From carlsonmail at YAHOO.COM Thu Jul 13 09:29:13 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Thu, 13 Jul 2000 06:29:13 -0700
Subject: global one vpn
Message-ID: <20000713132913.7016.qmail@web2304.mail.yahoo.com>

Chavdar,

I'm not sure specifically what Global One's service actually is, but you should know that MPLS doesn't specify encryption itself.

MPLS (Multi-Protocol Label Switching) is where an edge device tags an IP packet so other MPLS-aware routers can transparently route it like a VC, apply QoS to it, and do other funky things. It can almost appear like a bridge since multiple hops through MPLS routers appear to be like one hop from the edge device on one end to the edge device on the other end.

If your requirements of a VPN include encryption, message integrity, and authentication, then MPLS alone won't do it.

That said, however, many companies (including my own) are building MPLS backbones to enable QoS and SLAs for encrypted VPN traffic.

In that case, rate the service on the merits of the VPN solution itself and drive hard into what their MPLS network is really giving you.

Good luck.
Chris
--

--- Chavdar Parvanov wrote:
> Does anybody have impressions of Global One MPLS VPN?
> What do you think of it?
>
> regards,
> Chavdar Parvanov
> GOCIS Ltd


From bet at RAHUL.NET Thu Jul 13 11:09:00 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Thu, 13 Jul 2000 11:09:00 -0400
Subject: need explanations
In-Reply-To: <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com>; from darrinm@MMINTERNET.COM on Tue, Jul 11, 2000 at 02:08:06PM -0700
References: <3967520D.AA69FE9E@globeaccess.net> <396A2924.25988598@storm.ca> <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com>
Message-ID: <20000713110900.B489@oven.com>

2000-07-11-17:08:06 Darrin Mourer:
> I'm researching the different types of encryption available for
> VPNs and there doesn't seem to be any good single point of
> reference for this exact type of information on bandwidth cost,
> comparisons, and cryptanalysis tests/results. Any suggestions?

Bruce Schneier's "Applied Cryptography" should probably be your starting point. It's a really good review of the field.

But I can sum it up for you. To a useful approximation, the _major_ cryptographic algorithms can be partitioned a few ways, on a few different criteria, and that provides all the understanding a consumer of crypto needs.

First off, there is algorithm type:

- Symmetric cypher: takes a "key", which is a secret, and uses it to scramble some data. The same key can then be used to undo the scramble and recover the original data. Modern ones are very very fast, to the point of a handful of clock cycles per byte encrypted. Keys end up needing to be brute forced; well-designed cyphers provide no easier way to crack a key.

- Asymmetric cypher, also called Public Key cryptosystem: uses two keys. One encrypts, the other decrypts. It could be, depending on the algorithm, that _either_ key can encrypt and the other be used to decrypt. One of the keys can be published, and the other cannot be deduced from it. These are very slow to encrypt and decrypt, and the key sizes needed are huge; the sorts of problems used to produce these remarkable cyphers leave key-cracking techniques that are like factoring primes: their difficulty grows with keysize, but not nearly as fast as brute-force. These performance costs mean that asymmetric cyphers are used to encrypt small, fixed-length blocks which are then used in other ways. To encrypt a bulk file, the encryptor will generate a random key for a symmetric cypher, encrypt the random key with the public-key algorithm, then use the symmetric cypher to encrypt the data. For digital signatures, the signer will encrypt a cryptographic hash (see next category).

- Cryptographic hash, AKA message digest: this is a function that takes an arbitrary-length block of input, and produces a compact fixed-length output. It has the property that the output is too long for someone to randomly try creating inputs until they find one whose hash matches a specific chosen hash (brute force attack), and that the output reveals nothing of the input. There's no algorithmic way to compute a modification needed to make a given input match a given hash; holding a hash in your possession reveals nothing about the input that produced that hash.

These are the basic algorithmic building blocks; crypto _protocols_ are then assembled from these. A protocol is a series of operational steps involving passing messages, applying various cryptographic algorithms, generating random bits, comparing things, etc. It provides a specific high-level function, like e.g. "secure email", "secure web browsing", or "VPN tunnel".

Besides the classification of _type_ of algorithm (symmetric, asymmetric, or hash), there are a couple of other criteria to classify crypto. The next most obvious and straightforward applies to the cyphers each in their own way, and in a sense to the hashes as well, and that is key size.

For symmetric cyphers, where the only way to try and crack the cypher is brute force, 128 bits is sufficient. Nothing wrong with having more, it's just not needed. 64 bits is not sufficient.

The asymmetric algorithms are a little harder to blanket with such sweeping statements, since they have different scaling of difficulty as a function of keysize from one algorithm to the next. The most-discussed such algorithm would be RSA. Today a 1024-bit RSA key hasn't been broken, but at the rate things are progressing it's not outlandish to fantasize that one might be. 2048-bit RSA keys are comparable in strength to 128-bit symmetric keys: they won't be cracked unless some revolution completely changes the rules --- a possibility that hasn't been proven impossible for any of the asymmetric cryptosystems.

As for crypto hashes, the equivalent concept to key length is hash size; assuming the hash itself is strong, it just needs to produce at least 128 bits of output and nobody will succeed in "breaking" it (finding a second input that matches an output produced by some other input).

The final basis for comparing crypto is I think the one you really meant, and interestingly it's the least prominent or interesting in protocol and software engineering today: that's the actual quality of the various algorithms. Cryptanalysts like Bruce Schneier specialize in that work; the rest of us just build on their efforts. There are a handful of algorithms in each category that rule. New algorithms are added to the stable at a very slow and measured pace; old algorithms are evicted, although only rarely.

Today you can encrypt with Triple-DES, IDEA, Blowfish, or a few other algorithms, with confidence that the cryptosystem itself won't fail you; if you have a problem it'll lie elsewhere, like in key management. IDEA is patented, so people these days tend towards other cyphers. The AES project is pursuing a successor to DES, and at this point it probably wouldn't be too dumb if you were to use any of the surviving AES candidates.

You can get a big help in key management by using a good asymmetric cryptosystem; RSA, based on factoring numbers that are the product of two large primes, has been the most popular for some time, it's probably the most intensely analyzed of the lot, and since its patent expires in just over 11 weeks, the final big barrier to using it is falling at last. Meanwhile Diffie-Hellman, an older algorithm, has had its patent expire already, so people are using that rather a lot these days. Diffie-Hellman is based on discrete logarithms; a variant over elliptic fields is being pushed by folks like some smart-card vendors, since to date people haven't been as successful in attacking its keys, and so at least today it seems to be able to get by with far shorter keys. Time will tell whether Diffie-Hellman over elliptic fields is _actually_ stronger with shorter key lengths, or whether that apparent strength fades as the mathematics of the system are better studied.

And there are a couple of hashes that command most of the respect. The old favourite was MD5, but as it has been more and more closely analyzed, people have found theoretical potential for believing it may have weaknesses (specifically, "weakened" variants of it have been shown to have more problems than analysts would ideally like), and so a newer one called SHA has gained much favour.

Now with that sort of picture of the field, it becomes obvious that crypto algorithms are easy, a done deal, as far as us consumers are concerned. Pick one from column A and two from column B. Do not even consider any crypto algorithm, or any package that uses one, that's not a name-brand algorithm from the short list. Done.

Where the work remains most active is in crypto protocol design: how the algorithms are being used. In the specific setting of VPN choice, this really narrows things down all the way. You do _Not_ want to waste your effort on a VPN whose crypto isn't built with name-brand algorithms. That doesn't end up ruling out anything of course:-). So this means you want either (a) a VPN whose crypto protocol is utterly trivial, or (b) one whose protocol has been subject to really protracted and extensive public scrutiny, and has held up to it. There are plenty of examples of category (a); commercial and open-source software packages, and hardware boxes, that use a well-known simple symmetric cypher to protect the traffic, with pre-arranged keys (i.e. manual key setup, shared secret). In category (b), there are two noteworthy examples; IPSec, which is also the crypto protocol suite for ipv6, is a well-analyzed multi-vendor standard. It's a little more complex than might be ideal for some applications, but then it's intended to be able to address _all_ applications, so that explains away the complexity:-). Then of course Microsoft came out with their own solution, PPTP, and it's as good as you'd expect. It's been repeatedly analyzed and found wanting; see .

-Bennett
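Bennett's description of how the three algorithm types fit together (a random symmetric key protects the bulk data, the public-key cypher wraps only that small key, and the signature is made over a hash rather than over the data) is the hybrid construction that every modern protocol on this list uses. The Go program below is an added example written for this archive, not code from the thread or from any product mentioned in it. It uses only Go's standard library: RSA-OAEP for the key wrap, AES-GCM for the bulk data, and RSA-PSS over a SHA-256 digest for the signature. The `Envelope` type and the `Seal`/`Open` names are chosen here.

```go
// Added example: Bennett's hybrid construction with Go's standard library.
// Envelope, Seal and Open are names chosen for this example.
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over the wire: the random AES key wrapped with
// the recipient's RSA public key, the AES-GCM nonce and ciphertext, and the
// sender's signature over a SHA-256 digest of those three fields.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

// digest hashes the fields the signature must cover; the signer never
// signs the bulk data directly, only this fixed-length value.
func digest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Seal encrypts plaintext for recipient and signs the result with sender.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	// 1. Fresh 128-bit symmetric key for this message only.
	key := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	// 2. Bulk data under the fast symmetric cypher (GCM also authenticates it).
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// 3. The slow public-key cypher encrypts only the small symmetric key.
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil); err != nil {
		return nil, err
	}
	// 4. Sign the hash of everything, not the data itself.
	e.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(e), nil)
	return e, err
}

// Open checks the signature first, then unwraps the key and decrypts.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(e), e.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: " + err.Error())
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // sender
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)   // recipient
	env, err := Seal([]byte("constructed sample payload"), &bob.PublicKey, alice)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%q %v\n", pt, err)
}
```

The order inside `Open` is the part worth noticing: the signature is verified before any decryption is attempted, so a tampered envelope is rejected without the private RSA key ever being applied to attacker-chosen bytes. The 2048-bit RSA and 128-bit AES sizes match the equivalence Bennett gives.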
From bet at RAHUL.NET Thu Jul 13 15:18:10 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Thu, 13 Jul 2000 15:18:10 -0400
Subject: need explanations
In-Reply-To: <20000713110900.B489@oven.com>; from bet@RAHUL.NET on Thu, Jul 13, 2000 at 11:09:00AM -0400
References: <3967520D.AA69FE9E@globeaccess.net> <396A2924.25988598@storm.ca> <003e01bfeb7c$1c41f560$8a04b3d0@b2bstores.com> <20000713110900.B489@oven.com>
Message-ID: <20000713151810.H4230@oven.com>

2000-07-11-17:08:06 Darrin Mourer:
> I'm researching the different types of encryption available for
> VPNs and there doesn't seem to be any good single point of
> reference for this exact type of information on bandwidth cost,
> comparisons, and cryptanalysis tests/results. Any suggestions?

It's always bad form to follow up your own posts, but as usual in such cases, when I read my followup I realized that I hadn't addressed much of the question as posed.

In terms of bandwidth cost, it shouldn't be much for any VPN; a reasonable VPN design might compress the data before encrypting it, partly for the performance win and partly to make cryptanalysis harder still. If so, then there should be a bandwidth win to the VPN, unless it's carried over links that would otherwise compress the traffic, in which case the bandwidth consumption difference should be negligible. If on the other hand the VPN does not compress the payload, and something else on the links would have compressed the traffic if it could have, then the incompressibility of encrypted traffic would be a bandwidth hit, whose severity would be the compression efficiency that has been lost. Real-time stream compression algorithms, suitable for link-level compression, rarely exceed 2:1 unless the underlying traffic happens to be unusually compressible --- big blocks of NULs or whatever. So there can be a hit in this one case, usually not too awful.

Rather than bandwidth the question might be performance. For speeds in excess of DS3 (c. 45Mbps), an exceptionally good implementation of crypto on an exceptionally hot processor might be needed, or a hardware implementation might be in order. These are available. In the neighborhood of 10Mbps--DS3, I'd expect a decent implementation on a modern CPU to keep up no problems. Below 10Mbps there shouldn't be a performance issue with the crypto.

Then there's the overall performance of the VPN solution. The single most critical factor I know of in that topic is nicely, even elegantly addressed in the article "Why TCP Over TCP Is A Bad Idea", available from . Don't look to PPP-over-ssh, vpnd, or any other solution that tunnels IP over a TCP link to do VPN, if performance is a concern --- unless the underlying link has nearly perfectly consistent and uniform performance with negligible losses or variations in latency. I.e. it may be reasonable on a purely dedicated link, if you can actually find a competent provider to buy your bandwidth from, but don't try it over the internet:-).

As for cryptanalysis, that would divide into two parts; the algorithms and protocols used should be worthy (that's the only thing I addressed in my previous tract), and the implementation needs to be good. When I want a good implementation, I go to open source, since there's at least a chance that the code in question might actually get the auditing it seriously needs. Other people look for their reassurance in other ways.

-Bennett
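Bennett's bandwidth argument is easy to check empirically: compressing before encrypting shrinks repetitive traffic, whereas a link-level compressor that sees only ciphertext gains nothing and pays a little overhead. The Go program below is an added example for this archive, not code from the thread; gzip stands in for either compressor, AES-CTR stands in for the tunnel cypher (chosen because its output is exactly the input length, which keeps the byte accounting readable; a real tunnel such as ESP adds headers and integrity data), and the sample payload is constructed here.

```go
// Added example: byte accounting for compress-then-encrypt versus
// encrypt-then-compress. gzip, AES-CTR and the payload are stand-ins
// chosen for this example.
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"strings"
)

// gzipBytes plays the role of a stream compressor, whether inside the VPN
// or on the link underneath it.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// encryptCTR encrypts data with AES-128-CTR under a fresh random key and
// IV and returns iv||ciphertext. The key is thrown away: we only care
// about the size and the incompressibility of the output here.
func encryptCTR(data []byte) []byte {
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	io.ReadFull(rand.Reader, key)
	io.ReadFull(rand.Reader, iv)
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return append(iv, out...)
}

// Sizes is the number of bytes that reach the wire under each ordering.
type Sizes struct {
	Plain               int
	CompressThenEncrypt int // the VPN compresses its payload, then encrypts
	EncryptThenCompress int // the VPN encrypts; a link compressor sees ciphertext
}

// Measure computes both orderings for one payload.
func Measure(payload []byte) Sizes {
	return Sizes{
		Plain:               len(payload),
		CompressThenEncrypt: len(encryptCTR(gzipBytes(payload))),
		EncryptThenCompress: len(gzipBytes(encryptCTR(payload))),
	}
}

// SamplePayload is constructed, highly repetitive traffic (a burst of
// near-identical HTTP requests), the kind a link compressor would help.
func SamplePayload() []byte {
	return []byte(strings.Repeat("GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n\r\n", 200))
}

func main() {
	s := Measure(SamplePayload())
	fmt.Printf("plain=%d compress-then-encrypt=%d encrypt-then-compress=%d\n",
		s.Plain, s.CompressThenEncrypt, s.EncryptThenCompress)
}
```

On the constructed payload the first ordering sends a small fraction of the plaintext size, while the second sends slightly more than the plaintext, because gzip falls back to stored blocks on data it cannot compress and still adds its own header and trailer. One caveat that post-dates this thread: when attacker-influenced data is compressed before encryption, the ciphertext length leaks information about the plaintext (the CRIME and BREACH attacks against TLS), so the "makes cryptanalysis harder" part of the argument should not be relied on; treat payload compression as a bandwidth decision.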
Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000713/354a35cb/attachment.pgp From roland.moos at DANET-CONSULT.DE Fri Jul 14 04:06:47 2000 From: roland.moos at DANET-CONSULT.DE (Roland Moos) Date: Fri, 14 Jul 2000 10:06:47 +0200 Subject: AW: global one vpn Message-ID: <9CCBB97BDC27D311A46900A0C9EBE2A104AD7D@intranet.danet-consult.de> Hi, I do not know many specifics about GO Intranet VPN service. I know from a reliable source, that the service was announced in August 1999 first, but could not be implemented due to software problems, so actually October/November 1999 was the date of establischment. GO's VPN service is MPLS based, thats true, but I think it is based on CISCO Tag Switching rather than true MPLS. I had a project, where a customer wanted to replace its leased line backbone an required high bandwidth. GO is restricted to 2 Mbps access speed, which was not sufficient in this project. So if you consider GO, ask about possible access speeds. GO uses "MPLS", but does a few month ago not consider IPSec for its service, so encryption and authentication can not be supported by GO. Ask this also, if still philosophy. Hope this helps. Regards Roland Moos Senior Consultant -----Urspr?ngliche Nachricht----- Von: Chris Carlson [mailto:carlsonmail at YAHOO.COM] Gesendet am: Donnerstag, 13. Juli 2000 15:29 An: VPN at SECURITYFOCUS.COM Betreff: Re: global one vpn Chavdar, I'm not sure specifically what Global One's service actually is, but you should know that MPLS doesn't specify encryption itself. MPLS (Multi-Protocol Label Switching) is where an edge device tags an IP packet so other MPLS-aware routers can transparently route it like a VC, apply QoS to it, and do other funky things. It can almost appear like a bridge since multiple hops through MPLS routers appear to be like one hop from the edge device on one end to the edge device on the other end. 
If your requirements of a VPN include encryption, message integrity, and authentication, then MPLS alone won't do it. That said, however, many companies (inlcuding my own) are building MPLS backbones to enable QoS and SLAs for encrypted VPN traffic. In that case, rate the service on the merits of the VPN solution itself and drive hard into what their MPLS network is really giving you. Good luck. Chris -- --- Chavdar Parvanov wrote: > Does anybody has impressions of Global One MPLS VPN? > What do you think of it. > > regards, > Chavdar Parvanov > GOCIS Ltd > > __________________________________________________ Do You Yahoo!? Get Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ VPN is sponsored by SecurityFocus.COM VPN is sponsored by SecurityFocus.COM From evyncke at CISCO.COM Fri Jul 14 14:42:54 2000 From: evyncke at CISCO.COM (Eric Vyncke) Date: Fri, 14 Jul 2000 20:42:54 +0200 Subject: global one vpn In-Reply-To: <20000713132913.7016.qmail@web2304.mail.yahoo.com> Message-ID: <4.2.0.58.20000714204032.00a00800@brussels.cisco.com> May I add a few words on Chris' valid comments ? MPLS VPN adds value to the plain MPLS by allowing multiple networks (with their own IP addressing) to share the same MPLS cloud. This provides for traffic separation (something vaguely similar to VLAN for the wide area) but no encryption. If you want confidentiality or integrity, it is quite common to use the combination of MPLS VPN (for efficiency, traffic engineering, QoS, ...) together with IPSec. -eric At 06:29 13/07/2000 -0700, Chris Carlson wrote: >Chavdar, > >I'm not sure specifically what Global One's service >actually is, but you should know that MPLS doesn't >specify encryption itself. > >MPLS (Multi-Protocol Label Switching) is where an edge >device tags an IP packet so other MPLS-aware routers >can transparently route it like a VC, apply QoS to it, >and do other funky things. 
>It can almost appear like
>a bridge since multiple hops through MPLS routers
>appear to be like one hop from the edge device on one
>end to the edge device on the other end.
>
>If your requirements of a VPN include encryption,
>message integrity, and authentication, then MPLS alone
>won't do it.
>
>That said, however, many companies (inlcuding my own)
>are building MPLS backbones to enable QoS and SLAs for
>encrypted VPN traffic.
>
>In that case, rate the service on the merits of the
>VPN solution itself and drive hard into what their
>MPLS network is really giving you.
>
>Good luck.
>Chris
>--
>
>--- Chavdar Parvanov
>wrote:
> > Does anybody has impressions of Global One MPLS VPN?
> > What do you think of it.
> >
> > regards,
> > Chavdar Parvanov
> > GOCIS Ltd
> >

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From man-h at NETCOURRIER.COM Mon Jul 17 18:00:23 2000
From: man-h at NETCOURRIER.COM (MaN-H)
Date: Tue, 18 Jul 2000 00:00:23 +0200
Subject: prioritization and IP VPN
Message-ID: <006c01bff03a$6afd5560$0400a8c0@upsylon>

We want to implement site to site connectivity using the CISCO IP VPN solution (IPSec tunnels, ESP).
The problem is that we want to prioritize some applications (Citrix, VoIP).
We have successfully tested the PacketShaper product provided by Packeteer, set before each CPE.
Has somebody tested another solution, can he share his experience?
MaN-H

From evyncke at CISCO.COM Tue Jul 18 01:47:39 2000
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Tue, 18 Jul 2000 07:47:39 +0200
Subject: prioritization and IP VPN
In-Reply-To: <006c01bff03a$6afd5560$0400a8c0@upsylon>
Message-ID: <4.2.0.58.20000718073822.00a4f6a0@brussels.cisco.com>

First have a look at my email address to detect any bias ;-)

As you know, there are a couple of ways to implement quality of service:
- diff-serv: coloring IP packets with precedence/DSCP and having all routers and switches apply different shaping/scheduling/dropping on the data paths.
- int-serv: using an out-of-band signaling protocol called RSVP to signal the requested bandwidth/delay to all the routers and switches on the way.
- proprietary (but useful in some configurations) tricks like TCP window pacing.

diff-serv and int-serv need to be implemented in the majority of the routers/switches to be efficient. Hence, they are usually reserved for SP networks and/or enterprise networks. They are useless over the Internet. TCP window pacing works over an unmanaged network like the Internet but has other drawbacks (this is where my vendor bias can be smelled).

Anyway, IPSec works fine with diff-serv. More specifically with Cisco IOS IPSec, the precedence color is kept after encryption and all QoS mechanisms (except WFQ in most cases) work with encrypted packets. I have designed about half a dozen networks using this capability, and QoS is indeed enforced ;-)

AFAIK, int-serv is broken after IPSec.

TCP window pacing should still work provided that the pacing is applied on the clear text TCP connection (outside of the IPSec tunnel).

Hope this helps

-eric

At 00:00 18/07/2000 +0200, MaN-H wrote:
>We want to implement a site to site connectivity using the CISCO IP VPN solution
>(IPSec tunnels, ESP).
>The problem is that we want to prioritize some applications (Citrix, VoIP).
>We have successfully tested the PacketShaper product provided buy Packeeter set
>before each CPE.
>Has somebody tested another solution, can he share his experience ?
>
>MaN-H

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From MuniX-1 at PACBELL.NET Tue Jul 18 01:05:49 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Mon, 17 Jul 2000 22:05:49 -0700
Subject: prioritization and IP VPN
References: <006c01bff03a$6afd5560$0400a8c0@upsylon>
Message-ID: <3973E5AD.4ED9839F@pacbell.net>

Do not use Cisco for IPSec; it is slow and a bit buggy. Try ASICs for your VPN.

Jose Muniz

MaN-H wrote:
>
> We want to implement a site to site connectivity using the CISCO IP VPN solution
> (IPSec tunnels, ESP).
> The problem is that we want to prioritize some applications (Citrix, VoIP).
> We have successfully tested the PacketShaper product provided buy Packeeter set
> before each CPE.
> Has somebody tested another solution, can he share his experience ?
>
> MaN-H

From sruffin at LUCENT.COM Tue Jul 18 10:16:47 2000
From: sruffin at LUCENT.COM (Ruffin, Sam (Sam)** CTR **)
Date: Tue, 18 Jul 2000 10:16:47 -0400
Subject: vpn using 2000 server
Message-ID: <5CB32D2B7DECD111AEA200805F95D60F0429A718@NJ0117EXCH001U>

Hi,

I have been trying to set up a VPN using Windows 2000 Server at my home through a cable modem. So far I have not had much success with it. Is there anyone who has done a VPN with 2000 and has any advice as to how to make it work? I am thinking that there is some configuration that I may be missing. This is my first time setting up any form of VPN.

Thanks.
From jonathan.zivan at HUBX.NET Tue Jul 18 16:51:35 2000
From: jonathan.zivan at HUBX.NET (Jon Zivan)
Date: Tue, 18 Jul 2000 16:51:35 -0400
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
Message-ID: <000801bff0f9$f60d8f70$1101a8c0@office5>

Here is a candidate for the FAQ:

What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?

I have been doing some research for my company and it is still unclear to me if there are any significant differences between the two.

Also, the Nortel and Cisco boxes seem to be rated by how many clients they can terminate. Does anyone know how many clients PoPToP can terminate with, say, a PIII 500 128MB box?

From jonc at HAHT.COM Tue Jul 18 19:31:33 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Tue, 18 Jul 2000 19:31:33 -0400
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
References: <000801bff0f9$f60d8f70$1101a8c0@office5>
Message-ID: <01b001bff110$60e95b60$6803010a@dhcp.haht.com>

That would really depend on the bandwidth each connection needs... I would guess that under normal load, your box could handle about 15 users connecting to it via high-speed internet connections (cable modem/DSL/T1), or about 45 users connecting via modem to the internet. Using as an estimate the bandwidth from the users at my corporation...

The limiting factor is probably the memory. You should at least double it.

Jon Carnes
HAHT Commerce

----- Original Message -----
From: Jon Zivan
To: VPN at SECURITYFOCUS.COM
Sent: Tuesday, July 18, 2000 4:51 PM
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
Here is a candidate for the FAQ:

What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?

I have been doing some research for my company and it is still unclear to me if there are any significant differences between the two.

Also, the Nortel and Cisco boxes seem to be rated by how many clients they can terminate. Dose anyone know how many clients PopToP can terminate with, say, a pIII 500 128mb box?

From carlsonmail at YAHOO.COM Wed Jul 19 09:44:34 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Wed, 19 Jul 2000 06:44:34 -0700
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
Message-ID: <20000719134434.19438.qmail@web2304.mail.yahoo.com>

I would have to say that Nortel Contivity and Altiga are very similar. They both terminate other VPN sessions besides IPSec; they do PPTP, L2TP, and Windows 2000's L2TP/IPSec hybrid. Plus they do branch office tunnels.

You're going to find that it's the little differences between the two and how they map to your network and security policies that make or break a candidate.

Check out those details closely. I like the Contivity's ability to push DNS and WINS settings from the server to the client at connection time, plus the ability to seamlessly use RADIUS for client authentication and as a proxy to SecurID, NT domains, etc. Look for the details!

Two words about Altiga: I'm not sure if Mike Dews of Cisco would disagree :-), but when any company gets acquired, the transition into the larger company causes circa a 6 month disruption. Cisco acquired Altiga and Compatible recently and is trying hard to integrate them and consolidate to one VPN client. I'm concerned about that.
I know for a fact that when Nortel bought Bay Networks, which bought New Oak for the Contivity product, they lost 4-6 months of development and feature updates. But that was a year ago and I think they're back on track.

And a year ago, a little birdie friend of mine at Altiga told me that they weren't as good as the Contivity. Heck, Altiga was running a promo where they BOUGHT back your Contivity if you purchased an Altiga box. Talk about running scared! Take that for what it's worth... :-)

I strongly suggest that when you narrow down your choices via research, get them into your lab, test network, or alpha test on your production network and hammer at them head to head.

One other thing: Really focus on the IPSec client. Unless you decide to use PPTP or Windows 2000, the IPSec client will cause most of your headaches from a support perspective: fulfillment, installation, configuration, support, client "breaking" other apps, other apps "breaking" the client, etc.

Good luck! Keep us in the loop on what you selected!

Chris
--

> ----- Original Message -----
> From: Jon Zivan
> To: VPN at SECURITYFOCUS.COM
> Sent: Tuesday, July 18, 2000 4:51 PM
> Subject: What are the differences between the
> Nortel Contivity VPN Switch and the Cisco Altiga or
> 5000 box?
>
>
> Here is a candidate for the FAQ:
>
> What are the differences between the Nortel
> Contivity VPN Switch and the Cisco Altiga or 5000
> box?
>
> I have been doing some research for my company and
> it is still unclear to me if there are any
> significant differences between the two.
>
> Also, the Nortel and Cisco boxes seem to be rated
> by how many clients they can terminate. Dose anyone
> know how many clients PopToP can terminate with,
> say, a pIII 500 128mb box?
>
>
From cindy_slosar at YAHOO.CA Wed Jul 19 13:00:18 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Wed, 19 Jul 2000 13:00:18 -0400
Subject: Uploading across the VPN
Message-ID: <20000719170018.18731.qmail@web1506.mail.yahoo.com>

Hi,

Is anyone else having problems uploading files across a VPN? I can't seem to figure out what the problem is. I get an error saying "Cannot copy filename: The specified network name is no longer available." I can download files no problem.

Thanks in advance.

Cindy

From zarling at BERBEE.COM Wed Jul 19 13:48:33 2000
From: zarling at BERBEE.COM (Eric Zarling)
Date: Wed, 19 Jul 2000 12:48:33 -0500
Subject: Uploading across the VPN
In-Reply-To: <20000719170018.18731.qmail@web1506.mail.yahoo.com>
Message-ID: <4.2.0.58.20000719124029.00a7ae20@berbee.com>

What you are probably seeing is an MTU issue. Are you using a VPN client or a VPN router or gateway?

I have come across an issue with uploading files through a Cisco router running DES. What happens is that the router needs to fragment the IP packet because of the encryption overhead, but the OS (in this case Microsoft) sets the "Do not Fragment" bit on. The router will not break up the packet and will send what is basically a host unreachable ICMP packet back to the machine, and it will error out.

The workaround for this is to set the MTU lower than 1500. I set the MTU to 1400 and it works fine. The only issue I have come across with certain NIC cards is where this can be set. It usually is a registry setting. But I have been fighting with Xircom on whose responsibility it is to set the MTU. Xircom claims it is a Microsoft setting. With other NICs (3COM), I have set it in the registry under the NIC entry.
Give this a shot and let me know what happens,

Eric

At 01:00 PM 7/19/2000 -0400, Cindy Slosar wrote:
>Hi,
>
>Is anyone else having problems uploading files across
>a VPN? I can't seem to figure out what the problem
>is. I get an error saying "Cannot copy filename: The
>specified network name is no longer available." I can
>download files no problem.
>
>Thanks in advance.
>
>Cindy

Eric Zarling CCIE #5499
Berbee
N14 W23833 Stone Ridge Drive, Suite 300
Waukesha, Wisconsin 53188
DID 262.521.5626, Main 262.523.5800
FAX: 262.523.5803
Berbee...putting the E in business

From jrdepriest at FTB.COM Wed Jul 19 13:37:39 2000
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Wed, 19 Jul 2000 12:37:39 -0500
Subject: Uploading across the VPN
Message-ID:

I receive a similar error when trying to map to network drives through the VPN. The log shows excessive time outs that I cannot account for.

I am using Axent's PowerVPN 6.5 with RaptorMobile on a Windows 2000 Professional machine.

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com

Disclaimer: The views expressed in this message, while not necessarily the views of First Tennessee, are nonetheless confidential and not to be freely distributed to external sources without explicit permission from the sender of this message or from First Tennessee National Corporation.

"I have never let my schooling interfere with my education."
- Mark Twain

=> -----Original Message-----
=> From: Cindy Slosar [mailto:cindy_slosar at YAHOO.CA]
=> Sent: Wednesday, July 19, 2000 12:00 PM
=> To: VPN at SECURITYFOCUS.COM
=> Subject: Uploading across the VPN
=>
=>
=> Hi,
=>
=> Is anyone else having problems uploading files across
=> a VPN? I can't seem to figure out what the problem
=> is. I get an error saying "Cannot copy filename: The
=> specified network name is no longer available." I can
=> download files no problem.
=>
=> Thanks in advance.
=>
=> Cindy
=>

From pete at ETHER.NET Wed Jul 19 13:42:31 2000
From: pete at ETHER.NET (Pete Davis)
Date: Wed, 19 Jul 2000 13:42:31 -0400
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
In-Reply-To: <20000719134434.19438.qmail@web2304.mail.yahoo.com>
References: <20000719134434.19438.qmail@web2304.mail.yahoo.com>
Message-ID: <20000719134231.A8545@ether.net>

Chris,

The Cisco VPN 3000 Client, formerly Altiga Networks, has always had support for DNS and WINS assignment from the server upon connection and supports SecurID, NT Domains, RADIUS, etc. for authentication as well.

Best Regards,
-pete

On Wed, Jul 19, 2000 at 06:44:34AM -0700, Chris Carlson wrote:
> Check out those details closely. I like the
> Contivity's ability to push DNS and WINS settings from
> the server to the client at connection time, plus the
> ability to seamlessly use RADIUS for client
> authentication and as a proxy to SecurID, NT domains,
> etc. Look for the details!

---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc.
- 124 Grove Street Suite 205 Franklin, MA 02038

From SCundall at ARIBA.COM Wed Jul 19 18:14:54 2000
From: SCundall at ARIBA.COM (Steve Cundall)
Date: Wed, 19 Jul 2000 15:14:54 -0700
Subject: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?
Message-ID: <19A187F26DD4D311949F009027E28ACE7E10DE@us-mtvmail3.ariba.com>

One little note to the list: we were testing the Altiga switch using NT authentication and found that the PPTP tunnels do NOT come up encrypted using that type of authentication (the authentication is encrypted, but not the tunnel). Even using RADIUS, there are only a few RADIUS servers that allow PPTP encrypted tunnels to work (interestingly enough, Cisco's RADIUS server doesn't work, but they are supposed to be fixing that soon). They have suggested we use Microsoft's RADIUS server or Steel Belted RADIUS. Messy, messy.

Overall the Altiga client interested us, since they just released a version that runs IPsec through NAT (which is VERY important to us). I know that Contivity is working on that, but not sure if it's available today.

Regards,
Steve

-----Original Message-----
From: Pete Davis [mailto:pete at ETHER.NET]
Sent: Wednesday, July 19, 2000 10:43 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: What are the differences between the Nortel Contivity VPN Switch and the Cisco Altiga or 5000 box?

Chris,

The Cisco VPN 3000 Client formerly Altiga Networks has always had support for DNS, WINS assignment from the server upon connection and supports SecurID, NT Domains, RADIUS, etc for authentication as well.

Best Regards,
-pete

On Wed, Jul 19, 2000 at 06:44:34AM -0700, Chris Carlson wrote:
> Check out those details closely. I like the
> Contivity's ability to push DNS and WINS settings from
> the server to the client at connection time, plus the
> ability to seamlessly use RADIUS for client
> authentication and as a proxy to SecurID, NT domains,
> etc. Look for the details!
---
Pete Davis - Product Manager (508) 541-7300 x6154
Cisco Systems, Inc. - 124 Grove Street Suite 205 Franklin, MA 02038

From PaulD at DUGAS.COM Thu Jul 20 09:51:46 2000
From: PaulD at DUGAS.COM (Paul Dugas)
Date: Thu, 20 Jul 2000 09:51:46 -0400
Subject: Any news on Contivity client for Win2k?
Message-ID:

Hi all,

Just wondering if anyone out there has heard anything about the beta testing of Nortel's new Extranet Access Client for Win2000 machines. A guy at SuperCom in Atlanta said it'd be in beta for "a couple weeks" then released assuming nothing major shows up. Sounded like BS to me. Anyway, 6 weeks later, has anybody heard anything about an official release date?

TIA,

-- Paul
______________________________________________________________________
Paul A. Dugas, Computer Engineer    email: pauld at dugas.com
Dugas Enterprises, LLC              phone: (404) 932-1355
1711 Indian Ridge Drive             fax  : (770) 516-4841
Woodstock, GA 30189 USA             web  : http://pauld.dugas.com/

From jason.zann at MARYVILLE.COM Thu Jul 20 10:18:28 2000
From: jason.zann at MARYVILLE.COM (Jason Zann)
Date: Thu, 20 Jul 2000 09:18:28 -0500
Subject: VPNs and WAP.
Message-ID:

I have been hunting down WAP security issues for the past 6 months or so and I have one issue that I am finding nearly impossible to get a straight answer about. I realize that my question is on the edge of what this mailing list is designed for, but nonetheless, I feel it to be very important (read: please bear with me).

Background:
As many applications and functions race to have their data more and more available, the obvious outlet seems to be WAP enabled devices (PDAs, digital phones, and the like). As far as informational based transfers (stock quotes, buying prices, and so on) I really am not worried. Now with personal / corporate information (emails, financial information, ...) I am finding difficulty understanding how the integrity of this information is handled. I feel confident in the fact that from the personal device to the 'mobile network' (SprintPCS, palmnet, etc.) the information is secure from the personal device to the network (that is, secure from the proverbial hacker, but not from SprintPCS or palmnet for obvious reasons, namely because they 'own' the network!). I am still in question as to what is available to protect sensitive information that travels out of the 'secure network of PCS or palmnet' to individual corporate WAP gateways. It would seem to me that this would be an opportune place (between PCS / palmnet and the WAP gateway) for an attacker to sit and intercept all information that is being transmitted.

Wireless browsers in the US (to the best of my knowledge) cannot support digital certificates because of the size of an X.509v3 cert. I would view this as the easiest course of action to solve my dilemma (I am using the logic that browsers have SSL, and the equivalent needs to be available in the mobile world). I know that Ericsson recalled tens of thousands of phones in Europe to actually put certs on them, but I never fully heard what the reason / result was. I also know that Baltimore is supposed to be a market leader with their WTLS developments, but once again, I have been unable to generate any answers as to how this will solve my issue. An RSA logo comes up on some PCS phones when they are powered up, but no information is provided for what RSA is doing for PCS (I am referring to the technical side, not the market blitz).

With no further introduction, here is my question... What, if anything, is available for end to end security (integrity of the data being transferred) from a PDA / digital phone to a WAP gateway?

Zann

From rgm at ICSA.NET Thu Jul 20 13:23:38 2000
From: rgm at ICSA.NET (Robert Moskowitz)
Date: Thu, 20 Jul 2000 13:23:38 -0400
Subject: VPNs and WAP.
In-Reply-To:
Message-ID: <4.3.2.7.2.20000720131659.00e0ccd0@homebase.htt-consult.com>

At 09:18 AM 7/20/2000 -0500, Jason Zann wrote:

My latest conversation with Baltimore people is that they have only gotten the WAP people to put the URL for the cert and private key location (on the WAP server) in the phones. The phones, it seems, do not have the oomph to do public key operations on the phones. At least not the ones out today. Stephen Farrell showed me the smart card in his phone and said all it had was the URL in it. No certs. So this limits WAP usage of security significantly for the current generation of phones. :(

>I have been hunting down WAP security issues for the past 6 months or so and
>I have one issue that I am finding nearly impossible to get a straight
>answer about. I realize that my question is on the edge of what this mailing
>list is designed for, but none the less, I feel it to be very important
>(read: please bare with me).
>
>Background:
>As many applications and functions race to have their data more and more
>available, the obvious outlet seems to be a WAP enabled devices (PDAs,
>digital phones, and the like). As far as informational based transfers
>(stock quotes, buying prices, and so on) I really am not worried. Now with
>personal / corporate information (emails, financial information, ...) I am
>finding difficulty understanding how the integrity of this information is
>handled. I feel confident in the fact that from the personal device to the
>'mobile network' (SprintPCS, palmnet, etc.) the information is secure from
>the personal device to the network (that is secure from the proverbial
>hacker, but not SprintPCS or palmnet for obvious reasons, namely because
>they 'own' the network!). I am still in question as to what is available to
>protect sensitive information that travels out of the 'secure network of PCS
>or palmnet' to individual corporate WAP gateways.
>It would seem to me that
>this would be an opportune place (between PCS / palmnet and the WAP gateway)
>for an attacker to sit and intercept all information that is being
>transmitted.
>
>Wireless browsers in the US (to the best of my knowledge) cannot support
>digital certificates because of the size of an x.509v3 cert. I would view
>this as the easiest course of action to solve my dilemma (I am using the
>logic that browsers have SSL, and the equivalent needs to be available in
>the mobile world). I know that Ericson recalled tens of thousands of phones
>in Europe to actually put certs on them; but, I never fully heard what the
>reason / result was. I also know that Baltimore is suppose to be a market
>leader with their WTLS developments, but once again, I have been unable to
>generate any answers has to how this will solve my issue. An RSA logo comes
>up on some PCS phones when they are powered up, but no information is
>provided for what RSA is doing for PCS (I am referring to the technical
>side, not the market blitz).
>
>With no further introduction, here is my question... What, if anything is
>available for end to end security (integrity of the data being transferred)
>from a PDA / digital phone to a WAP gateway?
>
>
>Zann

Robert Moskowitz
ICSA.net
(248) 968-9809
Fax: (248) 968-2824
rgm at icsa.net

There's no limit to what can be accomplished if it doesn't matter who gets the credit

From fredy at ORION.CL Thu Jul 20 13:16:35 2000
From: fredy at ORION.CL (Fredy Santana)
Date: Thu, 20 Jul 2000 13:16:35 -0400
Subject: SAP over VPN
In-Reply-To: <19A187F26DD4D311949F009027E28ACE7E10DE@us-mtvmail3.ariba.com>
References: <19A187F26DD4D311949F009027E28ACE7E10DE@us-mtvmail3.ariba.com>
Message-ID:

Hi Everybody:

This is my first participation in this list and I'd like to ask:

Hi Everybody:

Has anyone implemented a SAP application over a VPN? Does this work? What must I consider to implement this?
Regards
Fredy R. Santana V.
Electrical Engineer
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Phone: 6403944 - fredy at orion.cl

From gbincik at DMTISPATIAL.COM Thu Jul 20 13:13:04 2000
From: gbincik at DMTISPATIAL.COM (Gabriel Bincik)
Date: Thu, 20 Jul 2000 13:13:04 -0400
Subject: Any news on Contivity client for Win2k?
Message-ID: <9DABA45C19A5D31181AD00508B4AB1323B9A@DMTI_MESSENGER>

I've been told by the software people at Nortel that the release date is September 3rd.

-----Original Message-----
From: Paul Dugas [mailto:PaulD at DUGAS.COM]
Sent: July 20, 2000 9:52 AM
To: VPN at SECURITYFOCUS.COM
Subject: Any news on Contivity client for Win2k?

Hi all,

Just wondering if anyone out there has heard anything about the beta testing of Nortel's new Extranet Access Client for Win2000 machines. A guy at SuperCom in Atlanta said it'd be in beta for "a couple weeks" then released assuming nothing major shows up. Sounded like BS to me. Anyway, 6 weeks later, has anybody heard anything about an official release date?

TIA,

-- Paul
______________________________________________________________________
Paul A. Dugas, Computer Engineer    email: pauld at dugas.com
Dugas Enterprises, LLC              phone: (404) 932-1355
1711 Indian Ridge Drive             fax  : (770) 516-4841
Woodstock, GA 30189 USA             web  : http://pauld.dugas.com/

From bet at RAHUL.NET Thu Jul 20 13:41:49 2000
From: bet at RAHUL.NET (Bennett Todd)
Date: Thu, 20 Jul 2000 13:41:49 -0400
Subject: VPNs and WAP.
In-Reply-To: ; from jason.zann@MARYVILLE.COM on Thu, Jul 20, 2000 at 09:18:28AM -0500
References:
Message-ID: <20000720134149.M494@oven.com>

2000-07-20-10:18:28 Jason Zann:
> I feel confident in the fact that from the personal device to the
> 'mobile network' (SprintPCS, palmnet, etc.) the information is
> secure from the personal device to the network [...]
I very specifically doubt that security. The protocols being used by WAP are, as far as I know, part of the basic GSM design, and that basic design was very deliberately sabotaged by representatives of spy agencies, to ensure that it would not be secure. As always, the morons who committed this screwup thought they could keep it quiet, and that nobody else would notice, and so they'd have exclusive rights to listen in on everything. As always, they were wrong.

> I am still in question as to what is available to protect
> sensitive information that travels out of the 'secure network of
> PCS or palmnet' to individual corporate WAP gateways. It would
> seem to me that this would be an opportune place (between PCS /
> palmnet and the WAP gateway) for an attacker to sit and intercept
> all information that is being transmitted.

That would be one opportune place, certainly, the other being most anywhere, with a good radio receiver.

Happily the fix to this problem would only require support from the wireless providers, on their servers, not from all the countless (and so irreparably insecure) individual mobile cellphones and whatnots. If the gateway server were willing to talk SSL to the WAP server, that'd cover the problem you're worrying about. I've no idea whether any of the existing ones would be so willing.

> Wireless browsers in the US (to the best of my knowledge) cannot
> support digital certificates because of the size of an x.509v3
> cert.

It has nothing to do with the size; memory is cheap as sand. What it has to do with is that there's no secure protocol implemented within the cellphones and usable over the air --- there's no SSL there, just some deliberately crippled pretend crypto.

> With no further introduction, here is my question... What, if
> anything is available for end to end security (integrity of the
> data being transferred) from a PDA / digital phone to a WAP
> gateway?

As far as I know, nothing.
What's more, until and unless the various spy agencies fall out of favour and influence, there never will be; they are so utterly committed to shutting down practical crypto, that they are completely unstoppable any place there's an easy choke point for them to strangle processes --- like e.g. defining standards for mobile phone technology. They've failed with open source and the internet, but that's just because neither of them had conveniently located necks that hands would fit around. I expect the only option for the forseeable future would be to settle on some box capable of general-purpose programmability, like e.g. a Palm VII, and write custom code that uses the provided protocol to carry encrypted traffic for your application. Shouldn't be too awful a job, SSLeay has been ported to PalmOS, and people have implemented ssh atop it. -Bennett -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000720/654b8513/attachment.pgp From esteban at REED.EDU Thu Jul 20 13:41:18 2000 From: esteban at REED.EDU (esteban) Date: Thu, 20 Jul 2000 10:41:18 -0700 Subject: Any news on Contivity client for Win2k? In-Reply-To: Message-ID: On Thu, 20 Jul 2000, Paul Dugas wrote: > Hi all, > > Just wondering if anyone out there has heard anything about the beta testing > of Nortel's new Extranet Access Client for Win2000 machines. A guy at > SuperCom in Atlanta said it'd be in beta for "a couple weeks" then released > assuming nothing major shows up. Sounded like BS to me. Anyway, 6 weeks > later, has anybody heard anything about an official release date? > > TIA, > > -- Paul > ______________________________________________________________________ > Paul A. 
> Dugas, Computer Engineer        email: pauld at dugas.com
> Dugas Enterprises, LLC          phone: (404) 932-1355
> 1711 Indian Ridge Drive         fax  : (770) 516-4841
> Woodstock, GA 30189 USA         web  : http://pauld.dugas.com/
>

I was told by their tech support yesterday that it is still in testing. They had some serious issues with the Beta. ETA for a release is mid-August. For now, I have win2k people using PPTP.

esteban
esteban at reed.edu

VPN is sponsored by SecurityFocus.COM

From jonc at HAHT.COM Thu Jul 20 16:11:22 2000
From: jonc at HAHT.COM (Jon Carnes)
Date: Thu, 20 Jul 2000 16:11:22 -0400
Subject: SAP over VPN
References: <19A187F26DD4D311949F009027E28ACE7E10DE@us-mtvmail3.ariba.com>
Message-ID: <009601bff286$bee8a3c0$6803010a@dhcp.haht.com>

Yes it works. We use SAP GUI over VPN. We also use VPN to run demos of web-based applications that login and use SAP. Just be conscious of the ports you are using (generally 3200 and 3300).

Jon Carnes
HAHT Software

----- Original Message -----
From: "Fredy Santana"
To:
Sent: Thursday, July 20, 2000 1:16 PM
Subject: SAP over VPN

> Hi Everybody:
>
> This is my first participation in this list and I'd like to ask:
>
> Hi Everybody:
>
> Has anyone implemented a SAP application over a VPN? Does this work?
> What must I consider to implement this?
>
> Regards
> Fredy R. Santana V.
> Electrical Engineer
> Orion 2000 - Servicios Profesionales en Seguridad Informática
> La Concepcion 322 piso 12, Providencia.
> Phone: 6403944 - fredy at orion.cl
>

From jsdy at COSPO.OSIS.GOV Thu Jul 20 18:03:23 2000
From: jsdy at COSPO.OSIS.GOV (Joseph S D Yao)
Date: Thu, 20 Jul 2000 18:03:23 -0400
Subject: Compatible? [Was: Re: What are the differences ...]
In-Reply-To: <20000719134434.19438.qmail@web2304.mail.yahoo.com>; from carlsonmail@YAHOO.COM on Wed, Jul 19, 2000 at 06:44:34AM -0700
References: <20000719134434.19438.qmail@web2304.mail.yahoo.com>
Message-ID: <20000720180323.R21317@washington.cospo.osis.gov>

On Wed, Jul 19, 2000 at 06:44:34AM -0700, Chris Carlson wrote:
...
> acquired, the transition into the larger company
> causes circa a 6 month disruption. Cisco acquired
> Altiga and Compatible recently and is trying to hard
> integrate them and consolidate to one VPN client. I'm
> concerned about that.
...

Is this why we haven't heard from our friends at Compatible on this mailing list lately? ;-?

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From dtheise1 at FORD.COM Thu Jul 20 17:49:17 2000
From: dtheise1 at FORD.COM (Theisen, David (D.A.))
Date: Thu, 20 Jul 2000 17:49:17 -0400
Subject: SAP over VPN
Message-ID:

Yes, but you have to open up a heck of a lot of ports: TCP 3200-3399 and 3600-3604

-----Original Message-----
From: Fredy Santana [mailto:fredy at ORION.CL]
Sent: Thursday, July 20, 2000 1:17 PM
To: VPN at securityfocus.com
Subject: SAP over VPN

Hi Everybody:

This is my first participation in this list and I'd like to ask:

Hi Everybody:

Has anyone implemented a SAP application over a VPN? Does this work?
What must I consider to implement this?

Regards
Fredy R. Santana V.
Electrical Engineer
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Phone: 6403944 - fredy at orion.cl

From JeremyNikolai at TCH-AZ.COM Thu Jul 20 17:10:57 2000
From: JeremyNikolai at TCH-AZ.COM (Jeremy Nikolai)
Date: Thu, 20 Jul 2000 14:10:57 -0700
Subject: Win98 Client to NT4 Server not working....
Message-ID:

Hello,

We're trying to connect a Win98/Win95/WinNT ws client to our NT 4 Server (also the PDC) with no luck.... "No domain server was available to validate your password. You may not be able to gain access to some network resources".... The client is getting an ip from the server, and the server can see the client, but other than that, nothing works.... We're using the microsoft client & server, no third party software. The client is connecting through a standard dial-up to a commercial isp; server is on a T1 through a Cisco 2514.... Any ideas for what we may be doing wrong? Any other info needed, just ask....

Thanks!

From fredy at ORION.CL Fri Jul 21 09:19:04 2000
From: fredy at ORION.CL (Fredy Santana)
Date: Fri, 21 Jul 2000 09:19:04 -0400
Subject: SAP over VPN
In-Reply-To:
References:
Message-ID:

Mmmmm,

What about the speed? (I'm thinking of 128 Kbps at each end of a VPN tunnel)

dtheise1 at FORD.COM writes:
>Yes, but you have to open up a heck of a lot of ports: TCP 3200-3399 and
>3600-3604
>
>-----Original Message-----
>From: Fredy Santana [mailto:fredy at ORION.CL]
>Sent: Thursday, July 20, 2000 1:17 PM
>To: VPN at securityfocus.com
>Subject: SAP over VPN
>
>
>Hi Everybody:
>
>This is my first participation in this list and I'd like to ask:
>
>Hi Everybody:
>
>Has anyone implemented a SAP application over a VPN? Does this work?
>What must I consider to implement this?
>
>Regards
>Fredy R. Santana V.
>Electrical Engineer
>Orion 2000 - Servicios Profesionales en Seguridad Informática
>La Concepcion 322 piso 12, Providencia.
>Phone: 6403944 - fredy at orion.cl
>

Regards
Fredy R. Santana V.
Electrical Engineer
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Phone: 6403944 - fredy at orion.cl

From geir.aasen at ASKPROXIMA.NO Fri Jul 21 13:16:36 2000
From: geir.aasen at ASKPROXIMA.NO (Geir Aasen)
Date: Fri, 21 Jul 2000 19:16:36 +0200
Subject: VPN and QOS and Central policymanagement
Message-ID: <003501bff337$6d704b90$0501a8c0@irtix>

What other products are available for VPN/QOS in one box + central policy management other than Xedia?

Buying these features from different vendors doesn't seem correct and is very expensive (Packetshaper, Intel VPN ++) and makes it very difficult to connect our small 1-5 user offices with LAN to LAN VPN..

Geir Aasen
MCSE, Network Analyst
Proxima ASA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000721/e17df444/attachment.htm

From jason.zann at MARYVILLE.COM Fri Jul 21 18:06:28 2000
From: jason.zann at MARYVILLE.COM (Jason Zann)
Date: Fri, 21 Jul 2000 17:06:28 -0500
Subject: SAP over VPN
Message-ID:

I have heard that the newest release of SAP has a browser based client. It would seem that SSL would be a viable solution for this. If you are looking to take care of the authentication, I know SAP is compatible with SecureID (however, I do not know if they are compatible with SecureID because they are RADIUS compliant or if it is because they have a plugin for the ACE server). The authorization, auditing, blah, blah, blah... should be handled in the traditional way through SAP administration.

> -----Original Message-----
> From: Fredy Santana [SMTP:fredy at ORION.CL]
> Sent: Friday, July 21, 2000 8:19 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: SAP over VPN
>
> Mmmmm,
>
> What about the speed?
> (I'm thinking of 128 Kbps at each end of a VPN
> tunnel)
>
>
> dtheise1 at FORD.COM writes:
> >Yes, but you have to open up a heck of a lot of ports: TCP 3200-3399 and
> >3600-3604
> >
> >-----Original Message-----
> >From: Fredy Santana [mailto:fredy at ORION.CL]
> >Sent: Thursday, July 20, 2000 1:17 PM
> >To: VPN at securityfocus.com
> >Subject: SAP over VPN
> >
> >
> >Hi Everybody:
> >
> >This is my first participation in this list and I'd like to ask:
> >
> >Hi Everybody:
> >
> >Has anyone implemented a SAP application over a VPN? Does this work?
> >What must I consider to implement this?
> >
> >Regards
> >Fredy R. Santana V.
> >Electrical Engineer
> >Orion 2000 - Servicios Profesionales en Seguridad Informática
> >La Concepcion 322 piso 12, Providencia.
> >Phone: 6403944 - fredy at orion.cl
> >
>
>
> Regards
> Fredy R. Santana V.
> Electrical Engineer
> Orion 2000 - Servicios Profesionales en Seguridad Informática
> La Concepcion 322 piso 12, Providencia.
> Phone: 6403944 - fredy at orion.cl
>

From rdonkin at ORCHESTREAM.COM Fri Jul 21 18:12:05 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Fri, 21 Jul 2000 23:12:05 +0100
Subject: VPN and QOS and Central policymanagement
Message-ID:

My company's Orchestream Provider Edition product provides central policy management of QoS and (MPLS) VPNs from a single system - we use standard routers such as Cisco, Bay and Xedia. We don't do IPSec VPNs, though, so this is most relevant if you are interested in service provider applications.

Richard
--
rdonkin at orchestream.com                  http://www.orchestream.com
Tel: +44 (0)20 7598 7554 (direct)           Orchestream Ltd.
     +44 (0)20 7460 4460 (switchboard)      125 Old Brompton Road
Fax: +44 (0)20 7460 4461                    London SW7 3RP, UK
>>>>>>>>>>>>>>>>>>>>>>>>>>> iP with iQ >>>>>>>>>>>>>>>>>>>>>>>>>>>>>

-----Original Message-----
From: Geir Aasen [mailto:geir.aasen at ASKPROXIMA.NO]
Sent: Fri 21 July 2000 18:17
To: VPN at SECURITYFOCUS.COM
Subject: VPN and QOS and Central policymanagement

What other products are available for VPN/QOS in one box + central policy management other than Xedia?

Buying these features from different vendors doesn't seem correct and is very expensive (Packetshaper, Intel VPN ++) and makes it very difficult to connect our small 1-5 user offices with LAN to LAN VPN..

Geir Aasen
MCSE, Network Analyst
Proxima ASA

From rdonkin at ORCHESTREAM.COM Fri Jul 21 18:26:29 2000
From: rdonkin at ORCHESTREAM.COM (Donkin, Richard)
Date: Fri, 21 Jul 2000 23:26:29 +0100
Subject: prioritization and IP VPN
Message-ID:

Xedia have a single box QoS and IPSec VPN solution, which should take care of all this. Our products manage QoS on Xedias amongst other devices (including Cisco and Bay) and don't seem to have any problem setting up CBQ instances (which provide QoS) on top of IPSec tunnel instances in the Xedia stack.

I'm not clear whether the tunnels go across the Internet or a single managed IP network - if the latter, then DiffServ is quite applicable, i.e. you mark packets before they enter the tunnels and the core network routers respect this CoS allocation aka prioritisation. The important point is that the tunnel encapsulation process must copy the IP Type of Service byte from the inner header to the outer encapsulating header. The nice thing about DiffServ is that the marking can cross barriers to classification such as tunnel encapsulation and even NAT - however, you need to check your device vendor does copy the TOS byte where appropriate.
Alternatively, if you are using the Internet as the core of the IPSec VPN, you can use simple bandwidth management (queuing or TCP rate shaping at the edge only, best effort in the core). Packeteer-style TCP rate shaping, aka window pacing, is probably more effective when you can only manage bandwidth at a single point since it has 'action at a distance' effects on the end host's sending TCP instance. So if you are going for commodity IPSec devices, you might be able to deploy Packeteers only at the central hub site, if you have a hub-spoke VPN configuration. TCP rate shaping doesn't really handle VoIP, though, which is why Packeteer has something remarkably like priority queuing (as far as I can tell from their docs). Packeteers have some nice measurement features too.

Finally, my company does service activation software for QoS-enabled MPLS VPNs, aimed at providers - these have similar tunnel-encapsulation issues, but the boxes I'm familiar with copy the IP Precedence into the MPLS CoS (EXPerimental) field, so they let IP CoS work with MPLS CoS transparently.

For more information on QoS, see www.qosforum.com - also, there are some links at http://www.orchestream.com/support/links.html.

Richard
--
rdonkin at orchestream.com                  http://www.orchestream.com
Tel: +44 (0)20 7348 1507 (direct)           Orchestream Ltd.
     +44 (0)20 7348 1500 (switchboard)      Avon House, Kensington Village,
Fax: +44 (0)20 7348 1501                    Avonmore Road
>>>> IP Service Activation >>>>             London W14 8TS, UK

> -----Original Message-----
> From: MaN-H [mailto:man-h at NETCOURRIER.COM]
> Sent: Mon 17 July 2000 23:00
> To: VPN at SECURITYFOCUS.COM
> Subject: prioritization and IP VPN
>
>
> We want to implement a site to site connectivity using the
> CISCO IP VPN solution
> (IPSec tunnels, ESP).
> The problem is that we want to prioritize some applications
> (Citrix, VoIP).
> We have successfully tested the PacketShaper product provided
> by Packeteer set
> before each CPE.
> Has somebody tested another solution, can he share his experience ?
>
> MaN-H
>

From mcaines at TRUEWORLDGROUP.COM Fri Jul 21 18:50:37 2000
From: mcaines at TRUEWORLDGROUP.COM (Milton Caines)
Date: Fri, 21 Jul 2000 18:50:37 -0400
Subject: Two OpenBSD Servers on different networks trying to establish ipsec connection
Message-ID: <002901bff366$17060ef0$1503a8c0@trueworldfoods.com>

I am trying to have two Openbsd machines behind routers communicate with each other using ipsec. These machines are on different networks in different states. My network layout is below.

I am using rc.vpn to attempt to establish ipsec communication between the two machines but it does not work. I determine it does not work by setting up ipf.rules that allow only proto esp to and from the ip set for my servers.

On each router I have assigned to the OpenBSD servers public ip address that I received from my ip provider. I am using Nat translation on my router. It seems to me rather than a tunnel mode, I should be using some kind of transport mode. I notice most configurations I try to follow assume that my OpenBSD servers are acting as NAT/DHCP Servers on the network, but mine are not.

Does anyone have any suggestions how I can set up my rc.vpn or ipsecadm configuration under the conditions I am facing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000721/fceb9b7b/attachment.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1350 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20000721/fceb9b7b/attachment.gif

From mcaines at TRUEWORLDGROUP.COM Sat Jul 22 11:11:28 2000
From: mcaines at TRUEWORLDGROUP.COM (Milton Caines)
Date: Sat, 22 Jul 2000 11:11:28 -0400
Subject: How do I verify that Ipsec is actually functioning
Message-ID: <006801bff3ef$1db15f00$1503a8c0@trueworldfoods.com>

After I have established a connection between two OpenBSD on different networks using ipsec, how do I verify that ipsec is actually active between these two machines
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000722/8b5a68ee/attachment.htm

From carlsonmail at YAHOO.COM Sat Jul 22 10:08:34 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Sat, 22 Jul 2000 07:08:34 -0700
Subject: VPN and QOS and Central policymanagement
Message-ID: <20000722140834.4463.qmail@web2301.mail.yahoo.com>

Hmmm... you'd best look at the firewall appliance market.

CheckPoint FireWall-1/VPN-1 with its packet shaping module FloodGate-1 on a Nokia 330 (available with integrated T-1 card) can run you about $8,000 list for less than 25 users.

NetScreen makes a small box, Netscreen-5, that is for 10 or 25 user licenses and has traffic shaping, and it's around $500 list.

I also think that Cisco has some type of traffic shaping feature in its IOS, perhaps something that you can add onto the FW/VPN IOS code for a 1700 or 2500/2600 series router.

What are you using for the HQ location?

(Based on cost, if the functionality was good, I'd prefer the NetScreen.)

Good luck,
Chris
--

--- Geir Aasen wrote:
> What other products are available for VPN/QOS in one
> box + central policy management other than Xedia?
>
> Buying these features from different vendors doesn't
> seem correct and is very expensive(Packetshaper,
> Intel VPN ++)
> and makes it very difficult to connect our small 1-5
> user offices with LAN to LAN VPN..
>
>
>
> Geir Aasen
> MCSE, Network Analyst
> Proxima ASA
>

__________________________________________________
Do You Yahoo!?
Get Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/

From lisa at CORECOM.COM Sat Jul 22 09:08:04 2000
From: lisa at CORECOM.COM (Lisa Phifer)
Date: Sat, 22 Jul 2000 09:08:04 -0400
Subject: VPN and QOS and Central policymanagement
In-Reply-To: <003501bff337$6d704b90$0501a8c0@irtix>
Message-ID: <4.2.0.58.20000722085623.009ce100@mail2.netreach.net>

At 07:16 PM 7/21/2000 +0200, you wrote:
>What other products are available for VPN/QOS in one box + central policy
>management other than Xedia?

If by QoS you mean traffic shaping/bandwidth management, see also:

Alcatel Fort Knox Policy Router
http://rogets.ind.alcatel.com/enterprise/products/id/proseries.html

NetScreen with Global Manager
http://www.netscreen.com/pub/products/ns100.html
http://www.netscreen.com/pub/products/nsglobal.html

Radguard cIPro v4.4
http://www.radguard.com/cipro44.html

to name a few.

Lisa

From ho at CRT.SE Sat Jul 22 11:44:36 2000
From: ho at CRT.SE (Hakan Olsson)
Date: Sat, 22 Jul 2000 17:44:36 +0200
Subject: How do I verify that Ipsec is actually functioning
In-Reply-To: <006801bff3ef$1db15f00$1503a8c0@trueworldfoods.com>
Message-ID:

Easiest/best is probably to use tcpdump to look at the traffic between them:

  # tcpdump -nvs1400 host A.B.C.D and host E.F.G.H

(-nvs1400 not really required)

You should only see IP proto 50 'esp' (or 51 'ah') packets, and possibly UDP port 500 packets, the latter if you're running IKE (isakmpd). (ARP packets are ok if the gateways are on the same network :)

If you see other traffic, check your ipsec routing flows.
('netstat -rn -f encap')

//Håkan

On Sat, 22 Jul 2000, Milton Caines wrote:

> After I have established a connection between two OpenBSD on different
> networks using ipsec, how do I verify that ipsec is actually active
> between these two machines
>

--
Håkan Olsson                        (+46) 708 437 337      Carlstedt Research
Unix, Networking, Security          (+46) 31 701 4264      & Technology AB

From fredy at ORION.CL Mon Jul 24 11:35:03 2000
From: fredy at ORION.CL (Fredy Santana)
Date: Mon, 24 Jul 2000 11:35:03 -0400
Subject: VPN between Firewall-1 and Sonicwall
In-Reply-To:
References:
Message-ID:

Hi:

Has anyone made a VPN between a Firewall-1 v 4.1 and Sonicwall? I'm trying but it doesn't work.

Regards
Fredy R. Santana V.
Electrical Engineer
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Phone: 6403944 - fredy at orion.cl

From Azim.Ferchichi at SWISSCOM.COM Mon Jul 24 11:17:51 2000
From: Azim.Ferchichi at SWISSCOM.COM (Azim.Ferchichi at SWISSCOM.COM)
Date: Mon, 24 Jul 2000 17:17:51 +0200
Subject: IPsec gw with FDDI interface
Message-ID:

Hi all,

I'm looking for IPsec gateway with FDDI and/or ATM interfaces. Does anyone know products with such interfaces?

Thanks for your help!

Azim
_____________________
Azim Ferchichi
CIT-CT-TPM
IT Security and Smart-cards
Swisscom AG
CH-3050 Bern
------------------------------------------

From saxo at ENGLAND.COM Mon Jul 24 03:34:43 2000
From: saxo at ENGLAND.COM (Saxo Saxo)
Date: Mon, 24 Jul 2000 00:34:43 -0700
Subject: All in one VPN
Message-ID:

Hello,

Has anybody tried setting up a branch office VPN using a single Cisco router with the following requirements:

1- DHCP
2- NAT
3- Custom queueing
4- Firewall Feature Set
5- VPN

In short we would like one box to have all that functionality and was wondering what people's thoughts on that are.

Thanks a lot for your help.
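The check Håkan Olsson describes above (between the two gateways you should only see IP proto 50 ESP, 51 AH and, if IKE is running, UDP port 500), as an added example that is not code from any post on this list: a Python script that applies that rule to raw IPv4 packets, the kind a pcap reader hands back from a `tcpdump -w` capture, and reports anything else seen between the two addresses. It goes one step beyond the post: an ESP packet whose payload reads as plain text is reported too, since seeing protocol 50 alone does not show that the encapsulated data is actually encrypted. The gateway addresses, SPIs, packet contents and the function names (`check_ipsec_traffic`, `looks_like_plaintext`) are all constructed for this example.

```python
"""Verify that only IPsec traffic flows between two gateways.

Added example, not code from the list post. Applies the rule from the
post (between the two hosts only IP proto 50 ESP, 51 AH and, if IKE is
running, UDP port 500 should be seen) to raw IPv4 packets; all
addresses, SPIs and packet contents below are constructed.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

ESP, AH, UDP, ICMP, TCP = 50, 51, 17, 1, 6
IKE_PORT = 500
ESP_HDR_LEN = 8  # SPI (4) + sequence number (4) precede the ESP payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def looks_like_plaintext(data: bytes) -> bool:
    """Crude ESP-null detector: encrypted data is rarely >90% printable ASCII."""
    if len(data) < 8:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.9


def check_ipsec_traffic(packets, gw_a, gw_b, ike_expected=True):
    """Count protocols between gw_a and gw_b and list packets that should not be there.

    Returns (protocol_counts, findings); findings is a list of (packet index, reason).
    Packets not between the two gateways are ignored, as the tcpdump host filter would.
    """
    pair = {gw_a, gw_b}
    counts = Counter()
    findings = []
    for i, pkt in enumerate(packets):
        src, dst, proto, payload = parse_ipv4(pkt)
        if {src, dst} != pair:
            continue
        counts[proto] += 1
        if proto == AH:
            continue
        if proto == ESP:
            if looks_like_plaintext(payload[ESP_HDR_LEN:]):
                findings.append((i, "ESP payload reads as plaintext: ESP-null or no encryption"))
            continue
        if proto == UDP and ike_expected and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
            if IKE_PORT in (sport, dport):
                continue
        findings.append((i, f"cleartext IP protocol {proto} between gateways: check the encap routes"))
    return dict(counts), findings


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (header checksum left at 0) for the constructed capture."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


# Constructed sample capture: documentation-range addresses, made-up SPIs and data.
GW_A, GW_B = "192.0.2.10", "198.51.100.20"
CIPHERTEXT = bytes.fromhex("9f3ac107e4882bd65ef013a977cc04b26d91fe284caa03d9851be760bb4f920e")
ESP_OK = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + CIPHERTEXT
ESP_NULL = (b"\x00\x00\x10\x02" + b"\x00\x00\x00\x01"
            + b"GET /index.html HTTP/1.0\r\nHost: intranet.example\r\n\r\n")
IKE = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + 28, 0) + b"\x00" * 28  # UDP hdr + ISAKMP stub
PING = b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"ping"
OTHER_TCP = struct.pack("!HH", 1234, 80) + b"\x00" * 16

SAMPLE_PACKETS = [
    build_ipv4(GW_A, GW_B, ESP, ESP_OK),                    # 0: fine
    build_ipv4(GW_B, GW_A, ESP, ESP_OK),                    # 1: fine
    build_ipv4(GW_A, GW_B, UDP, IKE),                       # 2: IKE, fine
    build_ipv4(GW_A, GW_B, ICMP, PING),                     # 3: cleartext ping between gateways
    build_ipv4(GW_A, GW_B, ESP, ESP_NULL),                  # 4: ESP, but not encrypted
    build_ipv4("192.168.1.5", "10.0.0.9", TCP, OTHER_TCP),  # 5: unrelated hosts, ignored
]

if __name__ == "__main__":
    counts, findings = check_ipsec_traffic(SAMPLE_PACKETS, GW_A, GW_B)
    print("protocols seen between gateways:", counts)
    for index, reason in findings:
        print(f"packet {index}: {reason}")
```

The plaintext heuristic is deliberately simple: it catches ESP-null and unencrypted HTTP or similar text, but not compressed-then-unencrypted data, so a clean result from it is necessary rather than sufficient evidence that encryption is on.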
__________________________________________________________________
Get your own free England E-mail address at http://www.england.com

From asc at CONGA.SUPER.UNAM.MX Mon Jul 24 04:21:44 2000
From: asc at CONGA.SUPER.UNAM.MX (Area de Seguridad en Computo)
Date: Mon, 24 Jul 2000 03:21:44 -0500
Subject: Computer Security 2000 Mexico
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----

.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'

                C o m p u t e r   S e c u r i t y   2000   M e x i c o

                      November 26th - December 1st, 2000
                  Palacio de Minería, México City, México.

.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'

                        C A L L   F O R   P A P E R S

The goal of "Computer Security 2000" and "International Computer Security Day" is to create awareness in the computer user community about security strategies and mechanisms used to protect information.

"Computer Security 2000" (http://www.seguridad2000.unam.mx) will be a meeting for all the people who are involved in the use of Computer equipment.

DISC 2000 (http://www.disc2000.unam.mx) is an annual world-wide celebration convoked by ACM (Association For Computing Machinery). Since 1994, Mexico has participated in this celebration through the Computer Security Area (ASC, http://www.asc.unam.mx). This year DISC2000 will take place alongside the event "Computer Security 2000" on November 30th.
The community is invited to participate in the "Computer Security 2000" event through the presentation of theoretical, technical, and applied works and those who present practical experience in the following topics (but not limited to them):

>> Electronic commerce
   Certification
   Digital cash
   New protocols
   Secure transactions
   New Technologies
>> New firewall technologies
   Hybrids FW
   New generations of FW
>> World Wide Web security
   Secure Sockets Layer (SSL)
   Secure Schemes
>> Legislation about Computer Security
   Advances in legislation 1999-2000
   Regulation of domain names
   Copyright and Industrial property
>> Network security
   New network technology applied to Security (ATM, Fast Ethernet)
   Routers security
>> Clusters security
>> Security for software developers
>> Security in distributed systems and data bases
>> Security in agents and multi-platform languages
>> Incident response teams
>> Computer security incident handling, prevention and coordination
>> Administrative and legal issues in the incident handling
>> Software protection and intellectual property
>> New tools for incident handling
>> Attacks and intrusion detection
>> Computer attacks
>> Privacy and cryptography protocols
>> Security policies
>> Computer viruses
>> DDOS attacks

Important Dates
................

Paper submissions: September 22nd
Acceptance notification: October 7th
Final papers due: October 28th
Event Dates: November 26th to December 1st

Workshop Format
................

There will be tutorial-style presentations and workshop-style presentations during November 26, 27 and 28. And November 29 and December 1 will consist of Technical conferences, as well as business sessions. The Birds of a Feather Sessions (BOFs) will be held on November 26, 27 and 28.

Contributions should follow the following guidelines:

1.- Tutorials and workshops: Half or full day tutorial proposals will be considered.
2.
Conference papers: Written papers may be as long as desired, but presentations must be limited to 30 minutes.
3. Panel Sessions: These informal sessions should either follow a more "hands-on" approach or provide for a high degree of audience participation. They should be tailored to address specific issues and should be from 60 to 90 minutes in duration. Panel Sessions on a particular topic are also acceptable.

Program Committee
.....................

The committee will be composed of:

>> Dr. Eugene Spafford, Director of CERIAS, Purdue University, EU
>> Wietse Venema, IBM T.J. Watson Research Center
>> Dr. Eugene Schultz, Global Integrity, EU
>> Linda McCarthy, Net-Defense, EU
>> M. en C. Diego Zamboni, CERIAS, Purdue University
>> Juan Carlos Guel Lopez, Computer Security Area DGSCA-UNAM, Mexico

Further Information
.....................

E-mail: comite at seguridad.unam.mx
http://www.seguridad2000.unam.mx
http://www.disc2000.unam.mx
http://www.asc.unam.mx

Address
.........

Area de Seguridad en Computo
Direccion General de Computo Academico
Circuito Exterior, Ciudad Universitaria
04510 Mexico, D.F. Mexico
Phone : (52) 56 22 81 69 and (52) 56 85 22 29
Fax : (52) 56 22 80 43

- ---
Juan Carlos Guel Lopez               Area de Seguridad en Cómputo
E-mail: asc at asc.unam.mx            DGSCA, UNAM
Tel.: 5622-81-69 Fax: 5622-80-43     Circuito Exterior, C. U.
WWW: http://www.asc.unam.mx/         04510 Mexico D. F.
PGP: finger asc at asc.unam.mx

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQEVAwUBOXv8sj6HeEeO/+C1AQHNeAf/Yc56rQ9uX85UpGf2sB+xxeyz2nY8ERhk
GssgXxO473z/ixeS32XVnFQg+1OaI9oVtFJ/pJji5E0KMefHiyT+hlZmfyGyp1VF
TZqLaKyUw39T2EhWZHb3t2lyzALpK2de2cGvFKoGr2F0DzgF1PYWWwrMHrbDl6HQ
ceNuASFw63LsUVEK8nKg/Y5k9CPb/pqEbvh1upmcpCg3MAn8Ea+9OUI2J+GhB52z
nLh9QeXqMgq2seAMspgynI/DT3+etG9zo7Rh89wemtP/9hfwSuUIZ1y/e9dXmqzq
/HQsChz+LdJd7wqrP24VzS8BiC/YnAKl14ibCe9km/3me6JR8UOM8g==
=Uo4u
-----END PGP SIGNATURE-----

From Robert.Cockerell at SCHRODERS.COM Mon Jul 24 07:33:40 2000
From: Robert.Cockerell at SCHRODERS.COM (Cockerell, Robert)
Date: Mon, 24 Jul 2000 12:33:40 +0100
Subject: Checkpoint VPN with Token Authentication
Message-ID: <3BCD5EE4275CD21195D70000F689FAC20139297C@msxuk20.harrow.schroders.com>

Hi,

I'm interested in using RSA's software token authentication solution with my CheckPoint VPN-1 set-up. Has anyone got any experiences of using an RSA token authentication product? Are there any other solutions to RSA?

Any comments would be really appreciated

Rob Cockerell

__________________________________________________________________
Confidentiality Notice
This message may contain privileged and confidential information. If you think, for any reason, that this message may have been addressed to you in error, you must not disseminate, copy or take any action in reliance on it, and we would ask you to notify us immediately by return email to "Postmaster at Schroders.com".

From dnewman at NETWORKTEST.COM Mon Jul 24 17:12:31 2000
From: dnewman at NETWORKTEST.COM (David Newman)
Date: Mon, 24 Jul 2000 17:12:31 -0400
Subject: Pushing and pulling CRLs
Message-ID:

Because I don't have enough pain in my life I've recently started playing with certificate authorities. :(

One issue that's arisen is how a VPN gateway learns that a CA has revoked a cert in use by the gateways.
If a VPN gateway only checks with a CA at periodic intervals, and the CA revokes a cert immediately after the gateway last checked with the CA, does that mean the revoked user (or process or whatever) is still granted access until the next check?

A Bad Thing if so. Are there any workarounds for this, such as CAs that push CRLs to the gateways?

Thanks for any clues on this.

Regards,
David Newman
Network Test

From kemp at INDUSRIVER.COM Mon Jul 24 18:12:52 2000
From: kemp at INDUSRIVER.COM (Brad Kemp)
Date: Mon, 24 Jul 2000 18:12:52 -0400
Subject: Pushing and pulling CRLs
In-Reply-To:
Message-ID: <3.0.3.32.20000724181252.01feb340@pop3.indusriver.com>

A CRL has a lifetime encoded within it. This lifetime is relatively short, (24 hours or so). The CRL expires at the lifetime and the server will retrieve a new CRL. Thus, a CRL can be cached at the server until its lifetime expires.

When a certificate is revoked, its serial number is placed in the CRL. The certificate will still be deemed valid by a server that has cached the previous CRL until the lifetime in the previous CRL expires.

When using certificates with CRLs the certificate should only be used for authentication, not for authorization.

Brad

At 05:12 PM 7/24/00 -0400, David Newman wrote:
>Because I don't have enough pain in my life I've recently started playing
>with certificate authorities. :(
>
>One issue that's arisen is how a VPN gateway learns that a CA has revoked a
>cert in use by the gateways.
>
>If a VPN gateway only checks with a CA at periodic intervals, and the CA
>revokes a cert immediately after the gateway last checked with the CA, does
>that mean the revoked user (or process or whatever) is still granted access
>until the next check?
>
>A Bad Thing if so. Are there any workarounds for this, such as CAs that push
>CRLs to the gateways?
>
>Thanks for any clues on this.
>
>Regards,
>David Newman
>Network Test

--- -- --
Brad Kemp                       Indus River Networks, Inc.
BradKemp at indusriver.com       31 Nagog Park
978-266-8122                    Acton, MA 01720
fax 978-266-8111

From jrdepriest at FTB.COM Mon Jul 24 10:13:42 2000
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Mon, 24 Jul 2000 09:13:42 -0500
Subject: How do I verify that IPSec is actually functioning
Message-ID:

Use tcpdump or some other sniffer and check for Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols. That works for me.

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com

Disclaimer:
The views expressed in this message, while not necessarily the views of First Tennessee, are none-the-less confidential and not to be freely distributed to external sources without explicit permission from the sender of this message or from First Tennessee National Corporation.

"I have never let my schooling interfere with my education."
- Mark Twain

-----Original Message-----
From: Milton Caines [mailto:mcaines at TRUEWORLDGROUP.COM]
Sent: Saturday, July 22, 2000 10:11 AM
To: VPN at SECURITYFOCUS.COM
Subject: How do I verify that Ipsec is actually functioning

After I have established a connection between two OpenBSD on different networks using ipsec, how do I verify that ipsec is actually active between these two machines
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20000724/0396c975/attachment.htm

From carlsonmail at YAHOO.COM Tue Jul 25 09:00:35 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Tue, 25 Jul 2000 06:00:35 -0700
Subject: How do I verify that IPSec is actually functioning
Message-ID: <20000725130035.17653.qmail@web2306.mail.yahoo.com>

This brings up a very good point about encryption: how do you know it's really being done?
Just because tcpdump shows that IPSec protocols are being used, i.e. AH and ESP, that doesn't mean that it's encrypted!

Most IPSec systems can use ESP-null, meaning no encryption. Also, most IPSec systems can compress the data prior to encrypting it. If you do a packet trace, you may see unencrypted, but compressed, data and assume that it's secure!

You know, I could probably set up a GRE tunnel using ROT13 as an encryption algorithm and most people sniffing the wire would think that it's encrypted!!

Question to all: what's really required to make an IPSec testing program?

Is it possible to use some type of testing tool to encrypt a set of known values, like "The quick brown fox jumped over the lazy dog" using a pair of manual IPSec keys, and then pass the same string and IPSec manual keys in your IPSec devices and packet sniff for the encrypted data. Shouldn't the encrypted strings of the testing system match the IPSec devices?

Thoughts?

Chris
--

--- "DePriest, Jason R." wrote:
> Use tcpdump or some other sniffer and check for
> Authentication Header (AH)
> or Encapsulating Security Payload (ESP) protocols.
> That works for me.
>
> Thank you!
>
> Jason R DePriest, Network and Systems Administrator
> First Tennessee National Corporation
> InterActive Services Department
> ph: 901/523-5777, fax: 901/523-5527
> email: jrdepriest at ftb.com
>
> Disclaimer:
> The views expressed in this message, while not
> necessarily the views of
> First Tennessee, are none-the-less confidential and
> not to be freely
> distributed to external sources without explicit
> permission from the sender
> of this message or from First Tennessee National
> Corporation.
>
> "I have never let my schooling interfere with my
> education."
> - Mark Twain
>
> -----Original Message-----
> From: Milton Caines
> [mailto:mcaines at TRUEWORLDGROUP.COM]
> Sent: Saturday, July 22, 2000 10:11 AM
> To: VPN at SECURITYFOCUS.COM
> Subject: How do I verify that Ipsec is actually
> functioning
>
> After I have established a connection between two
> OpenBSD on different
> networks using ipsec, how do I verify that ipsec is
> actually active between
> these two machines

From tbird at PRECISION-GUESSWORK.COM Tue Jul 25 10:21:35 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Tue, 25 Jul 2000 09:21:35 -0500
Subject: The result of IKE bake-off at Yokohama in Japan. (fwd)
Message-ID:

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Tue, 25 Jul 2000 21:43:02 +0900
From: Shoichi 'Ne' Sakane
To: ipsec at lists.tislabs.com
Subject: The result of IKE bake-off at Yokohama in Japan.

We held a small interoperability test for IKE at Yokohama in Japan, 4 days from 14th July. There were 11 implementations. 4 of them could talk IKE over IPv6. Here is the result.

http://www.tanu.org/~sakane/doc/public/report-ike-interop0007.html

Thank you.

/Shoichi `NE' Sakane @ KAME project/

From sandy at STORM.CA Tue Jul 25 12:29:43 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Tue, 25 Jul 2000 12:29:43 -0400
Subject: How do I verify that IPSec is actually functioning
References: <20000725130035.17653.qmail@web2306.mail.yahoo.com>
Message-ID: <397DC077.C8965C9D@storm.ca>

Chris Carlson wrote:
>
> This brings up a very good point about encryption: how
> do you know it's really being done?
>
> Just because tcpdump shows that IPSec protocols are
> being used, i.e.
> AH and ESP, that doesn't mean that
> it's encrypted!
>
> Most IPSec systems can use ESP-null, meaning no
> encryption. Also, most IPSec systems can compress the
> data prior to encrypting it. If you do a packet
> trace, you may see unencrypted, but compressed, data
> and assume that it's secure!
>
> You know, I could probably set up a GRE tunnel using
> ROT13 as an encryption algorithm and most people
> sniffing the wire would think that it's encrypted!!
>
> Question to all: what's really required to make an
> IPSec testing program?
>
> Is it possible to use some type of testing tool to
> encrypt a set of known values, like "The quick brown
> fox jumped over the lazy dog" using a pair of manual
> IPSec keys, and then pass the same string and IPSec
> manual keys in your IPSec devices and packet sniff for
> the encrypted data. Shouldn't the encrypted strings
> of the testing system match the IPSec devices.
>

There was a long thread on this issue, with the subject "Proof of encryption", on the Linux FreeS/WAN list recently. You could read it in one of that list's archives:

http://www.sandelman.ottawa.on.ca/linux-ipsec/
http://www.nexial.com/mailinglists/

The same type of tool you propose was suggested in that thread. Here is one of my messages from that thread, arguing that the tool is not a good idea:

Sandy Harris wrote:
>
> "Brian J. Murrell" writes:
>
> | from the quill of Henry Spencer
> |
> |> Somebody who's concerned enough to want to be *that* sure probably
> |> wants to get the tool from an independent third party, not from the
> |> same people who built the IPsec package. Or they *should*, anyway!
> |
> | I don't think that is necessarily true. As long as they can audit the
> | tool (it should be fairly simple) and understand everything it is doing
> | it should be perfectly fine. Supplying the tool is only meant to be a
> | quicker means for somebody who could write the tool. If you can't write
> | the tool you need to hire somebody who could.
>
> This whole question depends on exactly what you want to prove.
>
> If all you want is to prove we're actually encrypting things -- to check
> your configuration, assuming our software behaves as designed and
> advertised -- then tcpdump on the encrypted tunnel is almost enough.
> If you see apparently random data, all is well.
>
> But it is not quite enough. There's a known bug that causes us to leak
> plaintext under some circumstances,

If you enable networking and packet forwarding before setting up IPSEC.

> so you also need to look at Denker's
> report on that (URL given earlier in this thread) and configure to avoid
> the glitch he describes.
>
> Of course this does not prove there are no other leaks or bugs, just that
> you've got the thing set up right and known problems handled.
>
> If you want to prove we're actually using a correct implementation of
> 3DES, the tool you describe might be relevant.
>
> There is, however, a far easier way. Test interoperation with other
> IPSEC versions, as many people have done. See compatibility.html for
> details. Given that we interoperate with another implementation, then
> either we're doing it right or we're both doing it wrong in the same
> way. Given that we interoperate with at least a half-dozen others,
> methinks the proposed tool is unnecessary.
>
> Interoperation tests by definition use third party code, so they are
> a better guarantee that we follow the RFCs than any test tool we might
> write. They are also far less work than writing your own tool, and
> they test more than just the 3DES implementation.
>
> If you want to prove the whole thing is secure, you have an exceedingly
> difficult problem. Minimal requirements include thorough audits of:
>
>   the IPSEC specs. (links.ipsec.html has some pointers)
>   our code. (Please let us know results.)
>   security on your gateways
>   your IPSEC policies and procedures
>
> I'm not sure what else you need, but I suspect there's quite a lot.
>
> For an interesting look at the problem of trusting software, see
> Ken Thompson's classic paper: http://www.acm.org/classics/sep95/

From sbest at ECHOGENT.COM Tue Jul 25 12:49:55 2000
From: sbest at ECHOGENT.COM (S.C.Best)
Date: Tue, 25 Jul 2000 09:49:55 -0700
Subject: How do I verify that IPSec is actually functioning
In-Reply-To: <20000725130035.17653.qmail@web2306.mail.yahoo.com>
Message-ID:

Chris:

> This brings up a very good point about encryption: how
> do you know it's really being done?

Ah, weird action at a distance. :) This thread recently surfaced on the FreeSWAN IPSec mailing list. An IPSec implementer was "asked by his boss" to prove to him that FreeSWAN was actually encrypting the traffic. After a dozen or so messages discussing all sides of this, the original author came back to inform us that he simply showed the discussion thread to his boss, and that turned out to be proof enough. :)

But I digress...

> Is it possible to use some type of testing tool to
> encrypt a set of known values, like "The quick brown
> fox jumped over the lazy dog" using a pair of manual
> IPSec keys, and then pass the same string and IPSec
> manual keys in your IPSec devices and packet sniff for
> the encrypted data. Shouldn't the encrypted strings
> of the testing system match the IPSec devices.

Yes. This is similar in nature to something I naively suggested on the FreeSWAN list. Caveat emptor: it's hardly a rigorous proof that the IPSec tunnel is *always* encrypting the traffic. I cannot prove that it's never sending cleartext (though I'm not often expected to prove negatives, except during job interview situations).

My suggestion was to force a known-hex pattern into the IPSec tunnel entrance (ie, "ping -l feedfacedeadbeef ") and then use tcpdump to capture the ciphertext of that.
Presuming that you have root control over both ends of the tunnel, it'd be trivial to lift both the encryption method *and* the session key associated with that ciphertext. Take those four pieces to an "off the shelf" encryption package, like OpenSSL, and after noodling with the packet delineation challenges, you *should* be able to extract the deadbeef.

I think it would be quite valuable to have a "sanity checker" written by someone not associated with the coding team. I hope this suggestion helps in that regard.

cheers,
Scott

From jrdepriest at FTB.COM Tue Jul 25 17:55:14 2000
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Tue, 25 Jul 2000 16:55:14 -0500
Subject: AXENT's PowerVPN 6.5 with RaptorMobile
Message-ID:

Hello,

We are currently in the implementation stage of using PowerVPN. If anyone else is using this product and has extensive administrator experience in using it, I have some specific questions that should be easily answerable.

The main issues I have are with getting SRL (Secure Remote Login, telnet) access to work, and with modifying the vulture.runtime file to have services other than the default ones allowed.

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com

"I have never let my schooling interfere with my education."
- Mark Twain

From sarmstrong at KOLA.NET Tue Jul 25 18:38:44 2000
From: sarmstrong at KOLA.NET (Scott Armstrong)
Date: Tue, 25 Jul 2000 15:38:44 -0700
Subject: VPN between Firewall-1 and Sonicwall
References:
Message-ID: <397E16F4.B6EB9ABC@kola.net>

Fredy,

Couldn't tell from your e-mail, but did you get a chance to look at the Sonicwall documentation? It's at:

http://www.sonicwall.com/vpn/vpn_documentation.html

Just select the "SonicWALL VPN to Check Point VPN Interoperability Tech Note" link. I talked to them one time to try and figure out which devices the notes applied to and I never got a definitive answer. From talking to them, I got the impression that it works only with a Sonicwall Pro.

Scott

Fredy Santana wrote:
> Hi:
>
> Has anyone made a VPN between a Firewall-1 v 4.1 and Sonicwall? I'm trying
> but it doesn't work.
>
> Regards
> Fredy R. Santana V.
> Electrical Civil Engineer
> Orion 2000 - Servicios Profesionales en Seguridad Informática
> La Concepcion 322 piso 12, Providencia.
> Phone: 6403944 - fredy at orion.cl

From AdamZ at ECONET.COM Tue Jul 25 19:33:44 2000
From: AdamZ at ECONET.COM (Adam Zimmerer)
Date: Tue, 25 Jul 2000 18:33:44 -0500
Subject: VPN between Firewall-1 and Sonicwall
Message-ID: <612DB121BCFED31194F300C0F02BFF74041C5C@ENET_EXCHANGE>

Any SonicWALL with a VPN upgrade will VPN into a CheckPoint FW with VPN. There is no difference in the VPN firmware between models and I have sold the SonicWALL Telecommuter to a client who uses them for just such an application. There can be an issue with the SPI length and the CheckPoint's firewall rules.

Sincerely,
Adam P.
Zimmerer
Economic Networks

From tbird at PRECISION-GUESSWORK.COM Wed Jul 26 11:29:40 2000
From: tbird at PRECISION-GUESSWORK.COM (Tina Bird)
Date: Wed, 26 Jul 2000 10:29:40 -0500
Subject: Comments regarding IPsec NAT traversal / new proposal (fwd)
Message-ID:

Hi all -- I'm not sure how many of you also subscribe to the IPsec mailing list. It's much more focussed on standards development and such than on the implementation topics we tend to concentrate on. However, if you are interested in the further evolution of IPsec, you may want to start tracking this thread, which is a discussion of encapsulating IPsec over TCP or UDP, to gain NAT compatibility.
cheers -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Wed, 26 Jul 2000 16:03:27 +0300
From: Ari Huttunen
To: ipsec-list
Subject: Comments regarding IPsec NAT traversal / new proposal

This mail applies partly to both of these drafts:

  draft-aboba-nat-ipsec-02.txt
  draft-stenberg-ipsec-nat-traversal-00.txt

We believe that using UDP encapsulation is the correct way to traverse NATs, at least in the short term. We also intend to produce an internet draft about this; however, it didn't materialize before the Pittsburgh meeting.

The current proposals are unnecessarily complex, and I'd like some discussion about these issues, to judge if this is indeed the case.

ASSUMPTION: There is no *need* to enable AH traffic to traverse through a NAT. ESP is sufficient to provide encryption and/or authentication.

By accepting this assumption, the solution can be made less complex. It has been argued that in some rare cases AH is necessary to protect the IP header. If this is so, I argue that there is no need to make this pass through a NAT as well. Thus, we can use the following encapsulation, which is less complex and has less overhead than either of the referred drafts has, i.e. 8 octets.

Transport mode:

         ---------------------------------------------------------
   IPv4  |orig IP hdr  | UDP | ESP |              | ESP     | ESP|
         |(any options)| Hdr | Hdr | Payload Data | Trailer |Auth|
         ---------------------------------------------------------

ASSUMPTION: We do *not* wish to use the same UDP port for both IKE and IPsec traffic encapsulated in UDP. This is because we'd lose the possibility to filter these traffic types separately in a firewall. For this purpose we've reserved the port 2797 from IANA.

As draft-stenberg-ipsec-nat-traversal-00.txt mentions, there is a potential need for a keepalive to ensure NAT tables remain up-to-date.
Because our proposal uses a different port than IKE, there is a need for a keepalive that sends packets along the ESPoverUDP path. This can be achieved for instance by sending empty UDP packets (i.e. without ESP contents). (Assuming the general IPsec keepalive is along the IKE SA and can't be used.)

In particular, the method of negotiating and setting up UDP encapsulation as defined in draft-stenberg-ipsec-nat-traversal-00.txt is too complex. We propose the following mechanism for discussion:

1) IKE phase 1 is not modified.

2) IKE phase 2 adds a new protocol ID,

     Protocol ID                 Value
     -----------                 -----
     RESERVED                    0
     PROTO_ISAKMP                1
     PROTO_IPSEC_AH              2
     PROTO_IPSEC_ESP             3
     PROTO_IPCOMP                4
     PROTO_IPSEC_ESP_OVER_UDP    X

This is used to send proposals for plain IPsec as well as ESPoverUDP during the QM. As usual, the responder may use any proposal it wishes. The proposal shall contain parameters that say which src/dst port/addresses were used by the initiator when sending the IKE packet. If these differ from those observed by the responder, there is a NAT acting between them, and the responder SHOULD choose the ESP over UDP proposal.

Unlike draft-stenberg-ipsec-nat-traversal-00.txt, this method does not leak information regarding the internal structure of the network, because QM messages are encrypted.

We don't have patent applications regarding this, but I have no way of knowing whether SSH has tried to patent some of it.
--
Ari Huttunen                  phone: +358 9 859 900
Senior Software Engineer      fax  : +358 9 8599 0452
F-Secure Corporation          http://www.F-Secure.com

F-Secure products: Integrated Solutions for Enterprise Security

From thepicard at HOME.COM Wed Jul 26 01:09:55 2000
From: thepicard at HOME.COM (The Picard)
Date: Wed, 26 Jul 2000 01:09:55 -0400
Subject: [slightly off-topic] SSL accelerators
In-Reply-To: <3.0.3.32.20000724181252.01feb340@pop3.indusriver.com>
Message-ID: <000201bff6bf$bdb7f7c0$dd5d7218@etob1.on.wave.home.com>

Hello all,

Can anyone comment on experiences with the hardware SSL accelerators on the market? I looked at the specs for the following products (the list is in no particular order):

  Intel's NetStructure
  Rainbow's Cryptoswift
  nCipher's nFast
  F5's BigIP SSL accelerators

However, real world experiences are worth their weight in gold :-) Any feedback is appreciated.

The target usage would be a smaller site (hosted on 1-2 IIS servers) having entire sections encrypted. At peak times, several hundred users are expected to be logged on (which doesn't mean they keep making transactions, though).

Thank you.

From philipp at BUEHLER.DE Wed Jul 26 07:59:52 2000
From: philipp at BUEHLER.DE (Philipp Buehler)
Date: Wed, 26 Jul 2000 13:59:52 +0200
Subject: OpenBSD Fwd:[ isakmpd INVALID_PAYLOAD_TYPE]
Message-ID: <20000726135952.A17428@pohl.fips.de>

----- Forwarded message from Philipp Buehler -----

> Hello,
>
> I am testing on a little VPN, and have set up 2 2.7-Boxes.
> isakmpd.conf like in 'man vpn'. Starting in Debug is
> very messy [where are the classes documented?].
> While running I can see the IPsec entry in 'route -n show'
> but no packets can traverse and I can see:
>
> isakmpd: message_parse_payloads: invalid next payload type 180 in
> payload of type 8
> isakmpd: dropped message from 192.168.1.1 port 500 due to notification
> type INVALID_PAYLOAD_TYPE
>
> There is no ipf running, well, yes, but with accept all for now.
>
> Where to dig deeper?

----- End forwarded message -----

--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH |
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From dcroxford at TICKETS.COM Wed Jul 26 12:24:05 2000
From: dcroxford at TICKETS.COM (David Croxford)
Date: Wed, 26 Jul 2000 11:24:05 -0500
Subject: port security
Message-ID:

Our office is temporarily without a system administrator, and since I'm the closest thing to one that we have... I've been elected to take care of things for the time being. Anyways, a question about VPN and port security. When someone sets up a VPN client at home and is using a firewall there, is there a specific port that VPN runs on with Windows 98 that needs to be opened up?

The problem is, one of our support people has a cable modem and is trying to connect; he initiates the connection and it times out. Since I can connect from home the same way, I'm assuming it's something with his firewall... being able to get out of his firewall, but nothing getting back in. So, if there's a specific port that VPN runs on... then he could just open his firewall for that port and our VPN IP address. Any help would be appreciated!!
David Croxford
Prologue Quality Assurance
QA Analyst - Tickets.com
608-236-1017
dcroxford at tickets.com

From rjn at US.RADGUARD.COM Wed Jul 26 13:34:06 2000
From: rjn at US.RADGUARD.COM (Ran Nahmias)
Date: Wed, 26 Jul 2000 10:34:06 -0700
Subject: port security
In-Reply-To:
Message-ID:

David,

Different VPNs use different ports. The traditional protocols used for IPSec are 50 and 51 and UDP port 500. Many manufacturers (like us) have additional proprietary protocols for their devices/clients/software. There is also a significant problem with cable modems and routers doing PPPoE (most IPSec appliances are not capable of handling it without expert fine tuning).

I know it doesn't solve the problem but now you know you need professional advice :-)

Ran
From jrdepriest at FTB.COM Wed Jul 26 13:58:22 2000
From: jrdepriest at FTB.COM (DePriest, Jason R.)
Date: Wed, 26 Jul 2000 12:58:22 -0500
Subject: port security
Message-ID:

I imagine it depends on the VPN product being used. For PowerVPN, I was given the following requirements for ports that had to be open:

  TCP Port 420 (SMTP?)
  UDP Port 500 (ISAKMP - Internet Security Association and Key Management Protocol)
  IP protocol 94 (IPIP - IP Encapsulation within IP)
  IP protocol 50 (ESP - Encapsulated Security Payload)
  IP protocol 51 (AH - Authentication Header)

I hope this at least gives you a place to start.

Thank you!

Jason R DePriest, Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5527
email: jrdepriest at ftb.com
From jdell at TELEPLACE.COM Wed Jul 26 14:03:51 2000
From: jdell at TELEPLACE.COM (Jeffrey Dell)
Date: Wed, 26 Jul 2000 14:03:51 -0400
Subject: IPSec with PIX and Win2k
Message-ID: <92396D1409810F4193CE62753E99EBEF082A5D@tphqexch01.Teleplace.com>

Has anyone gotten IPSec to work with a PIX and Windows 2k? I have tried many different configurations but nothing works. During the isakmp process the PIX wants to use RSA for authentication but I have set up pre-shared keys. Here is a piece that was taken from the Cisco reference that I have also used for testing purposes. I would think that it would use pre-shared keys for authentication. But when I look at the debug logging, I see that it is using RSA for authentication instead of pre-shared. Has anyone else had this problem?

Thanks in advance,
Jeff

Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

From smorison at TEXT100.COM.AU Wed Jul 26 16:48:48 2000
From: smorison at TEXT100.COM.AU (Stephen Morison (TEXT100 AU))
Date: Thu, 27 Jul 2000 06:48:48 +1000
Subject: port security
Message-ID:

I have found here (in Australia) that cable providers use heartbeat packets to see if the computer is still online/responding. If the packet is not returned within X number of minutes the connection is terminated. Personal firewalls shouldn't have a problem as the connection is started from the secure side of the firewall.

Regards
Stephen
From sbest at BEST.COM Wed Jul 26 17:28:54 2000
From: sbest at BEST.COM (Scott Best)
Date: Wed, 26 Jul 2000 14:28:54 -0700
Subject: Any experience with Openreach?
Message-ID:

Am curious if anyone's had any experience with Openreach's (www.openreach.com) VPN product? Saw their press release yesterday, and I tried to download their "open source IPSec" solution, and (once I got a machine running with the (grrr) required IE5) I couldn't seem to find *where* on their website the downloads are. I think it's behind a login/password region, but then I couldn't find how to register for a login... It *sounds* like FreeSWAN fit into an LRP distribution... but I'd like to know for sure.

Thanks in advance!
-Scott

From Joe.M.Hoffman at MAIL.SPRINT.COM Wed Jul 26 17:53:21 2000
From: Joe.M.Hoffman at MAIL.SPRINT.COM (Joe M Hoffman)
Date: Wed, 26 Jul 2000 16:53:21 -0500
Subject: comparison of Check Point Secure Remote VPN and Nortels VPN Client
Message-ID:

Has anyone done a comparison of Check Point Secure Remote/Secure Client and Nortel's VPN client? If so, would it be possible for you to point me to or send me the information please.

Thanks,

Joseph M. Hoffman, CCSA, CCSE, B.A.
Network Security Engineer III
Sprint Corporate Security
(913)624-2535
1-800-724-3329 pin 3834675
mail stop: KSWESA0116

From priyank at COLLEGECLUB.COM Wed Jul 26 19:46:19 2000
From: priyank at COLLEGECLUB.COM (priyank at COLLEGECLUB.COM)
Date: Wed, 26 Jul 2000 23:46:19 -0000
Subject: VPN Problem, NEED HELP
Message-ID: <20000726234619.17469.qmail@securityfocus.com>

Need some help regarding VPN. I have a VPN setup between two sites. Site B connects to Site A through VPN (SKIP IPsec), and then can go to the internet. All works fine.
Except for some sites, e.g. www.fbi.gov.

Can someone help regarding this matter?

Thanks

From MuniX-1 at PACBELL.NET Wed Jul 26 19:55:19 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 26 Jul 2000 16:55:19 -0700
Subject: [slightly off-topic] SSL accelerators
References: <000201bff6bf$bdb7f7c0$dd5d7218@etob1.on.wave.home.com>
Message-ID: <397F7A67.2DEB7A17@pacbell.net>

The Picard wrote:
>
> Hello all,
>
> Can anyone comment on experiences with the hardware SSL accelerators on the
> market? I looked at the specs for the following products (the list is in no
> particular order):
>

Hello there;

Well, I have used the Intel Ipivots that are the same as the NetStructure, and have the Rainbow ASICs on them. I like the Ipivots; however, if you want to do Server Load Balancing with another appliance it can be very problematic because then your SLB appliance will have health checks that are not true. Another issue is that the device [IPivot] is a L2 device and does not have an IP address, therefore you can't monitor it :-[

Rainbow's are the way to go, I will say.. Also have to take into consideration the feature set that you want. Like back end SLB, outbound NAT, and several other possible combinations.

Hope this helps!

Jose Muniz.

> Intel's NetStructure
> Rainbow's Cryptoswift
> nCipher's nFast
> F5's BigIP SSL accelerators
>
> However, real world experiences are worth their weight in gold :-) Any feedback is
> appreciated.
>
> The target usage would be a smaller site (hosted on 1-2 IIS servers) having
> entire sections encrypted. At peak times, several hundred users are
> expected to be logged on (which doesn't mean they keep making transactions,
> though).
>
> Thank you.
From MuniX-1 at PACBELL.NET Wed Jul 26 19:59:20 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 26 Jul 2000 16:59:20 -0700
Subject: port security
References:
Message-ID: <397F7B58.D493FF5F@pacbell.net>

If it is IPSec:

  IKE  udp 500
  ESP  IP protocol 50
  AH   IP protocol 51

If it is not IPSec then deploy IPSec before the Sys Admin comes back from his vacation...

Jose Muniz

From MuniX-1 at PACBELL.NET Wed Jul 26 19:56:35 2000
From: MuniX-1 at PACBELL.NET (Jose Muniz)
Date: Wed, 26 Jul 2000 16:56:35 -0700
Subject: OpenBSD Fwd:[ isakmpd INVALID_PAYLOAD_TYPE]
References: <20000726135952.A17428@pohl.fips.de>
Message-ID: <397F7AB3.DB35789E@pacbell.net>

Fragmentation problem..
Jose Muniz

Philipp Buehler wrote:
>
> ----- Forwarded message from Philipp Buehler -----
>
> > Hello,
> >
> > I am testing on a little VPN, and have set up 2 2.7-Boxes.
> > isakmpd.conf like in 'man vpn'. Starting in Debug is
> > very messy [where are the classes documented?].
> > While running I can see the IPsec entry in 'route -n show'
> > but no packets can traverse and I can see:
> >
> > isakmpd: message_parse_payloads: invalid next payload type 180 in
> > payload of type 8
> > isakmpd: dropped message from 192.168.1.1 port 500 due to notification
> > type INVALID_PAYLOAD_TYPE
> >
> > There is no ipf running, well, yes, but with accept all for now.
> >
> > Where to dig deeper?
> >
> > ----- End forwarded message -----
> --
> Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH |
>
> %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
> Artificial Intelligence stands no chance against Natural Stupidity.

From rfrancis at MINDSPRING.COM Wed Jul 26 21:57:13 2000
From: rfrancis at MINDSPRING.COM (Rick Francis)
Date: Wed, 26 Jul 2000 20:57:13 -0500
Subject: m$ vpn solution
Message-ID: <019a01bff76d$fca6d0b0$4fa9aec7@mindspring.com>

i'm looking for comments, leads, references regarding m$ 2000 vpn solution. any takers?

From rfrancis at MINDSPRING.COM Wed Jul 26 22:53:27 2000
From: rfrancis at MINDSPRING.COM (Rick Francis)
Date: Wed, 26 Jul 2000 21:53:27 -0500
Subject: udp vpn support
Message-ID: <034901bff775$dd1c0aa0$4fa9aec7@mindspring.com>

which vpn solutions support udp, and why is obscure for today? thank you.

From sandy at STORM.CA Thu Jul 27 09:56:42 2000
From: sandy at STORM.CA (Sandy Harris)
Date: Thu, 27 Jul 2000 09:56:42 -0400
Subject: Any experience with Openreach?
Message-ID: <39803F9A.4F49C9A1@storm.ca>

Scott Best wrote:
>
> Am curious if anyone's had any experience with
> Openreach's (www.openreach.com) VPN product?
...
> It *sounds* like FreeSWAN fit into an LRP
> distribution...but I'd like to know for sure.

If you find out, please let me know. I write the FreeS/WAN docs and have a list of people doing that type of thing. They aren't (yet?) on it.

My current list of firewall/vpn products using FreeS/WAN is:

http://www.lasat.com
http://www.rebel.com/solutions/smb/rn-what.html
http://www.linuxmagic.com/vpn/index.html

From lists at FIPS.DE Thu Jul 27 07:36:43 2000
From: lists at FIPS.DE (Philipp Buehler)
Date: Thu, 27 Jul 2000 13:36:43 +0200
Subject: OpenBSD Fwd:[ isakmpd INVALID_PAYLOAD_TYPE]
In-Reply-To: <397F7AB3.DB35789E@pacbell.net>; "Jose Muniz" on 27.07.2000 @ 01:56:35 METDST
References: <20000726135952.A17428@pohl.fips.de> <397F7AB3.DB35789E@pacbell.net>
Message-ID: <20000727133643.A22888@pohl.fips.de>

Jose Muniz wrote To Philipp Buehler:
> Fragmentation problem..

Uhm, the boxes are on the same Ethernet Segment :]

ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH |

%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.

From cindy_slosar at YAHOO.CA Thu Jul 27 14:27:45 2000
From: cindy_slosar at YAHOO.CA (Cindy Slosar)
Date: Thu, 27 Jul 2000 14:27:45 -0400
Subject: Firewall software
Message-ID: <20000727182745.25978.qmail@web1504.mail.yahoo.com>

Hi all,

I have a VPN setup using two Win2K Server computers. Can anyone recommend compatible firewall software that would be installed on each Win2K Server machine and that is reasonably priced?

Thanks in advance,
Cindy
From juan-jim at UNIANDES.EDU.CO Thu Jul 27 11:54:22 2000
From: juan-jim at UNIANDES.EDU.CO (Juan Diego Jimenez Leon)
Date: Thu, 27 Jul 2000 10:54:22 -0500
Subject: about better network's perfomance using encryption
Message-ID: <39805B2E.ADA86228@uniandes.edu.co>

In T1 (1.544 Mb/seg) networks or higher, working with packets of 64 bytes there is a big problem with their loss. I've heard about a protocol L2Z for compressing before encrypting; I would like to know if somebody knows about another possibility for solving this problem and where I can get information about this.

I'm interested too in information about better network performance using encryption.

Thanks!!

From sthota at BITMOTEL.COM Fri Jul 28 10:00:51 2000
From: sthota at BITMOTEL.COM (Seshu)
Date: Fri, 28 Jul 2000 10:00:51 -0400
Subject: SSl session
Message-ID: <39819213.F272B7C2@bitmotel.com>

Hi All,

I have a basic question. Are there other means than using certificates for establishing an SSL session between web server and web browser? I believe there is none. Can some one pl. clarify?

Seshu

From jason.zann at MARYVILLE.COM Fri Jul 28 12:41:01 2000
From: jason.zann at MARYVILLE.COM (Jason Zann)
Date: Fri, 28 Jul 2000 11:41:01 -0500
Subject: about better network's perfomance using encryption

I have run into this issue before and I have found an alternative that is a little bit 'out of the box'. There is a company by the name of Kovertsoft (http://www.kovertsoft.com) that offers a proprietary way of data transfer over a technology called 'smart pipes'. Their play offers very high speeds at a very low price. With their method of data transfer, there is an inherent method of security that occurs... very similar to phasing in the satellite world.
I can see this as a very good alternative if you have a lot of data that needs to be transferred between two points that you control, but not exactly beneficial to very open standard environments (i.e. internet based encryption needs).

From evyncke at CISCO.COM Sun Jul 30 03:11:25 2000
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Sun, 30 Jul 2000 09:11:25 +0200
Subject: about better network's perfomance using encryption
In-Reply-To: <39805B2E.ADA86228@uniandes.edu.co>
Message-ID: <4.2.0.58.20000730090832.00a53870@brussels.cisco.com>

There is indeed a protocol called IP Payload Compression Protocol that can compress a layer 3 payload before encryption. It is even being implemented ;-)

BUT:
1) small packets of 64 bytes are too small to be compressed
2) as the compression dictionary is per packet (an important fact when comparing to layer 1/2 compressions like MNP.5, STAC, ...) the compression ratio is rather small (I have heard figures around 1.3-1.5 ratio)
3) compression also requires a big amount of CPU...

Just my 0.01 EUR

-eric

At 10:54 27/07/2000 -0500, Juan Diego Jimenez Leon wrote:
>In T1 (1.544 Mb/seg )networks or highers working with packets of 64
>bytes there is a big problem with their lost.
>I've listened about a
>protocol L2Z for compressing before encrypting, i would like to know if
>somebody knows about another possibility for solving this problem and
>where i can get information about this.
>
>I'm interested too in information about better network's perfomance
>using encryption.
>
>Thanks!!

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From evyncke at CISCO.COM Sun Jul 30 14:30:08 2000
From: evyncke at CISCO.COM (Eric Vyncke)
Date: Sun, 30 Jul 2000 20:30:08 +0200
Subject: IPSec with PIX and Win2k
In-Reply-To: <92396D1409810F4193CE62753E99EBEF082A5D@tphqexch01.Teleplace.com>
Message-ID: <4.2.0.58.20000730202651.00a285c0@brussels.cisco.com>

Jeffrey,

AFAIK, Win2K is using per default IPSec in transport mode with L2TP. PIX is only IPSec tunnel mode. So, there is probably a mismatch here...

Else, I'm quite confident that the PIX will propose and accept a pre-shared key with your configuration. I've done it a couple of times.

Just my 0.01 EUR

-eric

At 14:03 26/07/2000 -0400, Jeffrey Dell wrote:
>Has anyone gotten IPSec to work with a PIX and windows 2k? I have tried many
>different configurations but nothing works. During the isakmp process the
>pix wants to use RSA for authentication but I have setup pre-shared keys.
>Here is a piece that was taken from the Cisco reference that I have also
>used for testing purposes. I would think that it would use pre-shared keys
>for authentication. But when I look at the debug logging, I see that it is
>using RSA for authentication instead of pre-shared. Has anyone else had this
>problem? Thanks in advance,
>
>Jeff
>
>Protection suite of priority 20
>        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
>        hash algorithm: Message Digest 5
>        authentication method: Pre-Shared Key
>        Diffie-Hellman group: #1 (768 bit)
>        lifetime: 86400 seconds, no volume limit
>Default protection suite
>        encryption algorithm: DES - Data Encryption Standard (56 bit keys).
>        hash algorithm: Secure Hash Standard
>        authentication method: Rivest-Shamir-Adleman Signature
>        Diffie-Hellman group: #1 (768 bit)
>        lifetime: 86400 seconds, no volume limit

Eric Vyncke
Senior Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke at cisco.com
Mobile: +32-75-312.458

From carlsonmail at YAHOO.COM Fri Jul 28 09:47:26 2000
From: carlsonmail at YAHOO.COM (Chris Carlson)
Date: Fri, 28 Jul 2000 06:47:26 -0700
Subject: comparison of Check Point Secure Remote VPN and Nortels VPN Client
Message-ID: <20000728134726.29103.qmail@web2304.mail.yahoo.com>

I'd expect that there'll always be religious arguments on what software is better than another. That being said, here's my two cents...

The Nortel VPN client (I assume you mean Contivity) and Check Point have much overlap, but have enough differences to warrant discussion.

Check Point's SecuRemote is part of their overall Secure Virtual Network (SVN) concept, where multiple firewalls, client authentication, host-level authentication/firewall/encryption, VPNs, policy management, DHCP, and DHCP-to-PDC authentication all tie up into a single, unified platform. Quite a big task, and not without risk.

The SecuRemote client itself, I believe, isn't particularly flexible. It performs based on how Check Point thinks remote users should behave. For example, every client always does split-tunnelling (corporate traffic goes down the tunnel while Internet traffic goes out directly to the Internet) with no option to turn it off. That means that if you have a network on your internal net that is the same as on the Internet, it'll break.
Also, if you don't correctly configure all the multiple nets you may have behind your firewall, the user won't be able to tunnel there. One customer of mine had 45 different subnets because of all the acquisitions they did. Imagine trying to *manually* keep track of those nets while setting up Check Point's encryption domain.

Something else, Check Point can't push down internal DNS or WINS information from the server to the client. That means that you have to manually enter this information into the dial-up adapter of *every* user you have, and you better pray that you don't change it later on.

Those are the two biggest gotchas I found. On the plus side, Check Point has a version of SecuRemote called SecureClient that has a built-in, server-controlled firewall on the client machine. This is very useful for your users that have DSL or cable modems.

As for Nortel, it does do dedicated tunnelling (forcing all traffic down the tunnel) or split-tunnelling (but it's a little kludgy), and supports server-side configuration of DNS and WINS (in addition to IP address, subnet, DNS subdomain, and DNS search path) to the client, all managed in an LDAP directory. It seamlessly ties into RADIUS and LDAP and has an easily customizable, pre-configured client, perfect for large corporate deployments.

However, the Nortel Contivity product is ONLY a VPN device. Though you can install Check Point on it (?!), the Nortel VPN doesn't integrate with the Check Point FireWall-1 module. If you want a dedicated VPN box, then I'd recommend Nortel.

If you want a Firewall/VPN architecture, then I'd recommend you keep looking. While Check Point has an all-in-one deployment, there's enough gotchas to make deploying a huge number of clients a management nightmare down the road... unless they radically change how they're doing things.

A number of my clients have a hybrid deployment; they picked the best firewall platform and the best VPN platform for their needs.
If it wasn't the same, that's fine, unless your driving factor is a unified security architecture. I believe that it's painless enough to integrate best-of-breed products together for a good enough overall solution, while really excelling at those points that matter: remote user VPNs, application-level authentication, etc.

I'd heartily recommend an in-depth field trial before you deploy any VPN solution. It's only after you have your installed base up and working that you realize that there could be something majorly wrong. And with any VPN client deployment, once you have tens, hundreds, or thousands of clients out in the field, it'll be next to impossible to change or upgrade them.

Good luck!
Chris
--

--- Joe M Hoffman wrote:
> Has anyone done a comparison of Check Point Secure
> Remote/Secure Client
> and
> Nortels VPN client ? If so would it be possible for
> you to point me to
> or send me the
> information please.
>
> Thanks,
>
> Joseph M. Hoffman, CCSA, CCSE, B.A.
> Network Security Engineer III
> Sprint Corporate Security
> (913)624-2535
> 1-800-724-3329 pin 3834675
> mail stop: KSWESA0116

From mark at MOTLEYNET.COM Sat Jul 29 23:35:31 2000
From: mark at MOTLEYNET.COM (Mark Motley)
Date: Sat, 29 Jul 2000 20:35:31 -0700
Subject: FW-1, StoneBeat FullCluster, and IPSec

Hi all,

Has anybody done network-to-network VPNs under the following conditions?

Left side:
- CheckPoint Firewall-1 4.1 SP1
- Stonebeat Full Cluster 2.0
- Solaris 7

Right side:
- Cisco 3620 router running IOS 12.0(7)T 3DES

The IOS piece is under control, since it works like a champ to a Nortel Contivity by merely changing the peer statement in the crypto map. I think the main problem I'm having is with the StoneBeat FullCluster software. Both ISAKMP SAs and IPSec SAs are established, no problem.
When I send traffic across, I see a "decrypt" in the FW-1 logs, but I never see an "encrypt" going back. I've verified my inside routing (and even verified that traffic was getting to the firewall with a Sniffer). It's almost like the firewall is never seeing the return packet, since I get no log entries at all even when turning on long logging on all my rules.

At this point, I'm trying to get the VPN working from the router to one of the firewalls in the cluster (using its real address, not the FullCluster address). I'm doing this for both the outside (using the real address as my peer) and the inside (pointing my static route to the right-side subnet to the real address). I have added what I think are the appropriate "tunnel=" statements to my filter.conf, but the documentation is rather vague here.

Any ideas are appreciated...

- MBM

From lcramer at OPENREACH.COM Mon Jul 31 14:31:04 2000
From: lcramer at OPENREACH.COM (Lori Cramer)
Date: Mon, 31 Jul 2000 14:31:04 -0400
Subject: VPN Traffic Estimation

> Has anyone heard of a general guideline or tool which will help to estimate what
> percentage of your traffic will be VPN (assuming split-tunnelling is being
> used, whereas the remainder of the traffic would be clear-text Web access).

Thank you!
Lori

From rory.browne at TELLABS.COM Mon Jul 31 15:22:50 2000
From: rory.browne at TELLABS.COM (Rory Browne)
Date: Mon, 31 Jul 2000 20:22:50 +0100
Subject: Network-Based VPN Provisioning
Message-ID: <005c01bffb24$bba06a30$681e12ac@rorybrowne.tellabs.com>

Greetings!

Does anyone have a feel for the ease of IP VPN provisioning (and management, fault handling in general) available to Carriers? To me there are a few options: Nortels Shasta, Cosine, Lucent (Xedia + Springtide). I have also heard that Orchestream integrates with Cisco very well.
If anyone has experience of which of these really works, and which is hype, I'd be grateful for an opinion.

Rory

-----Original Message-----
From: sthota at BITMOTEL.COM
To: VPN at SECURITYFOCUS.COM
Date: 31 July 2000 20:15
Subject: SSl session

>Hi All,
>
>I have a basic question. Are there other means than using certificates
>for establishing SSL session between web server and web browser ? I
>believe there is none. Can some one pl. clarify?
>
>Seshu

From rory.browne at TELLABS.COM Mon Jul 31 18:51:29 2000
From: rory.browne at TELLABS.COM (Rory Browne)
Date: Mon, 31 Jul 2000 23:51:29 +0100
Subject: Network-Based VPN Provisioning
Message-ID: <004c01bffb41$de2a3fa0$641e12ac@rorybrowne.tellabs.com>

Thanks. That is a good site for security features across vendors, but it's a more global issue I'm interested in. I think the key topic of the whole IP VPN area (as far as Carriers are concerned) is ease of provisioning and management. That means time to market. Just wondered if people had good or bad experiences.

BR
Rory

-----Original Message-----
From: SJanita at netscreen.com
To: Rory.Browne at tellabs.com
Date: 31 July 2000 22:48
Subject: RE: Network-Based VPN Provisioning

Rory,

If you're looking for interoperability between VPN systems, goto:
http://www.icsa.net/html/communities/ipsec/certification/certified_products/index.shtml
which will give you a listing of ICSA certified systems and will also provide a compatibility matrix of products from different vendors.

Hope this helps.

-----Original Message-----
From: Rory Browne [mailto:rory.browne at TELLABS.COM]
Sent: Monday, July 31, 2000 12:23 PM
To: VPN at SECURITYFOCUS.COM
Subject: Network-Based VPN Provisioning

Greetings!

Does anyone have a feel for the ease of IP VPN provisioning (and management, fault handling in general) available to Carriers. To me there are a few options. Nortels Shasta, Cosine, Lucent (Xedia + Springtide).
I have also heard that Orchestream integrates with Cisco very well. If anyone has experience of which of these really works, and which is hype, I'd be grateful for an opinion.

Rory

From ray at UNIXPAC.COM.AU Mon Jul 31 18:59:08 2000
From: ray at UNIXPAC.COM.AU (Raymond Banfield)
Date: Tue, 1 Aug 2000 08:59:08 +1000
Subject: comparison of Check Point Secure Remote VPN and Nortels VPNClient
References: <20000728134726.29103.qmail@web2304.mail.yahoo.com>
Message-ID: <398604BC.8EE92C75@unixpac.com.au>

Have you considered looking at Raptor? It comes in a couple of flavours, to do with your Firewall/VPN needs. It can be a dedicated VPN Server (which is locked down for some firewall security) or it can be the firewall with the VPN integrated.

Raptor's Power VPN can be simple to install once you get used to it, and once you have done one install you can do many. There is a field to add what the DNS/WINS address will be to give to the remote client. You can also group more than one subnet into the rules, so if you need to add another subnet, you add it to the group and it is then in the rules already. Once a client is set up in a way you know works for the configuration you need, it is simple to replicate that for other users. The remote client also will lock down other protocols and activities if you wish.

Worth a look.

Ray

Chris Carlson wrote:
> I'd expect that they'll always be religious arguments
> on what software is better that another. That being
> said, here's my two cents...
>
> The Nortel VPN client (I assume you mean Contivity)
> and Check Point have much overlap, but have enough
> differences to warrant discussion.
--
Raymond Banfield
Unixpac Group of Companies
Level 3 / 339 Military Rd          email: ray at unixpac.com.au
Cremorne, N.S.W. 2090              Web: http://www.unixpac.com.au
Australia                          Web: http://www.best.net.au
Ph: + 61 2 9953 8366               Web: http://www.linuxplaza.com.au
Fax: + 61 2 9953 5875

From Michael.Medwid at ARIBA.COM Mon Jul 31 20:59:27 2000
From: Michael.Medwid at ARIBA.COM (Michael Medwid)
Date: Mon, 31 Jul 2000 17:59:27 -0700
Subject: 128 bit PPTP Encryption and NAT
Message-ID: <271DE2625FD4D311949B009027F43B9F01A9B7C1@us-mtvmail2.ariba.com>

Should there be any incompatibility between 128 bit PPTP encryption and users behind a NATted environment? My Altiga (Cisco 3030) seems to kick off the tunnels if they were originated from a NATted environment. Cisco TAC didn't have too much to say on the whole thing other than "uh yeah that won't work."

Thanks for any insight.

-Michael
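Jose Muniz's answer in the "port security" thread above (IKE on UDP 500, ESP as IP protocol 50, AH as IP protocol 51) is the whole reason a home firewall that only knows TCP/UDP port rules shows David's symptom of getting out but nothing coming back: ESP and AH carry no port numbers, so no port rule can ever match them. The example below is added here and is not code from anyone on the list; it parses constructed IPv4 packets (sample addresses, SPIs and payloads are made up) and checks them against a port-only rule set and against one that also admits protocols 50 and 51.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Values from Jose Muniz's reply: IKE lives on UDP 500, while ESP and AH are
# IP protocols in their own right, not ports.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500


@dataclass
class Packet:
    proto: int
    src_port: Optional[int]     # None when the protocol has no ports (ESP, AH)
    dst_port: Optional[int]
    kind: str                   # "IKE", "ESP", "AH" or "other"


def parse_ipv4(buf: bytes) -> Packet:
    """Decode the IPv4 header just far enough to say which IPsec component this is."""
    ihl = (buf[0] & 0x0F) * 4          # header length in bytes (low nibble * 4)
    proto = buf[9]                     # IPv4 protocol field
    body = buf[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", body[:4])   # both headers start with the ports
        is_ike = proto == PROTO_UDP and IKE_PORT in (sport, dport)
        return Packet(proto, sport, dport, "IKE" if is_ike else "other")
    if proto == PROTO_ESP:             # ESP header: SPI, sequence number, then ciphertext
        return Packet(proto, None, None, "ESP")
    if proto == PROTO_AH:              # AH header: next header, length, SPI, sequence
        return Packet(proto, None, None, "AH")
    return Packet(proto, None, None, "other")


def port_rules_allow(p: Packet, open_udp_ports) -> bool:
    """A consumer firewall that only understands TCP/UDP port rules.  It cannot
    even express 'IP protocol 50', so ESP and AH always fall through to deny."""
    return p.proto == PROTO_UDP and (p.src_port in open_udp_ports
                                     or p.dst_port in open_udp_ports)


def ipsec_rules_allow(p: Packet, open_udp_ports, open_protocols) -> bool:
    """The same port rules plus explicit IP-protocol rules for ESP and AH."""
    return port_rules_allow(p, open_udp_ports) or p.proto in open_protocols


# --- constructed sample packets (not captured from anyone's network) ---------

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 168, 1, 2]))
    return hdr + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "ike":   build_ipv4(PROTO_UDP, udp(IKE_PORT, IKE_PORT, b"\x00" * 28)),
    "esp":   build_ipv4(PROTO_ESP, struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 16),
    "ah":    build_ipv4(PROTO_AH, bytes([PROTO_UDP, 4, 0, 0])
                        + struct.pack("!II", 0xCAFE, 1) + b"\x00" * 12),
    "https": build_ipv4(PROTO_TCP, struct.pack("!HH", 443, 51000) + b"\x00" * 16),
}


def evaluate(open_protocols) -> dict:
    """For each sample return (what it is, whether the firewall lets it back in).
    open_protocols=set() models the port-only firewall; {50, 51} the corrected one."""
    return {name: (p.kind, ipsec_rules_allow(p, {IKE_PORT}, open_protocols))
            for name, p in ((n, parse_ipv4(raw)) for n, raw in SAMPLES.items())}


if __name__ == "__main__":
    print("port-only rules:", evaluate(set()))                 # IKE passes, ESP/AH do not
    print("with ESP/AH    :", evaluate({PROTO_ESP, PROTO_AH}))  # tunnel traffic passes too
```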
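Eric Vyncke's three points about IP Payload Compression (64-byte packets are too small to compress, the per-packet dictionary keeps the ratio low, and the CPU is spent regardless) can be measured rather than argued. The example below is added here and is not code from the list or from any IPComp implementation: it compresses constructed sample packets with Python's zlib the way IPComp does (one fresh DEFLATE state per datagram, sent uncompressed when it does not shrink) and compares that with a compressor that keeps history across packets, as a link-layer compressor would; the sample traffic, including a random 400-byte preamble shared by the large packets, is made up for the demonstration.

```python
import random
import zlib

# --- Constructed sample traffic (not captured from anyone's network) ---------

# A 64-byte request, the packet size from Juan's question.  It contains no
# repeated run of three or more bytes, so DEFLATE can only emit literals and
# the output can never be smaller than the input.
SMALL_PACKET = (b"GET /index.html HTTP/1.0\r\n"
                b"Host: www.example.com\r\n"
                b"Accept: */*\r\n\r\n")

# A 400-byte preamble that is identical in every large packet (think of a fixed
# application header).  Random bytes are used so that it is incompressible on
# its own and can only be shortened by referring back to an earlier packet.
_rng = random.Random(2000)
PREAMBLE = bytes(_rng.getrandbits(8) for _ in range(400))


def html_rows(start: int, size: int) -> bytes:
    """`size` bytes of HTML table rows, numbered from `start`."""
    out, i = b"", start
    while len(out) < size:
        out += f"<tr><td>{i:05d}</td><td>item-{i}</td><td>{(i * 37) % 1000}</td></tr>\n".encode()
        i += 1
    return out[:size]


LARGE_PACKETS = [PREAMBLE + html_rows(n * 40, 1000) for n in range(5)]   # 5 x 1400 bytes

# --- IPComp-style per-datagram compression -----------------------------------


def ipcomp_compress(payload: bytes):
    """Compress one datagram by itself, as IPComp (RFC 3173) requires: a fresh
    DEFLATE state per packet, raw deflate without zlib/gzip framing (RFC 2394).
    RFC 3173 also says a datagram that does not get smaller is sent as is."""
    c = zlib.compressobj(level=6, wbits=-15)
    out = c.compress(payload) + c.flush()
    if len(out) >= len(payload):
        return payload, False        # sent uncompressed; the CPU was spent for nothing
    return out, True


def ipcomp_decompress(data: bytes, was_compressed: bool) -> bytes:
    return zlib.decompress(data, -15) if was_compressed else data


def per_packet_ratio(packets) -> float:
    """Overall original/sent ratio when every packet is compressed on its own."""
    original = sum(len(p) for p in packets)
    sent = sum(len(ipcomp_compress(p)[0]) for p in packets)
    return original / sent


def stream_ratio(packets) -> float:
    """Ratio when one compressor keeps its history across packets, as a
    link-layer compressor (MNP5, STAC) does.  IPComp gives that history up
    because datagrams may be lost or reordered, and a link-layer compressor
    placed after IPsec only ever sees ciphertext, which does not compress."""
    c = zlib.compressobj(level=6, wbits=-15)
    sent = 0
    for p in packets:
        sent += len(c.compress(p)) + len(c.flush(zlib.Z_SYNC_FLUSH))
    sent += len(c.flush())
    return sum(len(p) for p in packets) / sent


def summarize(small_count: int = 100) -> dict:
    """The numbers a practitioner would want before enabling IPComp on a tunnel."""
    mixed = [SMALL_PACKET] * small_count + LARGE_PACKETS
    return {
        "small_packet_compressed": ipcomp_compress(SMALL_PACKET)[1],       # False
        "large_packet_compressed": ipcomp_compress(LARGE_PACKETS[0])[1],   # True
        "ipcomp_ratio_large_only": round(per_packet_ratio(LARGE_PACKETS), 2),
        "link_layer_ratio_large_only": round(stream_ratio(LARGE_PACKETS), 2),
        "ipcomp_ratio_mixed_traffic": round(per_packet_ratio(mixed), 2),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key:30s} {value}")
```

The exact ratios depend on the traffic mix; what holds in general is that small packets come back uncompressed and that the per-datagram ratio stays below what a history-keeping compressor reaches on the same bytes.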