From evyncke at cisco.com Mon Oct 1 10:34:09 2001
From: evyncke at cisco.com (Eric Vyncke)
Date: Mon, 01 Oct 2001 16:34:09 +0200
Subject: [vpn] VPN Question
In-Reply-To:
Message-ID: <4.3.2.7.2.20011001161325.01fbe7f8@brussels.cisco.com>

Guy,

See in-line:

At 22:04 28/09/2001 +0100, Raymakers, Guy wrote:
> Eric,
>
> When you mention the large scale VPNs: 1000 to 2000, I've some questions
> about it:
> what devices were used centrally and how many? I assume that if Cisco
> 71xx or 72xx's were used that +- 4 to 8 central systems, at least, are in
> place .... what would be your recommended routing protocol in these cases
> (BGP, OSPF ...) between the central and remote routers?

Actually, most of those large scale IPSec deployments are based on the usual
three tier architecture (like any plain network): access, distribution and
core. Those IPSec networks were for banks with a hierarchical topology:
- branches to regional sites
- regional sites to a couple of centralized data centers

This usually reduces the fan-out factor to 100-200 branches per regional site,
which translates into 2 routers at the branches (mainly for resilience
purposes). The routing protocol used was OSPF or EIGRP with all the bag of
tricks and guidelines for those protocols (like address summarization, tuning
the hello timers, ...).

> Also, I got the following performance stats from Cisco:
> C7120 with 700 tunnels using GRE/IPSEC with 3DES and SHA + IKE keepalive
> could pull 60 Mbps as total throughput with large packet sizes .... can you
> confirm this?

It will of course depend on the CPU load and which kind of IPSec acceleration
module is used... The new VAM card on a 7200vxr with NPE-400 can encrypt large
packets with GRE encapsulation and 3DES IPSec at more than 120 Mbps.

Please note:
1) it really depends on the traffic mix and on the IPSec transforms
2) I would be reluctant to have more than 700 IKE peers on the same router
(if you lose this router, you will lose connectivity to a lot of peers IF you
do not have resiliency added to the design)

Hope this helps

-eric

> Thanks,
> Guy
>
> -----Original Message-----
> From: Eric Vyncke [mailto:evyncke at cisco.com]
> Sent: vrijdag 28 september 2001 8:49
> To: Dana J. Dawson
> Cc: 'vpn at securityfocus.com'
> Subject: Re: [vpn] VPN Question
>
>
> Dana and Guy,
>
> At 13:27 27/09/2001 -0500, Dana J. Dawson wrote:
> > The knowledgeable VPN people I've spoken to at Cisco recommend a max of
> > around 200 - 250 remote peers per 7100 router in an actual production
> > environment. That doesn't mean you can't configure 500 or more peers,
> > but it implies to me that the farther you go the more you're pushing
> > your luck. Personally, I'm not sure I'd want several hundred remote
> > sites to terminate in a single box even if it could, since that's a
> > pretty big single point of failure.
>
> You are fully right, you should limit the number of IKE peers to about 250
> with the 71xx or 72xx router with the ISA or ISM. (It is possible that the
> new VAM accelerator will boost this number.) This 250 peers is a real life
> figure where lines are going up and down, routers lose power and reload, ...
>
> Also, do not forget that you should run GRE + routing protocol to achieve a
> scalable resilience as well as an easy configuration. And, the routing
> protocols (OSPF, ...) have also their own limitations. Do not forget the
> last letter of VPN stands for Network ;-) so you need to use the usual
> routing bag of tricks like address summarization, ...
>
> Actually, I know a couple of VPNs deployed with 1000 and even 2000 routers
> in the same VPN. All are using IPSec + GRE + routing protocols.
>
> Hope this helps
>
> -eric
>
> VPN is sponsored by SecurityFocus.com

From Patrick.Bryan at abbott.com Mon Oct 1 10:59:38 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Mon, 1 Oct 2001 09:59:38 -0500
Subject: [vpn] Cisco 3002 Hardware client and single use passcodes
Message-ID:

Greetings, I am taking a look at Cisco's 3002 hardware client, and am
wondering if it is possible to use SecurID or Cryptocard tokens with this box?
It appears to me that it is not possible. If anyone has done this, your input
would be greatly appreciated...

Patrick A. Bryan
Sr. Systems Analyst
Abbott Laboratories
Worldwide Network Security Group

From Patrick.Bryan at abbott.com Mon Oct 1 16:18:48 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Mon, 1 Oct 2001 15:18:48 -0500
Subject: [vpn] Cisco 3002 Hardware client and single use passcodes
Message-ID:

How about like this?

C3002 --> RADIUS --> Cryptocard

?

Yang Lee, 10/01/2001 03:21 PM
cc: vpn at securityfocus.com
Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes

You can set it up this way:

Cisco 3002 --> TACACS+ --> SecurID Ace Server

############################################
#Yang Lee                                  #
#Sr. Internet Security Engineer, Net2phone #
#Tel. 973-412-3556                         #
#Email. ylee at net2phone.com              #
#                                          #
#                                          #
#Disclaimer:                               #
#My opinion here does not represent my     #
#employer's in any way                     #
#                                          #
############################################

On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> Greetings, I am taking a look at Cisco's 3002 hardware client, and am
> wondering if it is possible to use SecurID or Cryptocard tokens with this
> box? It appears to me that it is not possible. If anyone has done this,
> your input would be greatly appreciated...
>
> Patrick A. Bryan
> Sr.
Systems Analyst
> Abbott Laboratories
> Worldwide Network Security Group

From bkeepper at Paladinss.com Mon Oct 1 17:03:53 2001
From: bkeepper at Paladinss.com (Ben Keepper)
Date: Mon, 1 Oct 2001 14:03:53 -0700
Subject: [vpn] Looking for client that works with Netscreen and Checkpoint
Message-ID: <283EBF9762C2FB4DA386E0BA9E46B2B801A9EA@paladin-mail.Paladinss.com>

I apologize for not doing my research first, but I am in a hurry. Looking for
a client (PGPnet, Safenet, SecureClient/Remote) that works with both Netscreen
and Checkpoint firewalls.

Not looking for their marketing (our implementation uses standards) blah-blah,
but somebody really doing it in a production environment.

Has anybody done this with Win2K IPSEC?

If somebody knows of one, can you point me at the documentation?

TIA,

Ben Keepper

From ylee at net50.com Mon Oct 1 21:16:22 2001
From: ylee at net50.com (Yang Lee)
Date: Mon, 1 Oct 2001 21:16:22 -0400 (EDT)
Subject: [vpn] Cisco 3002 Hardware client and single use passcodes
In-Reply-To:
Message-ID:

1. TACACS+ vs. RADIUS
pro: TACACS+ encrypts both data and password while RADIUS only does password.
con: RADIUS is considered a more open protocol than TACACS+. For example,
Microsoft is supporting RADIUS in win2k.

2. securID vs. cryptocard
securID is my preference because of its strong encryption. Software itself
was robust and full of features (also bugs). Don't know too much of
cryptocard. Anyone mind commenting?

Depending on your environment, if you are an ISP with paid customers, you will
be better off using RADIUS+ (and cryptocard or securID), because a lot of
billing systems support RADIUS better. Otherwise, you may feel better using
TACACS+ (and securID) because of its strong security.

Hope this helps.

############################################
#Yang Lee                                  #
#Sr. Internet Security Engineer, Net2phone #
#Tel. 973-412-3556                         #
#Email. ylee at net2phone.com              #
#                                          #
#                                          #
#Disclaimer:                               #
#My opinion here does not represent my     #
#employer's in any way                     #
#                                          #
############################################

On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
>
> How about like this?
>
> C3002 --> RADIUS --> Cryptocard
>
> ?
>
> Yang Lee, 10/01/2001 03:21 PM
> cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
>
> You can set it up this way:
>
> Cisco 3002 --> TACACS+ --> SecurID Ace Server
>
> ############################################
> #Yang Lee                                  #
> #Sr. Internet Security Engineer, Net2phone #
> #Tel. 973-412-3556                         #
> #Email. ylee at net2phone.com              #
> #                                          #
> #                                          #
> #Disclaimer:                               #
> #My opinion here does not represent my     #
> #employer's in any way                     #
> #                                          #
> ############################################
>
> On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> > Greetings, I am taking a look at Cisco's 3002 hardware client, and am
> > wondering if it is possible to use SecurID or Cryptocard tokens with this
> > box? It appears to me that it is not possible. If anyone has done this,
> > your input would be greatly appreciated...
> >
> > Patrick A. Bryan
> > Sr. Systems Analyst
> > Abbott Laboratories
> > Worldwide Network Security Group

From Patrick.Bryan at abbott.com Mon Oct 1 21:29:48 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Mon, 1 Oct 2001 20:29:48 -0500
Subject: [vpn] Cisco 3002 Hardware client and single use passcodes
Message-ID:

Yang, what I don't comprehend is how, even using Radius, to allow the C3002 to
make use of one time passcodes. As for Cryptocard, my experience has been very
good.. Anyhow, please expand on the one time passcode issue further, if you
would..
Pat

Yang Lee, 10/01/2001 08:16 PM
cc: vpn at securityfocus.com
Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes

1. TACACS+ vs. RADIUS
pro: TACACS+ encrypts both data and password while RADIUS only does password.
con: RADIUS is considered a more open protocol than TACACS+. For example,
Microsoft is supporting RADIUS in win2k.

2. securID vs. cryptocard
securID is my preference because of its strong encryption. Software itself
was robust and full of features (also bugs). Don't know too much of
cryptocard. Anyone mind commenting?

Depending on your environment, if you are an ISP with paid customers, you will
be better off using RADIUS+ (and cryptocard or securID), because a lot of
billing systems support RADIUS better. Otherwise, you may feel better using
TACACS+ (and securID) because of its strong security.

Hope this helps.

############################################
#Yang Lee                                  #
#Sr. Internet Security Engineer, Net2phone #
#Tel. 973-412-3556                         #
#Email. ylee at net2phone.com              #
#                                          #
#                                          #
#Disclaimer:                               #
#My opinion here does not represent my     #
#employer's in any way                     #
#                                          #
############################################

On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
>
> How about like this?
>
> C3002 --> RADIUS --> Cryptocard
>
> ?
>
> Yang Lee, 10/01/2001 03:21 PM
> cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
>
> You can set it up this way:
>
> Cisco 3002 --> TACACS+ --> SecurID Ace Server
>
> ############################################
> #Yang Lee                                  #
> #Sr. Internet Security Engineer, Net2phone #
> #Tel. 973-412-3556                         #
> #Email. ylee at net2phone.com              #
> #                                          #
> #                                          #
> #Disclaimer:                               #
> #My opinion here does not represent my     #
> #employer's in any way                     #
> #                                          #
> ############################################
>
> On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> > Greetings, I am taking a look at Cisco's 3002 hardware client, and am
> > wondering if it is possible to use SecurID or Cryptocard tokens with this
> > box? It appears to me that it is not possible. If anyone has done this,
> > your input would be greatly appreciated...
> >
> > Patrick A. Bryan
> > Sr. Systems Analyst
> > Abbott Laboratories
> > Worldwide Network Security Group

From shope at energis-eis.co.uk Tue Oct 2 05:16:20 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Tue, 2 Oct 2001 10:16:20 +0100
Subject: [vpn] Cisco 3002 Hardware client and single use passcodes
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458E56@email.datarange.co.uk>

Patrick,

We are both a user and a reseller for the Cisco and RSA stuff you mention.
Our internal RAS has both ISDN dial in (Shiva LANrover) and VPN (3005). All of
it uses TACACS+ and SecureID (and we also use server agents for some of the
high security systems in house).

As far as I know the 3000 is just set to use TACACS+; all the SecureID
specific stuff is set up in the TACACS server. We have Cisco ACS server, with
TACACS+ protocol set up as authentication.

As I understand it, TACACS just sends prompts back to the TACACS+ device, for
it to give to the user, and that prompt is for the card magic number. The ACS
then passes authentication off to ACE server for SecureID. The ACE server is
running on the same Win NT server as ACS. NB - new installs for others are
going in on Win2k.

If you want resilience then you need 2 ACS boxes, and 2 licenses. ACE server
only needs a backup, so you don't need 2 full licenses.
I suggest you test it (if you have enough of the bits of course) before you
commit fully. Cisco used to run an evaluation scheme, with a time limited
license for ACS - I think this is still possible. RSA used to do evaluation
kits for SecureID, with just 2 cards for testing - maybe try that way if you
can?

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Patrick.Bryan at abbott.com [mailto:Patrick.Bryan at abbott.com]
> Sent: 02 October 2001 02:30
> To: Yang Lee
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
>
>
> Yang, what I don't comprehend is how, even using Radius, to allow the C3002
> to make use of one time passcodes. As for Cryptocard, my experience has
> been very good.. Anyhow, please expand on the one time passcode issue
> further, if you would..
>
> Pat
>
> Yang Lee, 10/01/2001 08:16 PM
> To: Patrick.Bryan at abbott.com
> cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
>
> 1. TACACS+ vs. RADIUS
> pro: TACACS+ encrypts both data and password while RADIUS only does
> password.
> con: RADIUS is considered a more open protocol than TACACS+. For example,
> Microsoft is supporting RADIUS in win2k.
>
> 2. securID vs. cryptocard
> securID is my preference because of its strong encryption. Software itself
> was robust and full of features (also bugs). Don't know too much of
> cryptocard. Anyone mind commenting?
>
> Depending on your environment, if you are an ISP with paid customers, you
> will be better off using RADIUS+ (and cryptocard or securID), because a lot
> of billing systems support RADIUS better. Otherwise, you may feel better
> using TACACS+ (and securID) because of its strong security.
>
> Hope this helps.
>
> ############################################
> #Yang Lee                                  #
> #Sr. Internet Security Engineer, Net2phone #
> #Tel. 973-412-3556                         #
> #Email. ylee at net2phone.com              #
> #                                          #
> #                                          #
> #Disclaimer:                               #
> #My opinion here does not represent my     #
> #employer's in any way                     #
> #                                          #
> ############################################
>
> On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> >
> > How about like this?
> >
> > C3002 --> RADIUS --> Cryptocard
> >
> > ?
> >
> > Yang Lee, 10/01/2001 03:21 PM
> > To: Patrick.Bryan at abbott.com
> > cc: vpn at securityfocus.com
> > Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
> >
> > You can set it up this way:
> >
> > Cisco 3002 --> TACACS+ --> SecurID Ace Server
> >
> > ############################################
> > #Yang Lee                                  #
> > #Sr. Internet Security Engineer, Net2phone #
> > #Tel. 973-412-3556                         #
> > #Email. ylee at net2phone.com              #
> > #                                          #
> > #                                          #
> > #Disclaimer:                               #
> > #My opinion here does not represent my     #
> > #employer's in any way                     #
> > #                                          #
> > ############################################
> >
> > On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> > > Greetings, I am taking a look at Cisco's 3002 hardware client, and am
> > > wondering if it is possible to use SecurID or Cryptocard tokens with
> > > this box? It appears to me that it is not possible. If anyone has done
> > > this, your input would be greatly appreciated...
> > >
> > > Patrick A. Bryan
> > > Sr. Systems Analyst
> > > Abbott Laboratories
> > > Worldwide Network Security Group

From jmuniz at loudcloud.com Tue Oct 2 20:48:46 2001
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Tue, 02 Oct 2001 17:48:46 -0700
Subject: [vpn] Looking for client that works with Netscreen and Checkpoint
References: <283EBF9762C2FB4DA386E0BA9E46B2B801A9EA@paladin-mail.Paladinss.com>
Message-ID: <3BBA606E.4EAE3FCB@loudcloud.com>

Try the F-Secure Client..

http://www.f-secure.com

Jose.

Ben Keepper wrote:
> I apologize for not doing my research first, but I am in a hurry.
> Looking for a client (PGPnet, Safenet, SecureClient/Remote) that works
> with both Netscreen and Checkpoint firewalls.
>
> Not looking for their marketing (our implementation uses standards)
> blah-blah, but somebody really doing it in a production environment.
>
> Has anybody done this with Win2K IPSEC?
>
> If somebody knows of one, can you point me at the documentation?
>
> TIA,
>
> Ben Keepper

From sandy at storm.ca Wed Oct 3 07:32:41 2001
From: sandy at storm.ca (Sandy Harris)
Date: Wed, 03 Oct 2001 07:32:41 -0400
Subject: [vpn] Review of 13 VPN products
References: <3BBA65B8.ACBAD526@opus1.com>
Message-ID: <3BBAF759.B7DDF0C5@storm.ca>

Joel Snyder wrote:
>
> Folks:
>
> In case you hadn't seen it, Network World just published a review I did
> of 13 different VPN products, focusing on site-to-site and enterprise
> applications:
>
> http://www.nwfusion.com/reviews/2001/1001rev.html
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> jms at Opus1.COM http://www.opus1.com/jms Opus One
> Electronic mail is always the best way to contact me.
Why on Earth did you not include Open Source products?

www.freeswan.org for Linux IPsec.

www.openbsd.org for an OS whose main marketing slogan is "Secure by default"
and that ships with IPsec included.

www.freebsd.org or www.openbsd.org for other alternatives.

From djdawso at qwest.com Wed Oct 3 15:03:34 2001
From: djdawso at qwest.com (Dana J. Dawson)
Date: Wed, 03 Oct 2001 14:03:34 -0500
Subject: [vpn] Review of 13 VPN products
References: <3BBA65B8.ACBAD526@opus1.com>
Message-ID: <3BBB6106.B9C0DE8@qwest.com>

Joel Snyder wrote:
>
> Folks:
>
> In case you hadn't seen it, Network World just published a review I did
> of 13 different VPN products, focusing on site-to-site and enterprise
> applications:
>
> http://www.nwfusion.com/reviews/2001/1001rev.html
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> jms at Opus1.COM http://www.opus1.com/jms Opus One
> Electronic mail is always the best way to contact me.

I disagree with the assertion in the article that the Cisco products only
allow a single IKE policy to be configured. Both IOS and the PIX allow
multiple isakmp policy clauses, and it's not very hard to figure that out. If
the people doing the testing missed something this obvious when configuring
the Cisco gear, it makes me wonder how much else they might have missed.
Because of this, I have serious doubts about the credibility of the testers
and their results.

Dana

--
Dana J. Dawson                 djdawso at qwest.com
Senior Staff Engineer          CCIE #1937
Qwest Global Services          (612) 664-3364
Qwest Communications           (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
From dlongar at ibsys.com Wed Oct 3 15:42:02 2001
From: dlongar at ibsys.com (Longar, Dennis)
Date: Wed, 3 Oct 2001 14:42:02 -0500
Subject: [vpn] Review of 13 VPN products
Message-ID: <2193306919172547B8B169B499184FEA63BC56@osiris-a.ibsys.com>

I agree with Dana!! Also why didn't they pick the Cisco Dedicated VPN products
to test? Pix is a fine VPN box, but Cisco has a whole separate line of
dedicated VPN only products (3xxx and 5xxx series). They really should be
comparing apples to apples. Both IOS devices and the dedicated products
support multiple IKE policies.

-Dennis

> -----Original Message-----
> From: Dana J. Dawson [mailto:djdawso at qwest.com]
> Sent: Wednesday, October 03, 2001 2:04 PM
> To: Joel Snyder
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Review of 13 VPN products
>
>
> Joel Snyder wrote:
> >
> > Folks:
> >
> > In case you hadn't seen it, Network World just published a review I did
> > of 13 different VPN products, focusing on site-to-site and enterprise
> > applications:
> >
> > http://www.nwfusion.com/reviews/2001/1001rev.html
> >
> > --
> > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> > jms at Opus1.COM http://www.opus1.com/jms Opus One
> > Electronic mail is always the best way to contact me.
>
> I disagree with the assertion in the article that the Cisco products only
> allow a single IKE policy to be configured. Both IOS and the PIX allow
> multiple isakmp policy clauses, and it's not very hard to figure that out.
> If the people doing the testing missed something this obvious when
> configuring the Cisco gear, it makes me wonder how much else they might
> have missed. Because of this, I have serious doubts about the credibility
> of the testers and their results.
>
> Dana
>
> --
> Dana J. Dawson                 djdawso at qwest.com
> Senior Staff Engineer          CCIE #1937
> Qwest Global Services          (612) 664-3364
> Qwest Communications           (612) 664-4779 (FAX)
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."

From dmcneese at lanl.gov Wed Oct 3 17:13:37 2001
From: dmcneese at lanl.gov (David McNeese)
Date: Wed, 3 Oct 2001 15:13:37 -0600
Subject: [vpn] MTU Problems
Message-ID: <010f01c14c50$44b7dec0$2672a580@lanl.gov>

We have recently begun to have problems accessing some web sites via our VPN
connections. We are using an Intel NetStructure as well as an Intraport 2+.
Here's what has started:

The VPN process must add some additional information to the headers of each
frame; as a result the MTU is somewhat less than 1500 bytes. There are several
web sites (Yahoo in particular) that are sending data to us in 1500 byte
frames with the "Do Not Fragment Bit" set. The result is, our boxes throw the
frames away because they aren't allowed to fragment it. A message (NACK) is
sent back to the website requesting smaller frames (part of the RSVP protocol)
or asking that the "do not fragment bit" not be set. We still get the 1500
byte frames so the client can't get the page.

Has anybody else run into this? Are you aware of a solution (it seems to me it
is a config problem at Yahoo)?

Thanks!

*************************************************************
"Cheer up, things could be worse. So I cheered up and sure enough, things got
worse."
David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov

From timslighter at home.com Wed Oct 3 16:32:43 2001
From: timslighter at home.com (Tim Slighter)
Date: Wed, 3 Oct 2001 13:32:43 -0700
Subject: FW: [vpn] Review of 13 VPN products
Message-ID: <006b01c14c4a$8e750890$0201a8c0@timothy>

I believe what they may have been referring to is that only one ISAKMP can be
matched against the outside interface at one single point in time.

-----Original Message-----
From: Dana J. Dawson [mailto:djdawso at qwest.com]
Sent: Wednesday, October 03, 2001 12:04 PM
To: Joel Snyder
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Review of 13 VPN products

Joel Snyder wrote:
>
> Folks:
>
> In case you hadn't seen it, Network World just published a review I did
> of 13 different VPN products, focusing on site-to-site and enterprise
> applications:
>
> http://www.nwfusion.com/reviews/2001/1001rev.html
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> jms at Opus1.COM http://www.opus1.com/jms Opus One
> Electronic mail is always the best way to contact me.

I disagree with the assertion in the article that the Cisco products only
allow a single IKE policy to be configured. Both IOS and the PIX allow
multiple isakmp policy clauses, and it's not very hard to figure that out. If
the people doing the testing missed something this obvious when configuring
the Cisco gear, it makes me wonder how much else they might have missed.
Because of this, I have serious doubts about the credibility of the testers
and their results.

Dana

--
Dana J. Dawson                 djdawso at qwest.com
Senior Staff Engineer          CCIE #1937
Qwest Global Services          (612) 664-3364
Qwest Communications           (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
From Joel.Snyder at Opus1.COM Wed Oct 3 18:41:32 2001
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Wed, 03 Oct 2001 15:41:32 -0700 (MST)
Subject: [vpn] Review of 13 VPN products
In-Reply-To: "Your message dated Wed, 03 Oct 2001 14:42:02 -0500" <2193306919172547B8B169B499184FEA63BC56@osiris-a.ibsys.com>
Message-ID: <01K92IOS19W49ED93E@Opus1.COM>

> I agree with Dana!! Also why didn't they pick the
> Cisco Dedicated VPN products to test? Pix is a fine
> VPN box, but cisco has a whole separate line of
> dedicated VPN only products (3xxx and 5xxx series).
> They really should be comparing apples to apples.

Each vendor offered their choice of products. You would have to ask Cisco why
they felt that IOS and PIX were the best choice.

From my experience, both the Compatible and Altiga boxes are largely aimed at
remote access, and do site-to-site as a secondary feature. Certainly there is
no concept of a global VPN management tool for a network of hundreds of
3000/5000 boxes.

> Both IOS devices and the dedicated products support
> multiple IKE policies.

You know, it's awfully easy to say that, but if you could prove it, that would
be much more useful.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

> -Dennis
>
> > -----Original Message-----
> > From: Dana J. Dawson [mailto:djdawso at qwest.com]
> > Sent: Wednesday, October 03, 2001 2:04 PM
> > To: Joel Snyder
> > Cc: vpn at securityfocus.com
> > Subject: Re: [vpn] Review of 13 VPN products
> >
> >
> > Joel Snyder wrote:
> > >
> > > Folks:
> > >
> > > In case you hadn't seen it, Network World just published a review I
> > > did of 13 different VPN products, focusing on site-to-site and
> > > enterprise applications:
> > >
> > > http://www.nwfusion.com/reviews/2001/1001rev.html
> > >
> > > --
> > > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > > +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> > > jms at Opus1.COM http://www.opus1.com/jms Opus One
> > > Electronic mail is always the best way to contact me.
> >
> > I disagree with the assertion in the article that the Cisco products
> > only allow a single IKE policy to be configured. Both IOS and the PIX
> > allow multiple isakmp policy clauses, and it's not very hard to figure
> > that out. If the people doing the testing missed something this obvious
> > when configuring the Cisco gear, it makes me wonder how much else they
> > might have missed. Because of this, I have serious doubts about the
> > credibility of the testers and their results.
> >
> > Dana
> >
> > --
> > Dana J. Dawson                 djdawso at qwest.com
> > Senior Staff Engineer          CCIE #1937
> > Qwest Global Services          (612) 664-3364
> > Qwest Communications           (612) 664-4779 (FAX)
> > 600 Stinson Blvd., Suite 1S
> > Minneapolis MN 55413-2620
> >
> > "Hard is where the money is."
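Dana, Dennis and Joel disagree above about what "multiple IKE policies" on IOS and the PIX amounts to. The Python model below is an added illustration, not Cisco's code and not from any poster in the thread: it represents an ordered set of phase-1 policies with the attributes an IOS `crypto isakmp policy <priority>` entry carries (encryption, hash, authentication, Diffie-Hellman group, lifetime), renders them as the configuration clauses Dana refers to, and applies the documented selection rule of walking the local policies from the lowest priority number upward and taking the first one a peer proposal fully matches. The sample policies and peer proposals are constructed; the lifetime rule (a peer lifetime equal to or shorter than the local one matches, and the shorter value is used) is my reading of the IOS documentation and is marked as an assumption in the code. Note what `select_policy` does not take as input: the peer's address, so one ordered list is applied to every peer.

```python
"""Ordered IKE phase-1 policy selection.

Added illustration, not Cisco's code and not from any poster in this
thread. Each IkePolicy carries the attributes of an IOS
'crypto isakmp policy <priority>' entry; select_policy() walks the
local policies from the lowest priority number upward and returns the
first one that a peer proposal fully matches. Sample policies and
proposals are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number is tried first
    encryption: str        # "des" or "3des"
    hash: str              # "sha" or "md5"
    authentication: str    # "rsa-sig" (certificates) or "pre-share"
    group: int             # Diffie-Hellman group 1 or 2
    lifetime: int = 86400  # seconds


def attributes_match(local: IkePolicy, proposal: IkePolicy) -> bool:
    """A proposal matches when the four cryptographic attributes are
    identical and the peer's lifetime is equal to or shorter than the
    local one (assumption: my reading of the IOS rule that the shorter
    lifetime is the one used)."""
    return (local.encryption == proposal.encryption
            and local.hash == proposal.hash
            and local.authentication == proposal.authentication
            and local.group == proposal.group
            and proposal.lifetime <= local.lifetime)


def select_policy(local_policies: Iterable[IkePolicy],
                  peer_proposals: Iterable[IkePolicy]
                  ) -> Optional[Tuple[IkePolicy, int]]:
    """Return (matching local policy, negotiated lifetime), or None when
    no local policy accepts any proposal. The peer's address is not an
    input: the same ordered list applies to every peer."""
    proposals = list(peer_proposals)
    for local in sorted(local_policies, key=lambda p: p.priority):
        for proposal in proposals:
            if attributes_match(local, proposal):
                return local, min(local.lifetime, proposal.lifetime)
    return None


def to_ios_config(policies: Iterable[IkePolicy]) -> str:
    """Render the policies as IOS 'crypto isakmp policy' blocks, one per
    priority, which is what 'multiple isakmp policy clauses' looks like."""
    lines = []
    for p in sorted(policies, key=lambda p: p.priority):
        lines += [f"crypto isakmp policy {p.priority}",
                  f" encryption {p.encryption}",
                  f" hash {p.hash}",
                  f" authentication {p.authentication}",
                  f" group {p.group}",
                  f" lifetime {p.lifetime}"]
    return "\n".join(lines)


# Constructed local policy set: prefer certificates, fall back to a
# pre-shared key, and keep a weak legacy entry last.
LOCAL_POLICIES = [
    IkePolicy(10, "3des", "sha", "rsa-sig", 2),
    IkePolicy(20, "3des", "sha", "pre-share", 2),
    IkePolicy(30, "des", "md5", "pre-share", 1),
]

# Constructed proposals from a peer that has no certificate and offers
# its strong transform with a 12-hour lifetime.
PEER_PROPOSALS = [
    IkePolicy(0, "des", "md5", "pre-share", 1, lifetime=3600),
    IkePolicy(0, "3des", "sha", "pre-share", 2, lifetime=43200),
]


if __name__ == "__main__":
    print(to_ios_config(LOCAL_POLICIES))
    print(select_policy(LOCAL_POLICIES, PEER_PROPOSALS))
```

Running it against the constructed peer selects policy 20 with a 43200-second lifetime: policy 10 is skipped because the peer offers no certificate-based proposal, and the weak policy 30 is never reached. Whether a per-peer preference can be expressed on top of such a list is a separate question from whether the list may hold more than one entry, which is where the two sides of this thread are talking past each other.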
From Joel.Snyder at Opus1.COM Wed Oct 3 18:26:16 2001
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Wed, 03 Oct 2001 15:26:16 -0700 (MST)
Subject: [vpn] Review of 13 VPN products
In-Reply-To: "Your message dated Wed, 03 Oct 2001 14:03:34 -0500" <3BBB6106.B9C0DE8@qwest.com>
References: <3BBA65B8.ACBAD526@opus1.com>
Message-ID: <01K92IINQS6E9ED93E@Opus1.COM>

It's easy to make arrogant and unsupported statements like that, but it would
be more useful to everyone --- including the un-credible author of the article
--- if you would offer some proof.

In the version of IOS and of PIX which was tested, I claim that you can have
only a single IKE policy, which is an ordered list of IKE transforms and
proposals which are acceptable. That policy may have multiple transforms, but
you cannot express a policy such as, for example:

When initiating an SA to 1.2.3.4, I would like to use certificates.
When initiating an SA to 2.3.4.5, I would like to use PSS.
When initiating an SA to 3.4.5.6, I would like to use certificates, but I
would fall back to PSS.
When initiating an SA to 4.5.6.7, I would like to use certificates, but I
would fall back to encrypted nonces.
When initiating an SA to 5.6.7.8, I would like to use PSS, but I would also be
willing to use certificates.

If you can offer a working Cisco config on a GD release, I'll happily
apologize and offer a correction.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 x101 (v) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One

> Joel Snyder wrote:
> >
> > Folks:
> >
> > In case you hadn't seen it, Network World just published a review I did
> > of 13 different VPN products, focusing on site-to-site and enterprise
> > applications:
> >
> > http://www.nwfusion.com/reviews/2001/1001rev.html
> >
> > --
> > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> > jms at Opus1.COM http://www.opus1.com/jms Opus One
> > Electronic mail is always the best way to contact me.
>
> I disagree with the assertion in the article that the Cisco products only
> allow a single IKE policy to be configured. Both IOS and the PIX allow
> multiple isakmp policy clauses, and it's not very hard to figure that out.
> If the people doing the testing missed something this obvious when
> configuring the Cisco gear, it makes me wonder how much else they might
> have missed. Because of this, I have serious doubts about the credibility
> of the testers and their results.
>
> Dana
>
> --
> Dana J. Dawson                 djdawso at qwest.com
> Senior Staff Engineer          CCIE #1937
> Qwest Global Services          (612) 664-3364
> Qwest Communications           (612) 664-4779 (FAX)
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."

From sysadmin at rckc.org Wed Oct 3 20:42:57 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Wed, 3 Oct 2001 17:42:57 -0700
Subject: [vpn] New list member; a VPN question
Message-ID:

Hello List:

I am a new member of this list and have a pretty basic question. I would
appreciate any assistance you can give me. I am a sysadmin for a non profit
organization. Would it be at all possible for someone to detail the steps of
establishing a VPN between a 98 box with a DSL connection and a 2000 server
with a DSL connection?
The two respective machines are in two different cities. I do not need anything complicated, just the basics. I admit it, I am new and over my head. I appreciate all the help the list members can give me.

Greg W. Gordon
Systems Administrator
Recovery Centers of King County

From sandy at storm.ca Wed Oct 3 23:55:32 2001
From: sandy at storm.ca (Sandy Harris)
Date: Wed, 03 Oct 2001 23:55:32 -0400
Subject: [vpn] MTU Problems
References: <010f01c14c50$44b7dec0$2672a580@lanl.gov>
Message-ID: <3BBBDDB4.3A892EE@storm.ca>

David McNeese wrote:
>
> We have recently begun to have problems accessing some web sites via
> our VPN connections. We are using an Intel NetStructure as well as an
> Intraport 2+. Here's what has started:
>
> The VPN process must add some additional information to the headers of
> each frame, as a result the MTU is somewhat less than 1500 bytes.
> There are several web sites (Yahoo in particular) that are sending data
> to us in 1500 byte frames with the "Do Not Fragment Bit" set. The
> result is, our boxes throw the frames away because they aren't
> allowed to fragment it. A message (NACK) is sent back to the website
> requesting smaller frames (part of the RSVP protocol)

My understanding is that you should send an ICMP packet.

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/glossary.html#pathMTU

> or asking that
> the "do not fragment bit" not be set. We still get the 1500 byte
> frames so the client can't get the page.
>
> Has anybody else run into this? Are you aware of a solution (it seems
> to me it is a config problem at Yahoo)?

From guy.raymakers at eds.com Thu Oct 4 02:44:50 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Thu, 4 Oct 2001 07:44:50 +0100
Subject: [vpn] MTU Problems
Message-ID:

We also had a problem with MTUs being too large.
Luckily we had an Intranet environment which is fully managed, so we changed the MTU of both the clients and the server to 1400 or so to be sure that we didn't have an MTU problem anymore. I know that some VPN products allow you to do something about this, like NetScreen, and I believe Cisco also has something like 'set ip df 0' on IOS to turn the DF bit off.

Good luck,
Guy

-----Original Message-----
From: David McNeese [mailto:dmcneese at lanl.gov]
Sent: Wednesday, October 03, 2001 11:14 PM
To: vpn at securityfocus.com
Subject: [vpn] MTU Problems

We have recently begun to have problems accessing some web sites via our VPN connections. We are using an Intel NetStructure as well as an Intraport 2+. Here's what has started:

The VPN process must add some additional information to the headers of each frame, as a result the MTU is somewhat less than 1500 bytes. There are several web sites (Yahoo in particular) that are sending data to us in 1500 byte frames with the "Do Not Fragment Bit" set. The result is, our boxes throw the frames away because they aren't allowed to fragment it. A message (NACK) is sent back to the website requesting smaller frames (part of the RSVP protocol) or asking that the "do not fragment bit" not be set. We still get the 1500 byte frames so the client can't get the page.

Has anybody else run into this? Are you aware of a solution (it seems to me it is a config problem at Yahoo)?

Thanks!

*************************************************************
"Cheer up, things could be worse. So
I cheered up and sure enough, things got worse."

David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov

From guy.raymakers at eds.com Thu Oct 4 02:34:17 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Thu, 4 Oct 2001 07:34:17 +0100
Subject: [vpn] Review of 13 VPN products
Message-ID:

Exactly my thoughts also ....
especially about the multiple IKE policies .. I'm very interested in how the Cisco VPN 7140 IOS compares with the Cisco VPN 3000 or 5000 devices ...

Guy

-----Original Message-----
From: Longar, Dennis [mailto:dlongar at ibsys.com]
Sent: Wednesday, October 03, 2001 9:42 PM
To: 'Dana J. Dawson'; Joel Snyder
Cc: vpn at securityfocus.com
Subject: RE: [vpn] Review of 13 VPN products

I agree with Dana!!

Also, why didn't they pick the Cisco dedicated VPN products to test? PIX is a fine VPN box, but Cisco has a whole separate line of dedicated VPN-only products (3xxx and 5xxx series). They really should be comparing apples to apples. Both IOS devices and the dedicated products support multiple IKE policies.

-Dennis

> -----Original Message-----
> From: Dana J. Dawson [mailto:djdawso at qwest.com]
> Sent: Wednesday, October 03, 2001 2:04 PM
> To: Joel Snyder
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Review of 13 VPN products
>
>
> Joel Snyder wrote:
> >
> > Folks:
> >
> > In case you hadn't seen it, Network World just published a review I did
> > of 13 different VPN products, focusing on site-to-site and enterprise applications:
> >
> > http://www.nwfusion.com/reviews/2001/1001rev.html
> >
> > --
> > Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> > +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> > jms at Opus1.COM http://www.opus1.com/jms Opus One
> > Electronic mail is always the best way to contact me.
> >
>
> I disagree with the assertion in the article that the Cisco products only allow
> a single IKE policy to be configured. Both IOS and the PIX allow multiple
> isakmp policy clauses, and it's not very hard to figure that out. If the people
> doing the testing missed something this obvious when configuring the Cisco gear,
> it makes me wonder how much else they might have missed. Because of this, I
> have serious doubts about the credibility of the testers and their results.
>
> Dana
>
> --
> Dana J. Dawson djdawso at qwest.com
> Senior Staff Engineer CCIE #1937
> Qwest Global Services (612) 664-3364
> Qwest Communications (612) 664-4779 (FAX)
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."

From Les.Salmon at vanguardadmin.com Thu Oct 4 05:27:55 2001
From: Les.Salmon at vanguardadmin.com (Les W. Salmon)
Date: Thu, 4 Oct 2001 10:27:55 +0100
Subject: [vpn] Windows 2000 Updating Static Routes
Message-ID: <27FC93664965F8459E2D501372E2AA3B8EB0@server1.vanguardadmin.com>

I am in serious need of a resolution to my problem. Although I have trawled the net for answers, I keep coming up with the same 'words of wisdom', which simply do not work.

OK, irrespective of what I have in the middle (i.e. proxy servers, NAT, firewall etc.), I have a working VPN connection which I am happy with, EXCEPT for ....

A little background on the setup, just so that you know what I am using.

At home - I have a Windows 2000 workstation (SP2) that is running WinRoute Pro and makes full use of its firewall protection. After this workstation connects to the Internet, it then makes the VPN connection to my office network; no problem.

At the office - There is a Nokia 110 CheckPoint Firewall-1 unit that handles all the Internet traffic in and out. I have configured this to allow the traffic to move between a Windows 2000 Server (SP2) which is running the Win2k VPN Server Application, and again, this all works.

The problem - Windows 2000 Server. It accepts the connection from my home network, and allows the VPN to connect - GREAT, however there is a problem with the IP routing. Within Win2k, I have set up a static route which sets up the routing between my home IP range 192.168.20.x and the port to which it connects on the Server, 192.168.100.221.
I cannot get Netsh, or any other command line utility, to update the route at all. What I have to do is go into Routing and Remote Access, IP Routing, Static Routes, and manually make a change to the route entry, so that Win2K updates its routes. I read that I am supposed to be able to run the command line utility Netsh, which should make the necessary update active, but it doesn't. The command is supposed to be ..

    C:\> netsh routing ip update persistentroute 192.168.100.0 255.255.255.0 name="Internal" nhop=192.168.100.221

In the Routing and Remote Access part of Computer Management, the interface that the Static Route works on is called "Internal". To manually update the route, I change this to "Local Area Connection", and then back to "Internal" again. What I have entered in that screen is ...

    Interface    : Internal
    Destination  : 192.168.20.0
    Network Mask : 255.255.255.0
    Gateway      : 192.168.100.221
    Metric       : 1

Can anyone help me please with some way or script that will control this update? And perhaps explain to me what is wrong with this picture. Alternatively, with the kit I have in place, advise me of another way, a better way of doing this. I can't use CheckPoint's SecureRemote, because WinRoute Pro doesn't support the client software, and I don't want to change WinRoute Pro, 'cause it is one of the coolest Internet routers available.

Kind regards
Les Salmon

From evyncke at cisco.com Thu Oct 4 05:46:32 2001
From: evyncke at cisco.com (Eric Vyncke)
Date: Thu, 04 Oct 2001 11:46:32 +0200
Subject: [vpn] MTU Problems
In-Reply-To: <010f01c14c50$44b7dec0$2672a580@lanl.gov>
Message-ID: <4.3.2.7.2.20011004114245.04e77ef0@brussels.cisco.com>

David,

What you are facing is Path MTU Discovery and not RSVP ;-) The goal is to avoid fragmentation of IP datagrams by 'probing' the path with IP datagrams whose DF (do not fragment) bit is set and by listening to the ICMP sent by the device refusing to fragment.
The usual caveat is that the ICMP unreachable (not a NACK) is blocked by a firewall somewhere on the path... Another possible error is that your IPSec device is not able to process ICMP messages addressed to it (see RFC 2401 for more info).

Workarounds include allowing ICMP unreachable through the firewall, changing the MTU on the servers and/or clients, ...

Just my 0.01 EUR

-eric

At 15:13 3/10/2001 -0600, David McNeese wrote:
>We have recently begun to have problems accessing some web sites via
>our VPN connections. We are using an Intel NetStructure as well as an
>Intraport 2+. Here's what has started:
>
>The VPN process must add some additional information to the headers of
>each frame, as a result the MTU is somewhat less than 1500 bytes.
>There are several web sites (Yahoo in particular) that are sending data
>to us in 1500 byte frames with the "Do Not Fragment Bit" set. The
>result is, our boxes throw the frames away because they aren't
>allowed to fragment it. A message (NACK) is sent back to the website
>requesting smaller frames (part of the RSVP protocol) or asking that
>the "do not fragment bit" not be set. We still get the 1500 byte
>frames so the client can't get the page.
>
>Has anybody else run into this? Are you aware of a solution (it seems
>to me it is a config problem at Yahoo)?
>
>Thanks!
>
>
>*************************************************************
>"Cheer up, things could be worse. So
>I cheered up and sure enough, things got worse."
>
>David McNeese
>CCN-5 Network Services Team
>MS B255
>505-667-5226 (voice)
>dmcneese at lanl.gov

From rpaige at verisign.com Thu Oct 4 07:57:35 2001
From: rpaige at verisign.com (Paige, Randall)
Date: Thu, 4 Oct 2001 04:57:35 -0700
Subject: [vpn] Looking for client that works with Netscreen and Checkpoint
Message-ID: <4111B28AD166D311954B009027AFC929DEC9DA@vsepostal.verisign.com>

Checkpoint is going to be an issue.
I do not know of anyone using a non-VPN client with a Checkpoint FW. I am told it can be done, but with great limitations. Checkpoint has always added proprietary features to its remote access feature.

-----Original Message-----
From: Jose Muniz [mailto:jmuniz at loudcloud.com]
Sent: Tuesday, October 02, 2001 8:49 PM
To: Ben Keepper
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Looking for client that works with Netscreen and Checkpoint

Try the F-Secure Client..

http://www.f-secure.com

Jose.

Ben Keepper wrote:
> I apologize for not doing my research first, but I am in a hurry.
> Looking for a client (PGPnet, Safenet, SecureClient/Remote) that works
> with both Netscreen and Checkpoint firewalls.
>
> Not looking for their marketing (our implementation uses standards)
> blah-blah, but somebody really doing it in a production environment.
>
> Has anybody done this with Win2K IPSEC?
>
> If somebody knows of one, can you point me at the documentation?
>
> TIA,
>
> Ben Keepper

From guy.raymakers at eds.com Thu Oct 4 08:41:12 2001
From: guy.raymakers at eds.com (Raymakers, Guy)
Date: Thu, 4 Oct 2001 13:41:12 +0100
Subject: [vpn] Review of 13 VPN products
Message-ID:

Pls, correct me if I'm wrong...

Isn't it so that only one crypto map can be applied to one interface? This crypto map is really the collection of all IPSEC parameters for given connections (one crypto map can have multiple instances). However, to my knowledge, the IKE (ISAKMP) settings are not really matched with a crypto map. So if this is correct, this could imply that many IKE policies can be set for one crypto map and it's up to the IKE negotiation to pick the IKE policy that is matching.
Ref the example:

If the router is running the below config and sets up a tunnel to gateway A.B.C.D, then it will negotiate the correct ISAKMP policy, this could be PSS or RSA-ENCR, the same when it sets up a tunnel to gateway W.X.Y.Z. This means that there is more than one policy on the device, but only the first policy that matches the remote policy will be used.

crypto isakmp policy 21
 hash md5
 authentication pre-share
 group 2
 lifetime 57600
!
crypto isakmp policy 22
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 26
 encr 3des
 hash md5
 authentication rsa-encr
 group 2
 lifetime 28800
crypto isakmp key psssecret1 address A.B.C.D
crypto isakmp key psssecret2 address W.X.Y.Z
!
!
crypto ipsec transform-set transformset-1 esp-des esp-md5-hmac
crypto ipsec transform-set transformset-2 esp-3des esp-md5-hmac
!
crypto key pubkey-chain rsa
 addressed-key A.B.C.D
  address A.B.C.D
  key-string
   30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D03B5A
   000AE463 32E9636E D3F822DE F520D31E BDBBCB00 6F0C47C5 B8F58D7E 5E25F4B9
   0C9C2CEF 12F4C1A9 CD046732 4D3F12B2 D3355B70 0273D2A7 20D7EDAE E0D2F739
   68807EF4 E7FAFE39 34C7B9BB CDF154A8 A9C4BD98 9A7BEEC0 B58B482D B436E43C
   BD55E5BC B2E30886 D2427C5C C0B6332B 0DF2CB30 F742F737 EACC4088 5F020301
   0001
  quit
 !
crypto map cryptomap 1 ipsec-isakmp
 set peer A.B.C.D
 set security-association lifetime seconds 28800
 set transform-set transformset-1
 match address 100
!
crypto map cryptomap 2 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set transformset-2
 set pfs group2
 match address 101
!
interface Tunnel0
 ip address 172.25.1.161 255.255.255.224
 no ip unreachables
 tunnel source 10.16.23.28
 tunnel destination 10.162.144.21
 crypto map cryptomap
!
interface Tunnel1
 ip address 10.10.10.9 255.255.255.252
 no ip unreachables
 tunnel source 10.132.78.3
 tunnel destination 14.228.170.55
 crypto map cryptomap
!
interface FastEthernet0
 crypto map cryptomap

However, if you run IPSEC from one point to another and you want to have different policies for different combinations of destinations/sources, then you have no choice but to use a single IKE policy between the VPN routers, but you can create different IPSec policies (transforms) to protect some data streams in different ways.

Sorry for the long mail .....

cheers,
Guy

-----Original Message-----
From: Tim Slighter [mailto:timslighter at home.com]
Sent: Wednesday, October 03, 2001 10:33 PM
To: vpn at securityfocus.com
Subject: FW: [vpn] Review of 13 VPN products

I believe what they may have been referring to is that only one ISAKMP can be matched against the outside interface at one single point in time.

-----Original Message-----
From: Dana J. Dawson [mailto:djdawso at qwest.com]
Sent: Wednesday, October 03, 2001 12:04 PM
To: Joel Snyder
Cc: vpn at securityfocus.com
Subject: Re: [vpn] Review of 13 VPN products

Joel Snyder wrote:
>
> Folks:
>
> In case you hadn't seen it, Network World just published a review I did
> of 13 different VPN products, focusing on site-to-site and enterprise applications:
>
> http://www.nwfusion.com/reviews/2001/1001rev.html
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
> jms at Opus1.COM http://www.opus1.com/jms Opus One
> Electronic mail is always the best way to contact me.
>

I disagree with the assertion in the article that the Cisco products only allow a single IKE policy to be configured. Both IOS and the PIX allow multiple isakmp policy clauses, and it's not very hard to figure that out. If the people doing the testing missed something this obvious when configuring the Cisco gear, it makes me wonder how much else they might have missed. Because of this, I have serious doubts about the credibility of the testers and their results.

Dana

--
Dana J. Dawson djdawso at qwest.com
Senior Staff Engineer CCIE #1937
Qwest Global Services (612) 664-3364
Qwest Communications (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

From sysadmin at rckc.org Thu Oct 4 10:20:54 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Thu, 4 Oct 2001 07:20:54 -0700
Subject: [vpn] Assistance please?
Message-ID:

Hello:

Anyone willing to take pity on a newbie? I am a new member of this list and have a pretty basic question. I would appreciate any assistance you can give me. I am a sysadmin for a non-profit organization. Would it be at all possible for someone to detail the steps of establishing a VPN between a 98 box with a DSL connection and a 2000 server with a DSL connection? The two respective machines are in two different cities. I do not need anything complicated, just the basics. I admit it, I am new and over my head. I appreciate all the help the list members can give me.

Greg W. Gordon
Systems Administrator
Recovery Centers of King County

From EGoldsmith at SmartPipes.com Thu Oct 4 10:33:09 2001
From: EGoldsmith at SmartPipes.com (Goldsmith, Eric)
Date: Thu, 4 Oct 2001 14:33:09 -0000
Subject: [vpn] RE: MTU Problems
Message-ID: <4652644B98DFF34696801F8F3070D3FE76AD9B@D2CSPEXM001.smartpipes.com>

David,

What you're seeing is an issue that has plagued VPNs since their beginnings. The way to "fix" it is to find and correct the cause of the blocked ICMP messages (what you refer to as "NACK"). Easier said than done.

It's worth noting that Yahoo is not alone. Many Web sites are affected by this issue. I was in contact with a Yahoo network engineer about this issue some weeks ago. He assured me that Yahoo is not blocking such messages and that it is likely someone upstream of them (i.e. their provider).
The blocking of these messages can be caused by many things, including misconfigured routers and buggy router software.

I have found two workarounds that you might try. The first is to reduce the MTU setting on the client machine behind your VPN gateway. This causes the TCP sessions with the data source (Yahoo, in this case) to negotiate a smaller MSS (related to MTU), causing the source to send smaller packets. On Windows machines, this involves editing the registry, but it can be automated by a tool recommended by Cisco called DrTCP (http://www.dslreports.com/front/DRTCP019.exe). An MTU value of 1400 is recommended in this situation.

Obviously, the workaround above is not desirable if you have many client machines, or you're not able to 'touch' them. Another option is to modify the behavior of the DF bit on the gateway facing the Internet so that you can force it off for the IPSec packets. This has the effect of allowing fragmentation between the tunnel endpoints. This will negatively impact performance due to the large number of fragments that will be created, and because the fragments will be small packets. But it beats the alternative of no connectivity to the affected sites. Although controlling the DF bit is required in the IPSec RFC (section 6.1.1 of RFC 2401), I only know of one vendor to have implemented it - Cisco with IOS 12.2(2)T (http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm).

Good luck.

-Eric

-----Original Message-----
From: David McNeese [mailto:dmcneese at lanl.gov]
Sent: Wednesday, October 03, 2001 5:14 PM
To: vpn at securityfocus.com
Subject: MTU Problems

We have recently begun to have problems accessing some web sites via our VPN connections. We are using an Intel NetStructure as well as an Intraport 2+. Here's what has started:

The VPN process must add some additional information to the headers of each frame, as a result the MTU is somewhat less than 1500 bytes.
There are several web sites (Yahoo in particular) that are sending data to us in 1500 byte frames with the "Do Not Fragment Bit" set. The result is, our boxes throw the frames away because they aren't allowed to fragment it. A message (NACK) is sent back to the website requesting smaller frames (part of the RSVP protocol) or asking that the "do not fragment bit" not be set. We still get the 1500 byte frames so the client can't get the page.

Has anybody else run into this? Are you aware of a solution (it seems to me it is a config problem at Yahoo)?

Thanks!

*************************************************************
"Cheer up, things could be worse. So
I cheered up and sure enough, things got worse."

David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov

From Joel.Snyder at Opus1.COM Thu Oct 4 10:38:57 2001
From: Joel.Snyder at Opus1.COM (Joel M Snyder)
Date: Thu, 04 Oct 2001 07:38:57 -0700 (MST)
Subject: [vpn] Review of 13 VPN products
In-Reply-To: "Your message dated Thu, 04 Oct 2001 13:41:12 +0100"
Message-ID: <01K93GKGVIIS9ED94R@Opus1.COM>

>Pls, correct me if I'm wrong...
>Isn't it so that only one crypto map can be applied to one interface? This
>crypto map is really the collection of all IPSEC parameters for given
>connections (one crypto map can have multiple instances). However, to my
>knowledge, the IKE (ISAKMP) settings are not really matched with a crypto
>map. So if this is correct, this could imply that many IKE policies can be
>set for one crypto map and it's up to the IKE negotiation to pick the IKE
>policy that is matching.

You can only have one crypto map on an interface; this is what governs IPSEC policies. A crypto map specifies peer addresses, so you have the option of saying something like "when I get to 10.0.0.0 via THIS interface, I want 3DES; when I get to 10.0.0.0 via THAT interface, I want DES."
You have more flexibility than most people need in terms of IPSEC policies, because you can make them interface directional. This is probably most useful in a highly NAT-ed environment where different interfaces are really pointing to different entities.

Be careful in your use of the word 'policy.' A policy is an ordered set of proposals and transforms. Thus, a policy might be "3DES, with either SHA1 (preferred) or MD5." That's a policy. If you wanted to say "AES with MD5 (preferred) or SHA1, DHG5 (preferred) or DHG2," that's another policy. You can express many IPSEC policies; you can express only one IKE policy.

However, the problem is that there is only a single IKE policy (one "crypto isakmp" set of statements), which applies to the entire box. Notice that while it's an ordered list of proposals/transforms, it has no 'name', which means that you can't refer to it---you can't apply it to an interface, etc. That single IKE policy applies to all negotiations with all peers.

In the real world, it is actually IKE which is the problem in interoperability, rather than IPSEC. (See, for example, all of the discussions on the IETF IPSEC list about "son of ike".) Thus, while it's nice to have really sophisticated IPSEC knobs, most people are content with a single set of 3DES/SHA1/PFS-G2 kind of parameters and don't want to fiddle with them beyond that. The exception, of course, is in export controlled environments, but you can generally solve that with a single policy which has ordered transforms. But there's no problem here if Cisco gives you MORE flexibility than you want.

In the IKE policy, there is no analog to the extreme flexibility of the IPSEC policy. You can only create a single IKE "crypto map," and that map applies to any negotiations with any peers.

A secondary issue is that Cisco's ability to fine tune IKE/IPSEC parameters is fairly poor.
For example, you cannot specify whether you want SA lifetime to be expressed as ONLY time, or as ONLY bytes; you cannot specify that X.509 DNs be used with some peers and SubjectAltNames with others. (Generally, certificate support is the bare minimum required to say 'we support certs'; they could go a lot further in that direction. See, for example, the Contivity interface, which is both powerful and easy to use.)

jms

>Ref the example:
>If the router is running the below config and sets up a tunnel to gateway
>A.B.C.D, then it will negotiate the correct ISAKMP policy, this could be PSS
>or RSA-ENCR, the same when it sets up a tunnel to gateway W.X.Y.Z. This
>means that there is more than one policy on the device, but only the first
>policy that matches the remote policy will be used.
>crypto isakmp policy 21
> hash md5
> authentication pre-share
> group 2
> lifetime 57600
>!
>crypto isakmp policy 22
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
>crypto isakmp policy 26
> encr 3des
> hash md5
> authentication rsa-encr
> group 2
> lifetime 28800
>crypto isakmp key psssecret1 address A.B.C.D
>crypto isakmp key psssecret2 address W.X.Y.Z
>!
>!
>crypto ipsec transform-set transformset-1 esp-des esp-md5-hmac
>crypto ipsec transform-set transformset-2 esp-3des esp-md5-hmac
>!
>crypto key pubkey-chain rsa
> addressed-key A.B.C.D
>  address A.B.C.D
>  key-string
>   30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D03B5A
>   000AE463 32E9636E D3F822DE F520D31E BDBBCB00 6F0C47C5 B8F58D7E 5E25F4B9
>   0C9C2CEF 12F4C1A9 CD046732 4D3F12B2 D3355B70 0273D2A7 20D7EDAE E0D2F739
>   68807EF4 E7FAFE39 34C7B9BB CDF154A8 A9C4BD98 9A7BEEC0 B58B482D B436E43C
>   BD55E5BC B2E30886 D2427C5C C0B6332B 0DF2CB30 F742F737 EACC4088 5F020301
>   0001
>  quit
> !
>crypto map cryptomap 1 ipsec-isakmp
> set peer A.B.C.D
> set security-association lifetime seconds 28800
> set transform-set transformset-1
> match address 100
>!
>crypto map cryptomap 2 ipsec-isakmp
> set peer W.X.Y.Z
> set transform-set transformset-2
> set pfs group2
> match address 101
>!
>interface Tunnel0
> ip address 172.25.1.161 255.255.255.224
> no ip unreachables
> tunnel source 10.16.23.28
> tunnel destination 10.162.144.21
> crypto map cryptomap
>!
>interface Tunnel1
> ip address 10.10.10.9 255.255.255.252
> no ip unreachables
> tunnel source 10.132.78.3
> tunnel destination 14.228.170.55
> crypto map cryptomap
>!
>interface FastEthernet0
> crypto map cryptomap
>
>However, if you run IPSEC from one point to another and you want to have
>different policies for different combinations of destinations/sources, then
>you have no choice but to use a single IKE policy between the VPN routers,
>but you can create different IPSec policies (transforms) to protect some
>data streams in different ways.
>
>Sorry for the long mail .....
>
>cheers,
>Guy
>
>-----Original Message-----
>From: Tim Slighter [mailto:timslighter at home.com]
>Sent: Wednesday, October 03, 2001 10:33 PM
>To: vpn at securityfocus.com
>Subject: FW: [vpn] Review of 13 VPN products
>
>I believe what they may have been referring to is that only one ISAKMP can
>be matched against the outside interface at one single point in time.
>
>-----Original Message-----
>From: Dana J. Dawson [mailto:djdawso at qwest.com]
>Sent: Wednesday, October 03, 2001 12:04 PM
>To: Joel Snyder
>Cc: vpn at securityfocus.com
>Subject: Re: [vpn] Review of 13 VPN products
>
>Joel Snyder wrote:
>>
>> Folks:
>>
>> In case you hadn't seen it, Network World just published a review I did
>> of 13 different VPN products, focusing on site-to-site and enterprise
>> applications:
>>
>> http://www.nwfusion.com/reviews/2001/1001rev.html
>>
>> --
>> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
>> +1 520 324 0494 x101 (voice) +1 520 324 0495 (FAX)
>> jms at Opus1.COM http://www.opus1.com/jms Opus One
>> Electronic mail is always the best way to contact me.
>>
>
>I disagree with the assertion in the article that the Cisco products only
>allow a single IKE policy to be configured. Both IOS and the PIX allow multiple
>isakmp policy clauses, and it's not very hard to figure that out. If the
>people doing the testing missed something this obvious when configuring the
>Cisco gear, it makes me wonder how much else they might have missed. Because
>of this, I have serious doubts about the credibility of the testers and their
>results.
>
>Dana
>--
>Dana J. Dawson djdawso at qwest.com
>Senior Staff Engineer CCIE #1937
>Qwest Global Services (612) 664-3364
>Qwest Communications (612) 664-4779 (FAX)
>600 Stinson Blvd., Suite 1S
>Minneapolis MN 55413-2620
>"Hard is where the money is."

From dlongar at ibsys.com Thu Oct 4 10:48:53 2001
From: dlongar at ibsys.com (Longar, Dennis)
Date: Thu, 4 Oct 2001 09:48:53 -0500
Subject: [vpn] Review of 13 VPN products
Message-ID: <2193306919172547B8B169B499184FEA63BC58@osiris-a.ibsys.com>

The Cisco doesn't work based on IP address coming in, but I still say it supports multiple IKE policies. It's maybe just not as flexible in how it does it. So you're sort of right and we're sort of right. I think Guy Raymakers summed it up and provided IOS config for the Cisco. It's not per IP address or range, but it does negotiate multiple IKE policies.

>From: Guy
>Isn't it so that only one crypto map can be applied to one interface? This
>crypto map is really the collection of all IPSEC parameters for given
>connections (one crypto map can have multiple instances). However, to my
>knowledge, the IKE (ISAKMP) settings are not really matched with a crypto
>map.
>So if this is correct, this could imply that many IKE policies can be
>set for one crypto map and it's up to the IKE negotiation to pick the IKE
>policy that is matching.
>..

He provided configs for IOS .. And the 3000 works similarly.

Thanks!
-Dennis

> -----Original Message-----
> From: Joel M Snyder [mailto:Joel.Snyder at Opus1.COM]
> Sent: Wednesday, October 03, 2001 5:26 PM
> To: Dana J. Dawson
> Cc: Joel Snyder; vpn at securityfocus.com
> Subject: Re: [vpn] Review of 13 VPN products
>
>
> It's easy to make arrogant and unsupported statements like that, but it would
> be more useful to everyone --- including the un-credible author of the
> article --- if you would offer some proof.
>
> In the version of IOS and of PIX which was tested, I claim that you can have
> only a single IKE policy, which is an ordered list of IKE transforms and
> proposals which are acceptable. That policy may have multiple transforms, but
> you cannot express a policy such as, for example:
>
> When initiating an SA to 1.2.3.4, I would like to use certificates.
> When initiating an SA to 2.3.4.5, I would like to use PSS.
> When initiating an SA to 3.4.5.6, I would like to use certificates,
> but I would fall back to PSS.
> When initiating an SA to 4.5.6.7, I would like to use certificates,
> but I would fall back to encrypted nonces.
> When initiating an SA to 5.6.7.8, I would like to use PSS, but I
> would also be willing to use certificates.
>
> If you can offer a working Cisco config on a GD release, I'll happily
> apologize and offer a correction.
>
> jms
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v)    +1 520 324 0495 (FAX)
> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
>
>
> >Joel Snyder wrote:
> >>
> >> Folks:
> >>
> >> In case you hadn't seen it, Network World just published a review I did
> >> of 13 different VPN products, focusing on site-to-site and enterprise applications:
> >>
> >> http://www.nwfusion.com/reviews/2001/1001rev.html
> >>
> >> --
> >> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> >> +1 520 324 0494 x101 (voice)    +1 520 324 0495 (FAX)
> >> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
> >> Electronic mail is always the best way to contact me.

From sysadmin at rckc.org Thu Oct 4 11:43:08 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Thu, 4 Oct 2001 08:43:08 -0700
Subject: [vpn] Assistance please?

Les:

Thank you for responding to my query. The two systems connect to the internet
via a DSL connection over TCP/IP. Proxy has not been implemented.
This is a very small office that only has two 98 machines that are connected
together in a workgroup. I do not intend to use NAT.

The purpose for the tunnel is so my consultant can dial in and periodically
update a proprietary database. The server that the 98 machine will be
connecting to is running Proxy.

Your assistance is much appreciated.

Greg

-----Original Message-----
From: Les W. Salmon [mailto:Les.Salmon at vanguardadmin.com]
Sent: Thursday, October 04, 2001 7:43 AM
To: Greg W. Gordon
Subject: RE: [vpn] Assistance please?

It is very important to know how these two separate systems connect to the
Internet (if that is the transport to be used for the data), i.e. what
Internet sharing has been implemented; Proxy Server etc., and whether NAT
(Network Address Translation) is used, and if the NAT can be switched on or
off.

Obviously, if a firewall is in place, as it should be, then port 1723 and IP
Protocol 47 have to be opened and enabled through the firewall.

Rgds
Les

-----Original Message-----
From: Greg W. Gordon [mailto:sysadmin at rckc.org]
Sent: 04 October 2001 15:21
To: vpn at securityfocus.com
Subject: [vpn] Assistance please?

Hello:

Anyone willing to take pity on a newbie? I am a new member of this list and
have a pretty basic question. I would appreciate any assistance you can give
me.

I am a sysadmin for a non-profit organization. Would it be at all possible for
someone to detail the steps of establishing a VPN between a 98 box with a DSL
connection and a 2000 server with a DSL connection? The two respective
machines are in two different cities. I do not need anything complicated, just
the basics. I admit it, I am new and over my head. I appreciate all the help
the list members can give me.

Greg W. Gordon
Systems Administrator
Recovery Centers of King County

From sysadmin at rckc.org Thu Oct 4 12:01:59 2001
From: sysadmin at rckc.org (Greg W.
Gordon)
Date: Thu, 4 Oct 2001 09:01:59 -0700
Subject: [vpn] Assistance please?

Yes, the ports you mention are in fact open. If you want to do a little port
sniffing and have the ability then, 63.226.252.57. Yes, RRAS is started and a
dial-in account is set.

What I need from this point I guess is the specifics of what needs to happen
on the workstation end. I know this seems incredibly basic and believe me I
appreciate it, but I have never actually configured the client end. I have
had the comfort of being able to use consultants.

Again, I appreciate your assistance.

-----Original Message-----
From: Les W. Salmon [mailto:Les.Salmon at vanguardadmin.com]
Sent: Thursday, October 04, 2001 9:04 AM
To: Greg W. Gordon
Subject: RE: [vpn] Assistance please?

Further then, to my previous advice, the Proxy on the Server may have a
built-in firewall etc. As long as the port and IP protocol have been opened,
then there should be no problems in connecting.

Now, have you actually started the Routing and RAS service on the Win2K
Server? This is automatically done when you first attempt to set up Remote
Access to the Server. To do this, if your Win2K Server belongs to a domain,
then you [Right-Click] on My Computer, then click Manage. At the very bottom
of the Snap-in is Routing and Remote Access. From Action, choose the Start, or
New option (sorry I can't remember what it was), and see how far you get;
don't be afraid to enter information, it can all be changed later.
From djdawso at qwest.com Thu Oct 4 19:36:10 2001
From: djdawso at qwest.com (Dana J.
Dawson)
Date: Thu, 04 Oct 2001 18:36:10 -0500
Subject: [vpn] Review of 13 VPN products
References: <3BBA65B8.ACBAD526@opus1.com> <01K92IINQS6E9ED93E@Opus1.COM>
Message-ID: <3BBCF26A.8EE422AE@qwest.com>

I think at least part of the issue here is with semantics rather than
technology (specifically with the word "policy"), but I stand by my initial
comments. Here's why:

This is the statement from the article that triggered my response:

> To keep VPN configuration manageable within the command line environment, Cisco
> allows for only a single Internet Key Exchange (IKE) policy per system.

Here's a quote from the online Cisco IOS documentation for version 12.0 IOS,
which is the most recent version of IOS that has any releases that are GD. The
same text appears in subsequent versions of IOS documentation:

> IKE negotiations must be protected, so each IKE negotiation begins by each
> peer agreeing on a common (shared) IKE policy. This policy states which
> security parameters will be used to protect subsequent IKE negotiations.
>
> After the two peers agree upon a policy, the security parameters of the
> policy are identified by a security association established at each peer,
> and these security associations apply to all subsequent IKE traffic during
> the negotiation.
>
> You can create multiple, prioritized policies at each peer to ensure that
> at least one policy will match a remote peer's policy.

The above quote can be found at this URL:

So, given that the original (and rather general) statement from the article
and Cisco's documentation are directly at odds, it hardly seems "arrogant" to
question the statement from the article, especially when one can, indeed,
configure multiple isakmp policies (using Cisco's use of the term) in a
router, just as Mr. Raymakers did. I would expect it to be possible to create
a configuration similar to Raymakers' that would behave the way Mr. Snyder
describes below, though I admit that I have not done so.
My understanding of the intent behind multiple isakmp policies in IOS (or
policy clauses, or whatever you want to call them) suggests to me that it
should work, however. If the testers were not able to do so, perhaps it was
due to a bug in the level of software they were using, especially if they
restricted themselves to using only General Deployment software. VPN
technology is still new enough that one must be willing to use the latest
available software. The article didn't specify what software was used. It's
certainly possible that they did use the latest software and that it still
didn't work.

In any event, I do not see the justification for the description in the
article that the reason was "to keep VPN configuration manageable within the
command line environment." To me, that appears to be an assumption on the
part of the author that is not supported by Cisco's documentation.

While I did not include the specific reference above in my initial message, I
also stand by my statement that it's easy to find the above referenced
documentation.

Was it appropriate for me to question the testers' credibility? I'll let the
individuals who subscribe to this list decide that for themselves. Personally,
I expect anyone who publishes results of tests of this sort, especially in a
widely respected technical publication, to do a thorough job of researching
the subject and presenting their results. On this particular technical point,
and I'll grant that it's perhaps a small one, I don't think an adequate job
was done. Describe that how you like. Given one such discrepancy in an
article of such scope, is it unreasonable to question the rest of the article?
Perhaps, perhaps not, but I did.

These are the justifications I had for stating my opinions, which is all they
were - opinions. Others should read the article for themselves and form their
own opinions.
Based on the discussions that followed my original message, I've also formed
additional opinions, but I'll keep them to myself. Please feel free to direct
any additional comments you may have on this topic to me directly.

Dana

--
Dana J. Dawson            djdawso at qwest.com
Senior Staff Engineer     CCIE #1937
Qwest Global Services     (612) 664-3364
Qwest Communications      (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

Joel M Snyder wrote:
>
> It's easy to make arrogant and unsupported statements like that, but it would
> be more useful to everyone --- including the un-credible author of the
> article --- if you would offer some proof.
>
> In the version of IOS and of PIX which was tested, I claim that you can have
> only a single IKE policy, which is an ordered list of IKE transforms and
> proposals which are acceptable. That policy may have multiple transforms, but
> you cannot express a policy such as, for example:
>
>   When initiating an SA to 1.2.3.4, I would like to use certificates.
>   When initiating an SA to 2.3.4.5, I would like to use PSS.
>   When initiating an SA to 3.4.5.6, I would like to use certificates,
>     but I would fall back to PSS.
>   When initiating an SA to 4.5.6.7, I would like to use certificates,
>     but I would fall back to encrypted nonces.
>   When initiating an SA to 5.6.7.8, I would like to use PSS, but I
>     would also be willing to use certificates.
>
> If you can offer a working Cisco config on a GD release, I'll happily
> apologize and offer a correction.
>
> jms
>
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Phone: +1 520 324 0494 x101 (v)    +1 520 324 0495 (FAX)
> jms at Opus1.COM    http://www.opus1.com/jms    Opus One
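To make the matching rule in the Cisco documentation that Dana quotes above concrete, here is an added Python model. It is an editor's example, not code from the list, from Cisco or from any participant, and it follows the rule as the IOS 12.x IKE configuration guide of that era described it: the initiator offers all of its policies, and the responder walks its own list in priority order (lowest number first) and takes the first entry for which some offered policy has the same encryption, hash, authentication method and Diffie-Hellman group and a lifetime no longer than its own. The hub and branch policy lists, the peer names and the weak_entries audit helper are all constructed for the example; the lifetime rule is the documented one and the model does not claim to reproduce any particular IOS release.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <n>' entry; the lower n, the earlier it is tried."""
    priority: int
    encryption: str        # "des", "3des", ...
    hash_alg: str          # "sha", "md5"
    authentication: str    # "rsa-sig", "pre-share", "rsa-encr"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds

    def transform(self) -> tuple:
        return (self.encryption, self.hash_alg, self.authentication, self.group)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Documented IOS 12.x rule (modelled, not vendor code): the responder scans
    its own policies by priority and accepts the first one for which an offered
    policy has the identical transform and a lifetime <= the responder's.
    Returns (responder policy that matched, negotiated lifetime) or None."""
    offers = sorted(initiator, key=lambda p: p.priority)
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in offers:
            if theirs.transform() == mine.transform() and theirs.lifetime <= mine.lifetime:
                return mine, min(theirs.lifetime, mine.lifetime)
    return None


# Audit helper (constructed): entries any peer can negotiate the hub down to.
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {1}


def weak_entries(policies: List[IsakmpPolicy]) -> List[IsakmpPolicy]:
    return [p for p in policies
            if p.encryption in WEAK_ENCRYPTION
            or p.hash_alg in WEAK_HASH
            or p.group in WEAK_GROUPS]


# Constructed hub router: certificates preferred, PSK second, a legacy entry last.
HUB = [
    IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2),
    IsakmpPolicy(30, "des", "md5", "pre-share", 1, lifetime=3600),
]


def demo() -> Dict[str, Optional[Tuple[int, int]]]:
    """Several constructed branches each initiate to HUB; the result per branch is
    (hub policy number that matched, negotiated lifetime) or None."""
    cases = {
        "cert_branch": [IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2)],
        "psk_branch": [IsakmpPolicy(10, "3des", "sha", "pre-share", 2, lifetime=28800)],
        # offers a lifetime longer than hub policy 30 allows -> no match
        "legacy_box_long_life": [IsakmpPolicy(10, "des", "md5", "pre-share", 1)],
        "legacy_box": [IsakmpPolicy(10, "des", "md5", "pre-share", 1, lifetime=3600)],
        "aes_only": [IsakmpPolicy(10, "aes", "sha", "rsa-sig", 5)],
    }
    out: Dict[str, Optional[Tuple[int, int]]] = {}
    for name, offers in cases.items():
        hit = negotiate(offers, HUB)
        out[name] = None if hit is None else (hit[0].priority, hit[1])
    return out


# When both sides list two authentication methods, whose ordering decides?
DUAL_BRANCH = [IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2),
               IsakmpPolicy(20, "3des", "sha", "pre-share", 2)]
HUB_PSK_FIRST = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2),
                 IsakmpPolicy(20, "3des", "sha", "rsa-sig", 2)]


def responder_order_wins() -> str:
    """The branch prefers certificates, but the responder scans its own list
    first, so its priority 10 (pre-share) is what gets used."""
    hit = negotiate(DUAL_BRANCH, HUB_PSK_FIRST)
    return hit[0].authentication if hit else "no match"


if __name__ == "__main__":
    for branch, result in demo().items():
        print(f"{branch:22s} -> {result}")
    print("dual-method branch vs PSK-first hub ->", responder_order_wins())
    print("weak hub entries:", [p.priority for p in weak_entries(HUB)])
```

Two things a practitioner takes from running it. First, which entry is chosen depends on the responder's ordering and on the offered transforms, not on who the peer is, so in this model the per-peer preferences in Snyder's list are not something the policy list by itself expresses. Second, every entry in the list is negotiable: the DES/MD5/group 1 entry kept for one old box is available to any peer that offers nothing stronger, which is why the audit helper flags it.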
From cgripp at axcelerant.com Thu Oct 4 18:44:14 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Thu, 4 Oct 2001 15:44:14 -0700
Subject: [vpn] RE: MTU Problems
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016CD1@guam.corp.axcelerant.com>

RedCreek also has a setting for 'ignore don't frag bit'

-----Original Message-----
From: Goldsmith, Eric [mailto:EGoldsmith at SmartPipes.com]
Sent: Thursday, October 04, 2001 7:33 AM
To: 'David McNeese'; vpn at securityfocus.com
Subject: [vpn] RE: MTU Problems

David,

What you're seeing is an issue that has plagued VPNs since their beginnings.
The way to "fix" it is to find and correct the cause of the blocked ICMP
messages (what you refer to as "NACK"). Easier said than done.

It's worth noting that Yahoo is not alone. Many Web sites are affected by this
issue. I was in contact with a Yahoo network engineer about this issue some
weeks ago. He assured me that Yahoo is not blocking such messages and that it
is likely someone upstream of them (i.e. their provider). The blocking of
these messages can be caused by many things including misconfigured routers
and buggy router software.

I have found two workarounds that you might try. The first is to reduce the
MTU setting on the client machine behind your VPN gateway. This causes the TCP
sessions with the data source (Yahoo, in this case) to negotiate a smaller MSS
(related to MTU), causing the source to send smaller packets. On Windows
machines, this involves editing the registry, but can be automated by a tool
recommended by Cisco called DrTCP
(http://www.dslreports.com/front/DRTCP019.exe). An MTU value of 1400 is
recommended in this situation.

Obviously, the workaround above is not desirable if you have many client
machines, or you're not able to 'touch' them.
Another option is to modify the behavior of the DF bit on the gateway facing
the Internet so that you can force it off for the IPSec packets. This has the
effect of allowing fragmentation between the tunnel endpoints. This will
negatively impact performance due to the large number of fragments that will
be created, and because the fragments will be small packets. But it beats the
alternative of no connectivity to the affected sites. Although controlling the
DF bit is required in the IPSec RFC (section 6.1.1 of RFC 2401), I only know
of one vendor to have implemented it - Cisco with IOS 12.2(2)T
(http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm).

Good luck.

-Eric

-----Original Message-----
From: David McNeese [mailto:dmcneese at lanl.gov]
Sent: Wednesday, October 03, 2001 5:14 PM
To: vpn at securityfocus.com
Subject: MTU Problems

We have recently begun to have problems accessing some web sites via our VPN
connections. We are using an Intel NetStructure as well as an Intraport 2+.

Here's what has started: The VPN process must add some additional information
to the headers of each frame; as a result the MTU is somewhat less than 1500
bytes. There are several web sites (Yahoo in particular) that are sending data
to us in 1500 byte frames with the "Do Not Fragment Bit" set. The result is,
our boxes throw the frames away because they aren't allowed to fragment them.
A message (NACK) is sent back to the website requesting smaller frames (part
of the RSVP protocol) or asking that the "do not fragment bit" not be set. We
still get the 1500 byte frames so the client can't get the page.

Has anybody else run into this? Are you aware of a solution (it seems to me it
is a config problem at Yahoo)?

Thanks!

*************************************************************
"Cheer up, things could be worse. So I cheered up and sure enough, things got
worse."
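The failure David McNeese describes and the two workarounds in Eric Goldsmith's reply, as an added Python model. This is an editor's example, not code from the list or from any vendor. The encapsulation overhead, the 4200-byte page and the gateway class are constructed; the 1400-byte value is the client MTU the thread recommends, and the DF-bit override stands in for the behaviour Goldsmith attributes to RFC 2401 section 6.1.1. The sender side is a minimal path-MTU discovery loop: send with DF set, shrink on an ICMP "fragmentation needed", otherwise retransmit.

```python
from typing import Dict, List, Tuple, Union

LINK_MTU = 1500
ENCAP_OVERHEAD = 100                      # constructed round figure for GRE/ESP bytes
TUNNEL_MTU = LINK_MTU - ENCAP_OVERHEAD    # 1400: the client MTU the thread recommends


class VpnGateway:
    """The gateway in front of the client (constructed model).

    icmp_reaches_server: whether the ICMP 'fragmentation needed' this gateway
    emits survives the trip back to the web server. Firewalls, buggy routers
    and load balancers in front of the server are all ways for it to vanish.
    clear_df: the DF-bit override; oversized packets are fragmented instead of
    dropped."""

    def __init__(self, icmp_reaches_server: bool = True, clear_df: bool = False):
        self.icmp_reaches_server = icmp_reaches_server
        self.clear_df = clear_df

    def forward(self, size: int, df: bool) -> Tuple[str, Union[List[int], int, None]]:
        if size <= TUNNEL_MTU:
            return "forwarded", [size]
        if df and not self.clear_df:
            if self.icmp_reaches_server:
                return "icmp_frag_needed", TUNNEL_MTU   # type 3 code 4 with next-hop MTU
            return "dropped", None                    # black hole: nobody tells the sender
        frags, remaining = [], size
        while remaining > 0:                          # header repetition ignored here
            frags.append(min(remaining, TUNNEL_MTU))
            remaining -= TUNNEL_MTU
        return "fragmented", frags


def transfer(gateway: VpnGateway, total_bytes: int,
             server_packet_limit: int = LINK_MTU, max_retries: int = 3) -> Dict[str, object]:
    """A web server pushes total_bytes toward the client with DF set, doing PMTUD.

    server_packet_limit is the largest packet the server will build. Lowering
    the client's MTU lowers the MSS it advertises, which caps this value; the
    model treats the cap as equal to the client MTU for simplicity."""
    pmtu = server_packet_limit
    sent = packets = fragments = retries = 0
    while sent < total_bytes:
        size = min(pmtu, total_bytes - sent)
        packets += 1
        status, info = gateway.forward(size, df=True)
        if status == "forwarded":
            sent += size
        elif status == "fragmented":
            sent += size
            fragments += len(info)
        elif status == "icmp_frag_needed":
            pmtu = info                    # PMTUD works: shrink and carry on
        else:
            retries += 1                   # same oversized packet, again and again
            if retries > max_retries:
                return {"result": "black hole", "delivered": sent, "packets": packets}
    return {"result": "ok", "delivered": sent, "packets": packets,
            "fragments": fragments, "pmtu": pmtu}


PAGE = 4200   # constructed payload: three full-size packets' worth


def healthy_path():
    return transfer(VpnGateway(), PAGE)


def black_hole():
    return transfer(VpnGateway(icmp_reaches_server=False), PAGE)


def client_mtu_1400():
    """Goldsmith's first workaround: the client MTU (and so the MSS) is lowered."""
    return transfer(VpnGateway(icmp_reaches_server=False), PAGE,
                    server_packet_limit=TUNNEL_MTU)


def clear_df_on_gateway():
    """Goldsmith's second workaround: the gateway ignores DF and fragments."""
    return transfer(VpnGateway(icmp_reaches_server=False, clear_df=True), PAGE)


if __name__ == "__main__":
    for name, fn in [("healthy", healthy_path), ("ICMP blocked", black_hole),
                     ("client MTU 1400", client_mtu_1400), ("clear DF", clear_df_on_gateway)]:
        print(f"{name:16s} {fn()}")
```

The run shows why the failure is silent: with the ICMP blocked, every retransmission from the server is the same oversized packet, so the client only sees a page that never loads. Lowering the client MTU fixes it without touching anything on the path, and clearing DF fixes it at the cost of a 100-byte trailing fragment behind each full-size packet, which is the performance penalty Goldsmith warns about. A load balancer that does not pass the ICMP on to the real server is just another way to end up in the icmp_reaches_server=False case.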
David McNeese
CCN-5 Network Services Team
MS B255
505-667-5226 (voice)
dmcneese at lanl.gov

From lists at fips.de Thu Oct 4 20:27:20 2001
From: lists at fips.de (Philipp Buehler)
Date: Fri, 5 Oct 2001 02:27:20 +0200
Subject: [vpn] Review of 13 VPN products
In-Reply-To: <01K93GKGVIIS9ED94R@Opus1.COM>; "Joel M Snyder" on 04.10.2001 @ 16:38:57 CEST
References: <01K93GKGVIIS9ED94R@Opus1.COM>
Message-ID: <20011005022720.A2961@pohl.fips.de>

On 04/10/2001, Joel M Snyder wrote Cc vpn at securityfocus.com:
> In the real world, it is actually IKE which is the problem in interoperability,
> rather than IPSEC. (See, for example, all of the discussions on the IETF IPSEC

And this not only for a short time. They *all* claim to be "compatible", but
IKE/isakmp "issues" are always there.

> In the IKE policy, there is no analog to the extreme flexibility of the IPSEC
> policy. You can only create a single IKE "crypto map," and that map applies to
[.. more like that ..]

Yes, and this is so for almost any commercial product out there. Picking out
the "Leader" Checkpoint, you actually *can* tune about "any" parameter for
isakmp - but not always via the GUI - and you don't want people to fiddle in
their .C files by hand, do you? :)

I was testing several systems against the isakmpd from OpenBSD (due to
massive possibilities in "fine" tuning and *extreme* debugging) 'cause
$customer is planning to connect a real variety of current products in the
IPsec/IKE sector.

Cross-platform between commercial ones? Can work.. can fail after "updating"
one peer for some other reason.. Nice, isn't it?

Why does this remind me all day long of the years when PPP came up as
"Industry Standard"? Because they only do <95% of it; the rest is filled up
w/ "enhancements" (of course for OUR beloved customers (and our single point
of sales)).

Conclusion: Stay as homogeneous as you can (regarding IKE).
Say all "foreign" fw1 peers go to fw1, cisco to cisco .. put them back to back
via unencrypted (crosscable) links. Use a 'multi-purpose' isakmpd (like
OpenBSD or sometimes FreeS/WAN) for the "uncommon" rest.

I hear "complex" and "difficult"? Well, it needs very good planning, don't
"rush" for it.. Management? Sure a task, but I prefer running networks over
"easy to manage" failing networks.

The so-called "management" is usually some GUI, supported by "industry
leading" technologies like LDAP/XML/ In the real world it will fail -
especially for heterogeneous networks. "Easy Management" lures people into the
misunderstanding that IPsec/IKE is something to be set up via mouse clicks.
Ack'd, it *can* make the task easier or not (ever scripted in a GUI? :>) - but
don't expect it to substitute for the lack of knowledge about what is going
on.

ciao
--
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH |
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?

From evyncke at cisco.com Fri Oct 5 01:11:01 2001
From: evyncke at cisco.com (Eric Vyncke)
Date: Fri, 05 Oct 2001 07:11:01 +0200
Subject: [vpn] RE: MTU Problems
In-Reply-To: <4652644B98DFF34696801F8F3070D3FE76AD9B@D2CSPEXM001.smartpipes.com>
Message-ID: <4.3.2.7.2.20011005070921.022ed948@brussels.cisco.com>

At 14:33 4/10/2001 +0000, Goldsmith, Eric wrote:
..%<....%<......
>I was in contact with a Yahoo network engineer about this issue some weeks
>ago. He assured me that Yahoo is not blocking such messages and that it is
>likely someone upstream of them (i.e. their provider). The blocking of these
>messages can be caused by many things including misconfigured routers and
>buggy router software.

One common issue on large web sites is the load balancing switches or
devices. Those devices usually are not able to handle ICMP directed to the
virtual server.
Hence, even if no firewall or ACL blocks those ICMP messages, they are not
forwarded by the load balancing switches...

-eric

From hamlet_av at ciaoweb.it Fri Oct 5 13:23:00 2001
From: hamlet_av at ciaoweb.it (hamlet_av at ciaoweb.it)
Date: Fri, 5 Oct 2001 19:23:00 +0200
Subject: [vpn] vpn client on unix
Message-ID: <1a3001c14dc2$61dd6ce0$266d5897@ciaoweb>

acting as client for a service. We would like to use a VPN system (with
digital certificate authentication) to encrypt communications between client
and servers. I'm looking for Unix VPN clients, but it seems that no commercial
tool is available. Can you suggest something?

Thanks
Vincenzo

From kpasley6 at home.com Fri Oct 5 16:03:52 2001
From: kpasley6 at home.com (Keith Pasley, CISSP)
Date: Fri, 5 Oct 2001 16:03:52 -0400
Subject: [vpn] vpn client on unix
References: <1a3001c14dc2$61dd6ce0$266d5897@ciaoweb>
Message-ID: <004201c14dd8$dc2a9f20$01000001@CP531435A>

V-ONE has a Linux VPN client. www.v-one.com

Also, most distributions of Linux come with FreeS/WAN IPSec.

Keith

----- Original Message -----
Sent: Friday, October 05, 2001 1:23 PM
Subject: [vpn] vpn client on unix
From peter at grole.org Fri Oct 5 14:27:19 2001
From: peter at grole.org (Peter Walker)
Date: Fri, 05 Oct 2001 10:27:19 -0800
Subject: [vpn] Advice needed
Message-ID: <12249513.1002277639@[10.3.9.49]>

Folks

I don't know if any of you out there can offer some advice, but here is my
situation.

At the company where I work we were sold a PGP/NAI package that included the
necessary licenses to run Gauntlet VPN and PGP clients across our corporate
network. So we now have a Gauntlet 5.5 NT VPN server in our head office and a
number of road warriors running PGP's VPN client (we liked the personal packet
filter/firewall features included).

For some people this worked great. For some others the PGP client just plain
would not work on their machines (particularly on IBM laptops for some
reason).

Due to the problems with the client software we purchased a number of PGP's
new e-ppliance boxes. These were chosen because they should work easily with
Gauntlet VPN and they had the built-in firewalling, NAT and DHCP
functionality we wanted. These don't support certificates for authentication
so we had to use pre-shared keys, but we were able to live with this.

Now we are starting to run into another problem that I just can't see an easy
solution for. A number of the users with the e-ppliances have DSL or Cable
internet connections with dynamic IP addresses allocated when they "connect".
This is where the big problem is. With network to network IPSEC tunnels using
pre-shared keys both Gauntlet VPN and the e-ppliances require that the IP
address of the other end of the link be statically defined.
What this basically means is that every time the remote user's ISP connection
is closed down (for whatever reason) they are unable to use the VPN until
someone in the head office reconfigures the Gauntlet VPN server with their new
IP address. This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again
(both for political and financial reasons). It is possible that we could
replace the client end software/hardware for the problem cases, and we could
perhaps stretch the budget to an IOS upgrade to a 3DES version on one of our
routers, but if I do that I have to be sure that whatever we do is sure to
work.

So what would your advice be?

Thanks in advance

Peter Walker

From timslighter at home.com Fri Oct 5 15:33:09 2001
From: timslighter at home.com (Tim Slighter)
Date: Fri, 5 Oct 2001 12:33:09 -0700
Subject: [vpn] vpn client on unix
In-Reply-To: <1a3001c14dc2$61dd6ce0$266d5897@ciaoweb>
Message-ID: <001e01c14dd4$90c85c60$0201a8c0@timothy>

Cisco just put out a Red Hat/Linux based VPN client for use with the
3000-5000 concentrators.

-----Original Message-----
From: hamlet_av at ciaoweb.it [mailto:hamlet_av at ciaoweb.it]
Sent: Friday, October 05, 2001 10:23 AM
To: vpn at securityfocus.com
Cc: hamlet_av at ciaoweb.it
Subject: [vpn] vpn client on unix
From MaXsecurity at interfree.it Sat Oct 6 02:58:43 2001
From: MaXsecurity at interfree.it (MaXsecurity at interfree.it)
Date: Sat, 6 Oct 2001 08:58:43 +0200
Subject: [vpn] vpn client for handheld
Message-ID: <6844288015.20011006085843@interfree.it>

Hello,

I am analyzing the possibility to connect to a corporate network from a
handheld computer (palmOS, Psion Epoc or Win CE) through a VPN.

What clients are there to establish an IPSEC VPN from these handheld
computers? Did you try them? Are they stable and fast enough to read e-mail,
and do some browsing?

I'd appreciate any feedback.
Thanks in advance.

MaX

From bugtraq at seifried.org Sun Oct 7 03:07:22 2001
From: bugtraq at seifried.org (Kurt Seifried)
Date: Sun, 7 Oct 2001 01:07:22 -0600
Subject: [vpn] vpn client for handheld
References: <6844288015.20011006085843@interfree.it>
Message-ID: <001101c14efe$b8d7e1a0$6400030a@seifried.org>

> Hello,
>
> I am analyzing the possibility to connect to a corporate network
> from a handheld computer (palmOS, Psion Epoc or Win CE) through a
> VPN.
>
> What clients are there to establish an IPSEC VPN from these
> handheld computers? Did you try them? Are they stable and fast
> enough to read e-mail, and do some browsing?

http://newsroom.cisco.com/dlls/prod_040401.html
http://www.bright.net/roaming/workar.html

etc, courtesy of Google. The Palm Pilot IPsec client is not the fastest
though (16 MHz CPU, whaddya expect?).

> I'd appreciate any feedback.
> Thanks in advance.
>
> MaX

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF  AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

From jmuniz at loudcloud.com Sun Oct 7 13:10:47 2001
From: jmuniz at loudcloud.com (Jose Muniz)
Date: Sun, 07 Oct 2001 10:10:47 -0700
Subject: [vpn] Looking for client that works with Netscreen and Checkpoint
References: <4111B28AD166D311954B009027AFC929DEC9DA@vsepostal.verisign.com>
Message-ID: <3BC08C97.A1763702@loudcloud.com>

You are actually quite right. Once you start to see several proxy IPs, that is
several subnets behind your gateway, then you'll be in trouble. If you have a
VRRP HA Checkpoint then things will break, as IKE negotiations happen against
the interface IP and not the VRRP IP.

In a situation like this, if you think about it, it will be more cost
effective to get rid of the Checkpoints and stick with Netscreens all the way.
I heard folks react quite interestingly when you say that.. "replace them"...
If you do the analysis, then you will realize that by doing that "replacing"
you will be saving money. As you can see the administration time will be
lower, you will have a more solid solution, and the recovery time in case of
disaster recovery will be a fraction of the time that the recovery of the
Checkpoint will take.

Stick to the good stuff... [NS]
Get rid of the problems... [ChPoints]

Jose.

"Paige, Randall" wrote:
> Checkpoint is going to be an issue. I do not know
> of anyone using a non-vpn client with a Checkpoint FW.
> I am told it can be done but with great limitations.
> Checkpoint has always added proprietary features to its remote
> access feature.
>
> -----Original Message-----
> From: Jose Muniz [mailto:jmuniz at loudcloud.com]
> Sent: Tuesday, October 02, 2001 8:49 PM
> To: Ben Keepper
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Looking for client that works with Netscreen and
> Checkpoint
>
> Try the F-Secure Client..
> http://www.f-secure.com
>
> Jose.
>
> Ben Keepper wrote:
> >
> > I apologize for not doing my research first, but I am in a hurry.
> > Looking for a client (PGPnet, Safenet, SecureClient/Remote) that works
> > with both Netscreen and Checkpoint firewalls.
> >
> > Not looking for their marketing (our implementation uses standards)
> > blah-blah, but somebody really doing it in a production environment.
> >
> > Has anybody done this with Win2K IPSEC?
> >
> > If somebody knows of one, can you point me at the documentation?
> >
> > TIA,
> >
> > Ben Keepper

From ytchu at ozemail.com.au Mon Oct 8 10:34:28 2001
From: ytchu at ozemail.com.au (Yin To Chu)
Date: Tue, 9 Oct 2001 00:34:28 +1000
Subject: [vpn] vpn client for handheld
In-Reply-To: <001101c14efe$b8d7e1a0$6400030a@seifried.org>
Message-ID: <001301c15006$56e1a9a0$280001d2@ytcp3>

AdmitOne
http://www.tril-inc.com/body.prod.info.html
and
MovianVPN
http://www.certicom.com/products/movian/movianvpn.html

For WinCE, Palm (only the second) and other Windows. Checkpoint has a beta
VPN client on CE, I heard, but not confirmed.

yt

-----Original Message-----
From: Kurt Seifried [mailto:bugtraq at seifried.org]
Sent: Sunday, October 07, 2001 5:07 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: [vpn] vpn client for handheld

http://newsroom.cisco.com/dlls/prod_040401.html
http://www.bright.net/roaming/workar.html

etc, courtesy of Google. The Palm Pilot IPsec client is not the fastest
though (16 MHz CPU, whaddya expect?).
> > MaX

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

From cgripp at axcelerant.com Mon Oct 8 13:58:44 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Mon, 8 Oct 2001 10:58:44 -0700
Subject: [vpn] Advice needed
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D45EB@guam.corp.axcelerant.com>

What you are looking for is an implementation that supports Aggressive mode negotiation. To be honest I haven't seen one yet that didn't, but I know nothing about the PGP implementation. I would start searching for material on using Aggressive mode with PGPvpn.

-----Original Message-----
From: Peter Walker [mailto:peter at grole.org]
Sent: Friday, October 05, 2001 11:27 AM
To: vpn at securityfocus.com
Subject: [vpn] Advice needed

Folks

I don't know if any of you out there can offer some advice, but here is my situation.

At the company where I work we were sold a PGP/NAI package that included the necessary licenses to run Gauntlet VPN and PGP clients across our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our head office and a number of road warriors running PGP's VPN client (we liked the personal packet filter/firewall features included).

For some people this worked great. For some others the PGP client just plain would not work on their machines (particularly on IBM laptops for some reason).

Due to the problems with the client software we purchased a number of PGP's new e-ppliance boxes. These were chosen because they should work easily with Gauntlet VPN and they had the built-in firewalling, NAT and DHCP functionality we wanted. These don't support certificates for authentication so we had to use pre-shared keys, but we were able to live with this.

Now we are starting to run in to another problem that I just can't see an easy solution for.
A number of the users with the e-ppliances have DSL or cable internet connections with dynamic IP addresses allocated when they "connect". This is where the big problem is. With network-to-network IPSEC tunnels using pre-shared keys, both Gauntlet VPN and the e-ppliances require that the IP address of the other end of the link be statically defined. What this basically means is that every time the remote user's ISP connection is closed down (for whatever reason) they are unable to use the VPN until someone in the head office reconfigures the Gauntlet VPN server with their new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again (both for political and financial reasons). It is possible that we could replace the client end software/hardware for the problem cases, and we could perhaps stretch the budget to an IOS upgrade to a 3DES version on one of our routers, but if I do that I have to be sure that whatever we do is sure to work.

So what would your advice be?

Thanks in advance

Peter Walker

From AndrewL at ipuk.com Mon Oct 8 05:43:17 2001
From: AndrewL at ipuk.com (Andy Lawrence)
Date: Mon, 8 Oct 2001 10:43:17 +0100
Subject: [vpn] Newbie vpn question
Message-ID: <41CD6F34391E7C4DA6DC0D352F0DABCF130B6D@nt0200.ipuk.local>

We have a SonicWall Pro VX which provides firewalling for our network, which is connected via a leased line. The firewall is doing NAT.

We have account managers dotted around the country and they can connect to our network via VPN using some client software on their laptops and a standard Internet dial-up via modems. I have set up an account for them on the firewall with keys etc. and this all works fine.

We then wanted to expand this slightly and connect a remote office with 4-5 PCs.
I started to experiment at the remote office using an (oldish) ACC Congo router to provide the Internet connection, but I couldn't get it to work, although on the same machines if I used a modem connection it did. Our firewall people have said that the VPN and client software was set up correctly and it might be that the router doesn't support IPsec passthrough.

My question(s) (you knew it would arrive soon!) are thus:

Where can I find out more good information on this? So far I've looked on the Internet and read conflicting information.

How likely is it that a new router would support it, and is it easy to tell if it will?

Is there a date before which routers are unlikely to have support built in, as it wasn't about?

Anybody's views on a good cheap router which will support IPsec passthrough?

TIA

Andy

From Kevin_Butters at NAI.com Mon Oct 8 16:10:48 2001
From: Kevin_Butters at NAI.com (Butters, Kevin)
Date: Mon, 8 Oct 2001 15:10:48 -0500
Subject: [vpn] Advice needed
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter,

Only the new v2.0 E Appliances support aggressive mode. All the v1.5 E Appliances and the Gauntlet NT VPN gateways only support main mode.

Kevin Butters
Security Engineer
Network Associates Inc.
PGP Fingerprint 7AB4 5B76 5FEB 42FD 13A5 0BA6 6DDF 11A5 6570 CE07

- -----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Monday, October 08, 2001 10:59 AM
To: Peter Walker; vpn at securityfocus.com
Subject: RE: [vpn] Advice needed

What you are looking for is an implementation that supports Aggressive mode negotiation. To be honest I haven't seen one yet that didn't, but I know nothing about the PGP implementation. I would start searching for material on using Aggressive mode with PGPvpn.
- -----Original Message-----
From: Peter Walker [mailto:peter at grole.org]
Sent: Friday, October 05, 2001 11:27 AM
To: vpn at securityfocus.com
Subject: [vpn] Advice needed

Folks

I don't know if any of you out there can offer some advice, but here is my situation.

At the company where I work we were sold a PGP/NAI package that included the necessary licenses to run Gauntlet VPN and PGP clients across our corporate network. So we now have a Gauntlet 5.5 NT VPN server in our head office and a number of road warriors running PGP's VPN client (we liked the personal packet filter/firewall features included).

For some people this worked great. For some others the PGP client just plain would not work on their machines (particularly on IBM laptops for some reason).

Due to the problems with the client software we purchased a number of PGP's new e-ppliance boxes. These were chosen because they should work easily with Gauntlet VPN and they had the built-in firewalling, NAT and DHCP functionality we wanted. These don't support certificates for authentication so we had to use pre-shared keys, but we were able to live with this.

Now we are starting to run in to another problem that I just can't see an easy solution for.

A number of the users with the e-ppliances have DSL or cable internet connections with dynamic IP addresses allocated when they "connect". This is where the big problem is. With network-to-network IPSEC tunnels using pre-shared keys, both Gauntlet VPN and the e-ppliances require that the IP address of the other end of the link be statically defined. What this basically means is that every time the remote user's ISP connection is closed down (for whatever reason) they are unable to use the VPN until someone in the head office reconfigures the Gauntlet VPN server with their new IP address.

This just plain doesn't work for us.

We are not in a position where we can just dump everything and start again (both for political and financial reasons).
It is possible that we could replace the client end software/hardware for the problem cases, and we could perhaps stretch the budget to an IOS upgrade to a 3DES version on one of our routers, but if I do that I have to be sure that whatever we do is sure to work.

So what would your advice be?

Thanks in advance

Peter Walker

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBO8IJGm3fEaVlcM4HAQKBhgf+Oqh52zhtA3XOFvch7k1EXf/XjU/jugQL
DVwx2MBC89O6OdcP/R4/94QYusUPdxRaGa8+wFXbJjp4PeSeND6ol4eHX9hn7xq9
y2zvVtQXAN3NdNCtws6xAzJgONE6912IHEi3jwolV7YTwGTS1nHg0myRy32ztvyE
U0MUCgbW3MNhuL9fBKt1siBXsUvxdaFiwMexzy+CmceafEGTwPlVGqe9C9iK+mnU
4+zkICVD8AOFeyTJRvUa7uPt5LTzvTz7wrY7wVV5ce53CQKNnPaEZqIqqtgCxoLy
snvi15tJQ4Kuz2qI26ftVv/7QsWNDCUj+ReTZDQaehXgXUv2XQzKhA==
=Bg3E
-----END PGP SIGNATURE-----

From hari_kannan at hotmail.com Mon Oct 8 20:00:54 2001
From: hari_kannan at hotmail.com (Hari Kannan)
Date: Mon, 08 Oct 2001 17:00:54 -0700
Subject: [vpn] VPN and firewall question
Message-ID:

Hi,

I was hoping someone would be able to answer this question.

I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?
Thanks

Hari Kannan

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

From fuller at austin.rr.com Mon Oct 8 22:45:45 2001
From: fuller at austin.rr.com (Fuller)
Date: Mon, 8 Oct 2001 21:45:45 -0500
Subject: [vpn] Lan to Lan
Message-ID:

My LAN is behind a Linksys BEFSR41 router and I'm trying to connect to a friend's LAN which is behind a Linksys BEFSR11 router for gaming. Is VPN the way to go here to play "LAN" games using existing ISP connections? Both of us are on cable modems. I just don't know where to start.

From schowning at home.com Tue Oct 9 11:35:57 2001
From: schowning at home.com (Stephen Chowning)
Date: Tue, 09 Oct 2001 08:35:57 -0700
Subject: [vpn] VPN and firewall question
References:
Message-ID: <3BC3195C.85F43631@home.com>

The work firewall will not protect the personal stuff on your PC. The VPN connection should protect the data that you are exchanging with the work LAN. As to whether someone could use your home PC to hack into the company network, I would say that it is possible, especially if you don't have a firewall on your home PC. As to whether you "need" to buy firewall software, I would say that you need to only if someone is going to try and hack your computer. Personally, I would.

Sincerely,

Steve

Hari Kannan wrote:

> Hi,
>
> I was hoping someone would be able to answer this question.
>
> I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?
>
> Thanks
>
> Hari Kannan

--
--If a word in the dictionary were misspelled, how would we know?--

From markm at advisiontech.com Tue Oct 9 03:45:31 2001
From: markm at advisiontech.com (Mark McDavitt)
Date: Tue, 9 Oct 2001 00:45:31 -0700
Subject: [vpn] Lan to Lan
Message-ID: <100431A11986244BB8B1BFAC7175D3AC4B20@avtserver.advision.ad>

It's my understanding that the Linksys router doesn't support incoming VPN traffic. You can set up an outbound VPN tunnel, and may even be able to allow incoming traffic by opening up the right ports. Then again, without proper encryption, it's not a private network. Any thoughts?

Mark

-----Original Message-----
From: Fuller [mailto:fuller at austin.rr.com]
Sent: Monday, October 08, 2001 7:46 PM
To: vpn at securityfocus.com
Subject: [vpn] Lan to Lan

My LAN is behind a Linksys BEFSR41 router and I'm trying to connect to a friend's LAN which is behind a Linksys BEFSR11 router for gaming. Is VPN the way to go here to play "LAN" games using existing ISP connections? Both of us are on cable modems. I just don't know where to start.

From David_Mason at NAI.com Tue Oct 9 14:21:42 2001
From: David_Mason at NAI.com (Mason, David)
Date: Tue, 9 Oct 2001 13:21:42 -0500
Subject: [vpn] VPN and firewall question
Message-ID: <8894CA1F87A5D411BD24009027EE7838128327@ROC-76-204.nai.com>

I would recommend having a personal firewall and virus scanning installed on your home computer even if the following two additional security precautions are in place.
If your home computer ALWAYS goes through the corporate firewall for ALL traffic then your home computer will generally be as safe as any computer that resides within the corporate network (depending on the corporate firewall and how it's set up to handle traffic between the VPN client and the Internet). This setup is sometimes referred to as exclusive gateway: the corporate firewall is the client's one and only route for all traffic.

Some firewalls give the administrator the ability to do virus scanning and perform other security precautions on the VPN traffic to and from the VPN client.

-dave

-----Original Message-----
From: Hari Kannan [mailto:hari_kannan at hotmail.com]
Sent: Monday, October 08, 2001 8:01 PM
To: vpn at securityfocus.com
Cc: hkannan at home.com
Subject: [vpn] VPN and firewall question

Hi,

I was hoping someone would be able to answer this question.

I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?

Thanks

Hari Kannan

From proninig at saunalahti.fi Tue Oct 9 13:02:39 2001
From: proninig at saunalahti.fi (Igor Pronin)
Date: Tue, 9 Oct 2001 20:02:39 +0300
Subject: [vpn] VPN and firewall question
References:
Message-ID: <004401c150e4$3730dfc0$0b24e60a@jippii.fi>

> I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network?
1) If _all_ of your communications go (and come) through the company firewall you do not need a separate firewall. Why, if there is already a firewall?

2) But if part of your communications goes (and comes) through an ISP, and is thereby open to all kinds of attacks etc., you definitely need a firewall (and don't forget antivirus software; that is a second must nowadays).

The VPN is usually securing/encrypting the communication between you and your company if a cheap ISP is used to carry the communications. It does not secure against port attacks, trojans, viruses etc. from the outside world.

You have to understand the difference between
a) VPN
b) Firewall
c) Antivirus

> I.e. do I need to buy firewall software and install it at my home PC?
>

I would recommend that _your_company_ should do that to secure company assets.

> Thanks
>
> Hari Kannan

regards
Igor.Pronin at iki.fi

From cgripp at axcelerant.com Tue Oct 9 14:26:15 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 9 Oct 2001 11:26:15 -0700
Subject: [vpn] VPN and firewall question
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D45F7@guam.corp.axcelerant.com>

No
Yes
Yes (or a Linksys-like device, which is the better option as you can then use your single connection with multiple PCs, etc.)

-----Original Message-----
From: Hari Kannan [mailto:hari_kannan at hotmail.com]
Sent: Monday, October 08, 2001 5:01 PM
To: vpn at securityfocus.com
Cc: hkannan at home.com
Subject: [vpn] VPN and firewall question

Hi,

I was hoping someone would be able to answer this question.

I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?
Thanks

Hari Kannan

From cgripp at axcelerant.com Tue Oct 9 16:16:41 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 9 Oct 2001 13:16:41 -0700
Subject: [vpn] VPN and firewall question
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016CD8@guam.corp.axcelerant.com>

Just because the only route the PC has while running the VPN client is the corp firewall doesn't mean the PC at home is protected by the corp firewall. That is the old 'if I can't see you, you can't see me' theory and it sucks. If it has an Internet connection then it is susceptible to attacks from others on the Internet. Period. A personal FW, software or hardware, is a MUST if you care about being hacked or DoS'd.

The assumption that there is no way to hack a PC running a VPN client is not a safe one to make. You have to consider the potential risk of information that resides locally on that remote system. It isn't necessarily about being able to gain access to the corporate network as much as obtaining sensitive data from the compromised PC. That could be in the form of accounting spreadsheets, contact lists or any number of proprietary and confidential materials a remote user might save on their system.

Christopher Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Mason, David [mailto:David_Mason at NAI.com]
Sent: Tuesday, October 09, 2001 11:22 AM
To: 'Hari Kannan'; vpn at securityfocus.com
Cc: hkannan at home.com
Subject: RE: [vpn] VPN and firewall question

I would recommend having a personal firewall and virus scanning installed on your home computer even if the following two additional security precautions are in place.
If your home computer ALWAYS goes through the corporate firewall for ALL traffic then your home computer will generally be as safe as any computer that resides within the corporate network (depending on the corporate firewall and how it's set up to handle traffic between the VPN client and the Internet). This setup is sometimes referred to as exclusive gateway: the corporate firewall is the client's one and only route for all traffic.

Some firewalls give the administrator the ability to do virus scanning and perform other security precautions on the VPN traffic to and from the VPN client.

-dave

-----Original Message-----
From: Hari Kannan [mailto:hari_kannan at hotmail.com]
Sent: Monday, October 08, 2001 8:01 PM
To: vpn at securityfocus.com
Cc: hkannan at home.com
Subject: [vpn] VPN and firewall question

Hi,

I was hoping someone would be able to answer this question.

I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?

Thanks

Hari Kannan

From michael.johnson at peregrine.com Tue Oct 9 19:08:47 2001
From: michael.johnson at peregrine.com (Michael Johnson)
Date: Tue, 9 Oct 2001 16:08:47 -0700
Subject: [vpn] VPN Setup?
Message-ID: <7A07623A9E00784F958A5D04CE3C9A75C1DA2C@pltcaexc1.remedy.com>

Hi All.

I'm attempting to set up a simple VPN connection for just a few users to access. Can anyone please advise on recommendations or advice for this specific configuration?
I have a small business that I'm attempting to allow a few users to access a Windows 2k Server to work from home remotely. I have already opened the ports on a Linksys router (1723 TCP & 47 UDP) and forwarded them to the Windows 2k Server, which is running Routing & Remote Access Services. I'm able to successfully log on to this server and authenticate, but am not able to map to any network resources or shares. I'm attempting to accomplish this using only 1 NIC; can this be the issue, or is there a way to get this to work with just one NIC? There really will not be much use of this by the customer, but they want the functionality if they need to work from home.

Any help or advice would be GREATLY appreciated. Thanks in advance.

Sincerely,

Mike Johnson

From mark.priebatsch at activcard.com.au Wed Oct 10 14:11:54 2001
From: mark.priebatsch at activcard.com.au (Mark Priebatsch)
Date: Thu, 11 Oct 2001 04:11:54 +1000
Subject: [vpn] VPN and firewall question
In-Reply-To: <4EBB5C35607E7F48B4AE162D956666EF016CD8@guam.corp.axcelerant.com>
Message-ID:

Sorry, could you explain further. If the client is running a VPN client to a VPN gateway and it has been set that it will only receive encrypted traffic on its network interface when connected to/from the VPN gateway, then how can another Internet user get access to the PC while connected? (0.0.0.0/0.0.0.0 is handled by the VPN gateway. I know that this has some requirements on the IPSec driver.)

I am not covering off the scenarios of when not VPN connected, and/or the IPSec driver running in passive/unconnected mode, just for when the PC is connected.
regards,

_Mark

-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: 10 October 2001 06:17
To: Mason, David; Hari Kannan; vpn at securityfocus.com
Cc: hkannan at home.com
Subject: RE: [vpn] VPN and firewall question

Just because the only route the PC has while running the VPN client is the corp firewall doesn't mean the PC at home is protected by the corp firewall. That is the old 'if I can't see you, you can't see me' theory and it sucks. If it has an Internet connection then it is susceptible to attacks from others on the Internet. Period. A personal FW, software or hardware, is a MUST if you care about being hacked or DoS'd.

The assumption that there is no way to hack a PC running a VPN client is not a safe one to make. You have to consider the potential risk of information that resides locally on that remote system. It isn't necessarily about being able to gain access to the corporate network as much as obtaining sensitive data from the compromised PC. That could be in the form of accounting spreadsheets, contact lists or any number of proprietary and confidential materials a remote user might save on their system.

Christopher Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Mason, David [mailto:David_Mason at NAI.com]
Sent: Tuesday, October 09, 2001 11:22 AM
To: 'Hari Kannan'; vpn at securityfocus.com
Cc: hkannan at home.com
Subject: RE: [vpn] VPN and firewall question

I would recommend having a personal firewall and virus scanning installed on your home computer even if the following two additional security precautions are in place.

If your home computer ALWAYS goes through the corporate firewall for ALL traffic then your home computer will generally be as safe as any computer that resides within the corporate network (depending on the corporate firewall and how it's set up to handle traffic between the VPN client and the Internet).
This setup is sometimes referred to as exclusive gateway: the corporate firewall is the client's one and only route for all traffic.

Some firewalls give the administrator the ability to do virus scanning and perform other security precautions on the VPN traffic to and from the VPN client.

-dave

-----Original Message-----
From: Hari Kannan [mailto:hari_kannan at hotmail.com]
Sent: Monday, October 08, 2001 8:01 PM
To: vpn at securityfocus.com
Cc: hkannan at home.com
Subject: [vpn] VPN and firewall question

Hi,

I was hoping someone would be able to answer this question.

I have a cable modem connection at home and also use the VPN provided by my company to dial in for work-related stuff. Will the personal stuff on my PC at home be protected by the company's firewall? And, will someone be able to use my home PC to hack into the company network? I.e. do I need to buy firewall software and install it at my home PC?

Thanks

Hari Kannan

From skr at hub.nic.in Wed Oct 10 08:11:39 2001
From: skr at hub.nic.in (skr)
Date: Wed, 10 Oct 2001 17:41:39 +0530
Subject: [vpn] VPN authentication
Message-ID: <3BC43AFB.7F7B3F8B@hub.nic.in>

My question is..

Is there any VPN product which supports User ID + Password + MAC Address authentication over WAN?
Is there any VPN product which supports three-part authentication, User ID + Password + anything (excluding SecurID, digital certificate, RADIUS), say one more password?

sk roy
skr at hub.nic.in

From carson at taltos.org Wed Oct 10 15:51:12 2001
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 10 Oct 2001 15:51:12 -0400
Subject: [vpn] New PocketPC VPN client
Message-ID: <26706962.1002729072@CJECW95G6PXXT>

Has anyone taken a look at the "VPN Client" included with the PocketPC 2002 handhelds? Information on Microsoft's web site is non-extant, as far as I can tell.

--
Carson

From Igor.Pronin at Elma.Net Wed Oct 10 16:26:52 2001
From: Igor.Pronin at Elma.Net (Igor Pronin)
Date: Wed, 10 Oct 2001 23:26:52 +0300
Subject: [vpn] VPN and firewall question
References:
Message-ID: <004d01c151c9$e6092580$0b24e60a@jippii.fi>

----- Original Message -----
From: "Mark Priebatsch"

> Sorry, could you explain further. If the client is running a VPN client to a
> VPN gateway and it has been set that it will only receive encrypted traffic

Some kind of a firewall? Is it also restricted by the sender IP address, i.e. only the VPN gateway allowed?

> on its network interface when connected to/from the VPN gateway, then how
> can another Internet user get access to the PC while connected?
> (0.0.0.0/0.0.0.0 is handled by the VPN gateway. I know that this has some
> requirements on the IPSec driver.)
>
> I am not covering off the scenarios of when not VPN connected, and/or the
> IPSec driver running in passive/unconnected mode, just for when the PC is
> connected.

At least the network/VPN I am administering has VPN and ordinary, unencrypted connections (all outgoing) at the same time, the only difference being the destination IP address: only communications to the company intranet are VPN (IPSec). Incoming communications are restricted by the firewall.
I can have some connections open through the VPN tunnel and other connections unencrypted, both going through the ISP used. In practice all VPN connections are to my company and unencrypted connections elsewhere. So the computer is all the time "open" to the net (but secured by the firewall).

VPN (IPsec) is not equal to Firewall. They have different functions and can be different boxes and/or programs but can be combined in the same box and/or program. They take care of different sides of the security problem.

And BTW there still is the security problem which cannot be covered by any box nor program: human negligence and/or error and similar.

regards
Igor.Pronin at iki.fi

From Mayo at ctgi.com Wed Oct 10 16:05:46 2001
From: Mayo at ctgi.com (Mayo Simer)
Date: Wed, 10 Oct 2001 13:05:46 -0700
Subject: [vpn] VPN on Cisco 2514
Message-ID: <2AF878AB9449D411A68B00609709611A22C3F0@SCCMAIN>

Hi,

I'm trying to configure VPN on a Cisco 2514, IOS 12.2 w/ firewall IOS. The remote users (Windows NT 4.0 clients) should be able to get into the corporate network using PPTP. Can someone help me to configure this on the router?

Thanks

Simer Mayo

From crenner at dynalivery.com Wed Oct 10 18:47:11 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Wed, 10 Oct 2001 17:47:11 -0500
Subject: [vpn] VPN with NAT
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63EF62@novac.dynalivery.com>

Here's my current network situation:

Internet-----Router-----LRP box----Private Network

The LRP box is a system running a floppy-based version of the Linux Router Project. It is the default gateway for all systems on the private network (192.168.1.x), and provides NAT services and firewalling.

Now, I have a few remote employees that I'd like to connect to the private network via a Cisco Secure PIX 506 box.
Ideally, I'd like to have something like this:

Internet-----Router-----LRP box----Private Network
                           |             |
                           -------PIX 506--------

I only want to use the PIX to terminate the VPN clients, not have it replace the LRP box. I've been considering the following ideas to make things work correctly, and would like feedback or suggestions:

1) I can add a second network card to each system that I want to make available via the VPN. This will require extra cabling and requires a lot of opening of boxes.

2) Via RIP, have the systems on the private network update their routing tables so that the traffic for any remote system connecting to the PIX will be routed back through the PIX. Only problem is I don't know if the PIX provides any capability for this kind of thing.

3) Replace the LRP box with the PIX, so all traffic flows through it.

4) Any methods anyone else can recommend...

From cgripp at axcelerant.com Wed Oct 10 19:00:15 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 10 Oct 2001 16:00:15 -0700
Subject: [vpn] VPN with NAT
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D460A@guam.corp.axcelerant.com>

It's a non-issue. Add routes on the LRP box that point to the inside of the PIX for all remote subnets.

-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Wednesday, October 10, 2001 3:47 PM
To: vpn at securityfocus.com
Subject: [vpn] VPN with NAT

Here's my current network situation:

Internet-----Router-----LRP box----Private Network

The LRP box is a system running a floppy-based version of the Linux Router Project. It is the default gateway for all systems on the private network (192.168.1.x), and provides NAT services and firewalling.

Now, I have a few remote employees that I'd like to connect to the private network via a Cisco Secure PIX 506 box.
Ideally, I'd like to have something like this:

Internet-----Router-----LRP box----Private Network
                           |             |
                           -------PIX 506--------

I only want to use the PIX to terminate the VPN clients, not have it replace the LRP box. I've been considering the following ideas to make things work correctly, and would like feedback or suggestions:

1) I can add a second network card to each system that I want to make available via the VPN. This will require extra cabling and requires a lot of opening of boxes.

2) Via RIP, have the systems on the private network update their routing tables so that the traffic for any remote system connecting to the PIX will be routed back through the PIX. Only problem is I don't know if the PIX provides any capability for this kind of thing.

3) Replace the LRP box with the PIX, so all traffic flows through it.

4) Any methods anyone else can recommend...

From crenner at dynalivery.com Wed Oct 10 19:04:27 2001
From: crenner at dynalivery.com (Chuck Renner)
Date: Wed, 10 Oct 2001 18:04:27 -0500
Subject: [vpn] VPN with NAT
Message-ID: <1D5FFAF04EC5D31182CD00508B5502BD63EF66@novac.dynalivery.com>

Ok... so set it up like in my second diagram, and instead of having the LRP box route outbound traffic through its external interface, shoot the traffic into the PIX? Sounds sensible enough....

> -----Original Message-----
> From: Christopher Gripp [mailto:cgripp at axcelerant.com]
> Sent: Wednesday, October 10, 2001 6:00 PM
> To: Chuck Renner; vpn at securityfocus.com
> Subject: RE: [vpn] VPN with NAT
>
>
> It's a non-issue. Add routes on the LRP box that point to the inside of
> the PIX for all remote subnets.
>
> -----Original Message-----
> From: Chuck Renner [mailto:crenner at dynalivery.com]
> Sent: Wednesday, October 10, 2001 3:47 PM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN with NAT
>
> Here's my current network situation:
>
>     Internet-----Router-----LRP box----Private Network
>
> The LRP box is a system running a floppy-based version of the Linux Router
> Project. It is the default gateway for all systems on the private network
> (192.168.1.x), and provides NAT services and firewalling.
>
> Now, I have a few remote employees that I'd like to connect to the private
> network via a Cisco Secure PIX 506 box. Ideally, I'd like to have something
> like this:
>
>     Internet-----Router-----LRP box----Private Network
>                                |             |
>                                --------PIX 506---------
>
> I only want to use the PIX to terminate the VPN clients, not have it replace
> the LRP box. I've been considering the following ideas to make things work
> correctly, and would like feedback or suggestions:
>
> 1) I can add a second network card to each system that I want to make
> available via the VPN. This will require extra cabling and requires a lot
> of opening of boxes.
>
> 2) Via RIP, have the systems on the private network update their routing
> tables so that the traffic for any remote system connecting to the PIX will
> be routed back through the PIX. Only problem is I don't know if the PIX
> provides any capability for this kind of thing.
>
> 3) Replace the LRP box with the PIX, so all traffic flows through it.
>
> 4) Any methods anyone else can recommend...
From cgripp at axcelerant.com Wed Oct 10 19:20:26 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 10 Oct 2001 16:20:26 -0700
Subject: [vpn] VPN with NAT
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016CDC@guam.corp.axcelerant.com>

Not ALL of the traffic, just that traffic that is bound for the remote subnets of the VPN users.

Of course the most straightforward solution is replace the LRP with the PIX or vice versa and use one box for both VPN and firewalling. But that gets into the semantics of whether you want to combine those functions.

Using a PIX just for a VPN is, in my opinion, not the best solution. There are much better VPN/firewall appliances. But if you have already made the PIX purchase you might as well use it.

Another option is replace the LRP with the PIX and then get another VPN appliance or convert the LRP to a FreeS/WAN box and stick it off an interface of the PIX. Like so...

    internet-----router-------pix-----------------LAN
                               |                   |
                               |                   |
                               ----some vpn box----

That way the outside of the vpn box is protected by the PIX and you can still play the routing games to bounce packets from the pix to the vpn box.

Basically there are a million ways to do this. If you want to make the FEWEST changes possible, take my first suggestion. If you want to maximize security/flexibility look into the other options.

Christopher Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Wednesday, October 10, 2001 4:04 PM
To: Christopher Gripp; vpn at securityfocus.com
Subject: RE: [vpn] VPN with NAT

Ok... so set it up like in my second diagram, and instead of having the LRP box route outbound traffic through its external interface, shoot the traffic into the PIX? Sounds sensible enough....
> -----Original Message-----
> From: Christopher Gripp [mailto:cgripp at axcelerant.com]
> Sent: Wednesday, October 10, 2001 6:00 PM
> To: Chuck Renner; vpn at securityfocus.com
> Subject: RE: [vpn] VPN with NAT
>
> It's a non-issue. Add routes on the LRP box that point to the inside of
> the PIX for all remote subnets.
>
> -----Original Message-----
> From: Chuck Renner [mailto:crenner at dynalivery.com]
> Sent: Wednesday, October 10, 2001 3:47 PM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN with NAT
>
> Here's my current network situation:
>
>     Internet-----Router-----LRP box----Private Network
>
> The LRP box is a system running a floppy-based version of the Linux Router
> Project. It is the default gateway for all systems on the private network
> (192.168.1.x), and provides NAT services and firewalling.
>
> Now, I have a few remote employees that I'd like to connect to the private
> network via a Cisco Secure PIX 506 box. Ideally, I'd like to have something
> like this:
>
>     Internet-----Router-----LRP box----Private Network
>                                |             |
>                                --------PIX 506---------
>
> I only want to use the PIX to terminate the VPN clients, not have it replace
> the LRP box. I've been considering the following ideas to make things work
> correctly, and would like feedback or suggestions:
>
> 1) I can add a second network card to each system that I want to make
> available via the VPN. This will require extra cabling and requires a lot
> of opening of boxes.
>
> 2) Via RIP, have the systems on the private network update their routing
> tables so that the traffic for any remote system connecting to the PIX will
> be routed back through the PIX. Only problem is I don't know if the PIX
> provides any capability for this kind of thing.
>
> 3) Replace the LRP box with the PIX, so all traffic flows through it.
>
> 4) Any methods anyone else can recommend...
From Igor.Pronin at Elma.Net Thu Oct 11 05:07:55 2001
From: Igor.Pronin at Elma.Net (Igor Pronin)
Date: Thu, 11 Oct 2001 12:07:55 +0300
Subject: Vs: [vpn] VPN and firewall question
Message-ID: <005f01c15234$4a1a5020$21d1d7c2@tirana.elma.fi>

>> Sorry could you explain further. If the client is running a VPN client to a
>> VPN gateway and it has been set that it will only receive encrypted traffic
>
> Some kind of a firewall? Is it also restricted by the sender IP address
> i.e. only VPN Gateway allowed?
>
> Not certain I understand what you mean here. I am not saying that it is
> providing firewall functions, just that on the client it only allows
> communications to and from the VPN gateway. The VPN gateway is behind a
> firewall etc.

Isn't it providing "firewall functions" if it restricts communication from all other places except the VPN gateway? What else do you mean with "firewall functions" except restricting communications? And if the sole access VPN Gateway is behind a firewall your computer is behind that firewall, too.

The next question is how the VPN Client is running: if all the time then the next question of course is who has access to the gateway and what kind of security/firewall it has? If the VPN client is only run from time to time - i.e. when access to the company intranet is needed - what happens in the meantime. Is your computer running, connected to Internet through the ISP - then you definitely need a separate firewall as the VPN access restrictions do not apply.

> Agreed - the model is along the lines of:
>
>                            Internet
>                               ^
>                               |
> CLIENT <---(via Internet)----F/W------->VPN GATEWAY -----> Intranet
>   |                                          |
>   ========================================== (IPSec tunnel)
>

Does the picture above show two separate connections?
1) CLIENT ---> (up) Internet
2) CLIENT ---> (to the right) To Intranet

> Client network interface set to only accept authenticated/encrypted packets
> from the gateway.

If the picture is to be interpreted that you have 2 separate connections how is the alternative 1) secured?

> All routing for the Client when connected is via the
> Gateway. Main purpose would be to stop Internet hijacking

regards
Igor.Pronin at iki.fi

From shope at energis-eis.co.uk Thu Oct 11 08:13:21 2001
From: shope at energis-eis.co.uk (Stephen Hope)
Date: Thu, 11 Oct 2001 13:13:21 +0100
Subject: [vpn] VPN authentication
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458EA0@email.datarange.co.uk>

roy,

WAN does not have MAC addresses.... if you have an Ethernet, then MAC is local to that PC and the nearest router interface. And a sniffer or various other software can make a PC ethernet card have an arbitrary MAC address anyway.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: skr [mailto:skr at hub.nic.in]
> Sent: 10 October 2001 13:12
> To: vpn at securityfocus.com
> Subject: [vpn] VPN authentication
>
> My question is..
>
> Is there any VPN product which supports User ID + Password + MAC Address
> authentication.. over WAN.
>
> Is there any VPN product which supports three part authentication User
> ID + Password + anything.. (excluding secure ID, Digital certificate,
> Radius) say one more password
>
> sk roy
> skr at hub.nic.in

From raymond.berkoh at hays-hps.com Thu Oct 11 07:09:17 2001
From: raymond.berkoh at hays-hps.com (Berkoh, Raymond - HPS)
Date: Thu, 11 Oct 2001 12:09:17 +0100
Subject: [vpn] Raymond ( my project)
Message-ID: <383A581564B2D511801D000103CF2C94089871@HPSMS07>

Could you please e-mail information on any two or more companies that use VPN as part of their network. This will help me to provide in my own words a critical review of how VPN is important within any organisations.

**********************************************************************
This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify the Hays Group Email Helpdesk at email.helpdesk at hays.plc.uk
Any information, statements or opinions contained in this message (including any attachments) are given by the author. They are not given on behalf of Hays unless subsequently confirmed by an individual other than the author who is duly authorised to represent Hays.

A member of the Hays plc group of companies.
Hays plc is registered in England and Wales number 2150950.
Registered Office Hays House Millmead Guildford Surrey GU2 4HJ.
**********************************************************************

From mark.priebatsch at activcard.com.au Thu Oct 11 04:27:47 2001
From: mark.priebatsch at activcard.com.au (Mark Priebatsch)
Date: Thu, 11 Oct 2001 18:27:47 +1000
Subject: [vpn] VPN and firewall question
In-Reply-To: <004d01c151c9$e6092580$0b24e60a@jippii.fi>
Message-ID:

-----Original Message-----
From: Igor Pronin [mailto:Igor.Pronin at Elma.Net]
Sent: 11 October 2001 06:27
To: vpn at securityfocus.com
Subject: Re: [vpn] VPN and firewall question

----- Original Message -----
From: "Mark Priebatsch"

> Sorry could you explain further. If the client is running a VPN client to a
> VPN gateway and it has been set that it will only receive encrypted traffic

Some kind of a firewall? Is it also restricted by the sender IP address i.e. only VPN Gateway allowed?

Not certain I understand what you mean here. I am not saying that it is providing firewall functions, just that on the client it only allows communications to and from the VPN gateway. The VPN gateway is behind a firewall etc.

> on its network interface when connected to/from the VPN gateway, then how
> can another Internet user get access to the PC while connected.
> (0.0.0.0/0.0.0.0 is handled by the VPN Gateway. I know that this has some
> requirements on the IPSec driver.
>
> I am not covering off the scenarios of when not VPN connected, and/or the
> IPsec driver running in passive/unconnected mode, just for when the PC is
> connected.

At least the network/VPN I am administering has VPN and ordinary, unencrypted connections (all outgoing) at the same time the only difference being the destination IP address - only communications to company Intranet is VPN (IPSec). Incoming communications is restricted by firewall. I can have some connections open through the VPN tunnel and other connections unencrypted both going through the ISP used.
In practice all VPN connections are to my company and unencrypted connections elsewhere. So the computer is all the time "open" to the net (but secured by the firewall).

VPN (IPsec) is not equal to Firewall. They have different functions and can be different boxes and/or programs but can be combined in the same box and/or program. They take care of different sides of the security problem. And BTW there still is the security problem which cannot be covered by any box nor program: human negligence and/or error and similar.

Agreed - the model is along the lines of:

                           Internet
                              ^
                              |
CLIENT <---(via Internet)----F/W------->VPN GATEWAY -----> Intranet
  |                                          |
  ========================================== (IPSec tunnel)

Client network interface set to only accept authenticated/encrypted packets from the gateway. All routing for the Client when connected is via the Gateway. Main purpose would be to stop Internet hijacking

regards
Igor.Pronin at iki.fi

From computerguy at tciway.tc Thu Oct 11 16:33:41 2001
From: computerguy at tciway.tc (The Computer Guy)
Date: Thu, 11 Oct 2001 16:33:41 -0400
Subject: [vpn] Fw: VPN
Message-ID: <005401c15294$041afec0$9500a8c0@john>

----- Original Message -----
From: "Tina Bird"
To: "The Computer Guy"
Sent: Thursday, October 11, 2001 12:35 PM
Subject: Re: VPN

> pls forward to vpn at securityfocus.com
>
> On Thu, 11 Oct 2001, The Computer Guy wrote:
>
> > Date: Thu, 11 Oct 2001 09:34:00 -0400
> > From: The Computer Guy
> > To: tbird at precision-guesswork.com
> > Subject: VPN
> >
> > First let me say that I don't have a clue!
> >
> > I need a VPN solution for a client and I don't feel that software is the
> > way to go. I'll give you a little more info on the exact application in
> > the hopes that you can either help me out or steer me toward a solution.
> >
> > Client is "Offshore". They communicate through the Internet using a Sat.
> > connection from a small island in the Caribbean.
> > Highest speed is T1. What I propose to do is create a VPN link to a
> > service provider in Nassau. In this way, I hope to provide the client
> > with "anonymity". That is, no one can trace him past Nassau. We have
> > installed a Proxy Server here and that seems to keep him safe from prying
> > eyes. The big concern is that the information being transferred can be
> > "examined" and the source determined.
> >
> > My inclination is to install a VPN device at each end. Is this a good
> > idea? Which device should I look into? What do I need to be aware of?
> >
> > Sincerely,
> >
> > John Lawson
> >
>
> "I was being patient, but it took too long." -
> Buffy the Vampire Slayer
>
> LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
> VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

From rick_smith at securecomputing.com Thu Oct 11 18:13:43 2001
From: rick_smith at securecomputing.com (Rick Smith at Secure Computing)
Date: Thu, 11 Oct 2001 17:13:43 -0500
Subject: [vpn] VPN authentication
In-Reply-To: <3BC43AFB.7F7B3F8B@hub.nic.in>
Message-ID: <4.3.2.7.0.20011011165328.01b26d10@STPNTMX03.sctc.com>

At 07:11 AM 10/10/2001, skr wrote:
> Is there any VPN product which supports User ID+ Password+MAC Address
> authentication..over WAN.

I don't think so, and the reason is because the MAC address isn't a reliable identifier. Many (most?) NICs allow you to replace the MAC address. If you're worried about an attacker capturing your user ID and password, then you run the same risk with the MAC address.

> Is there any VPN product which supports three part authentication User
> ID + Password + anything..(excluding secure ID, Digital certificate,
> Radius ) say one more password

If one password isn't providing the protection you need, then a second password, or a longer password, probably won't improve matters. If someone is asking you for "two factor authentication" then you're trying to do the wrong things.
You need to combine memorized data (the password or PIN) with a personal authentication device (like one of those tokens) or a biometric reading. You don't get two factors by using two passwords.

Rick.
smith at securecomputing.com
roseville, minnesota
"Authentication" in bookstores http://www.visi.com/crypto/

From sandy at storm.ca Thu Oct 11 18:47:52 2001
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 11 Oct 2001 18:47:52 -0400
Subject: [vpn] Raymond ( my project)
References: <383A581564B2D511801D000103CF2C94089871@HPSMS07>
Message-ID: <3BC62198.68EB322D@storm.ca>

"Berkoh, Raymond - HPS" wrote:
>
> could you please e-mail information on any two or more companies that use VPN
> as part of their network. this will help me to provide in my own words a
> critical review of how VPN is important within any organisations

Look on Bellovin's papers page: http://www.research.att.com/~smb/papers/index.html for the "Moat: A Virtual Private Network Appliance and Services Platform" paper. It describes AT&T Research's VPN from the office to employees' homes. A few 100 nodes, using cheap off-the-shelf PCs, and implemented entirely with free Open Source software, Linux and FreeS/WAN (www.freeswan.org).
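Rick Smith's two points above (a captured user ID and password can simply be replayed, and a second password does not make a second factor) are easiest to see against the one-time-password schemes such as S/Key that are mentioned later in this thread. What follows is an added example, not code from the thread and not from any S/Key implementation: a Lamport hash chain modelled on the S/Key design (RFC 2289), using SHA-256 folded to 64 bits instead of the RFC's MD4/MD5/SHA-1 folding, so it is not wire-compatible with real S/Key software. The chain length, seed and password are constructed values. The server stores only the last accepted value, so a sniffed response is useless for the next login; the response is still derived from one memorized secret, though, which is why a software OTP alone is not a second factor in the sense Rick describes.

```python
import hashlib
import hmac

# Constructed example value: a real deployment picks a random seed per user and a
# chain length such that the chain is re-initialised before it runs out.
CHAIN_LENGTH = 100


def step(value: bytes) -> bytes:
    """One link of the chain: hash, then fold the digest to 64 bits.

    S/Key (RFC 2289) folds MD4/MD5/SHA-1 output to 64 bits; here SHA-256 is folded
    by XORing its four 8-byte quarters. That folding is an assumption of this
    example, not the RFC's exact procedure.
    """
    digest = hashlib.sha256(value).digest()
    return bytes(digest[i] ^ digest[i + 8] ^ digest[i + 16] ^ digest[i + 24]
                 for i in range(8))


def otp(password: str, seed: str, n: int) -> bytes:
    """Client side: hash^n(seed || password), the one-time password for sequence n."""
    value = (seed + password).encode()
    for _ in range(n):
        value = step(value)
    return value


class OtpVerifier:
    """Server side. Keeps the seed, the sequence number of the last accepted OTP
    and that OTP itself; it never keeps the password or anything from which the
    next expected response could be computed."""

    def __init__(self, seed: str, count: int, last_accepted: bytes) -> None:
        self.seed = seed
        self.count = count              # sequence number of last_accepted
        self.last_accepted = last_accepted

    @classmethod
    def enroll(cls, password: str, seed: str, n: int = CHAIN_LENGTH) -> "OtpVerifier":
        # Enrolment is the only time the server needs the password.
        return cls(seed, n, otp(password, seed, n))

    def challenge(self):
        """What the server sends (S/Key style: 'otp <n> <seed>')."""
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept iff hash(response) == last accepted value, then advance the chain."""
        if self.count <= 1:
            return False                # chain exhausted; user must re-enroll
        if not hmac.compare_digest(step(response), self.last_accepted):
            return False
        self.last_accepted = response   # a replay of this response now fails
        self.count -= 1
        return True


def demo() -> dict:
    """Enrolment, one login, a replay of the sniffed response, a wrong password,
    and a second legitimate login. Returns the outcomes for inspection."""
    password, seed = "correct horse battery", "example-seed"   # constructed
    server = OtpVerifier.enroll(password, seed)

    n, s = server.challenge()                     # server asks for hash^99
    sniffed = otp(password, seed, n)              # client answers; attacker sniffs it
    first = server.verify(sniffed)

    replay = server.verify(sniffed)               # attacker replays what it saw
    wrong = server.verify(otp("wrong password", s, n - 1))
    second = server.verify(otp(password, seed, n - 1))  # legitimate next login

    return {"first": first, "replay": replay, "wrong": wrong, "second": second,
            "next_challenge": server.challenge()[0]}


if __name__ == "__main__":
    print(demo())
```

The verifier compares with hmac.compare_digest so that a wrong guess does not leak how many bytes matched, and it refuses once the chain is down to its last value, since accepting hash^0 would mean accepting the password-derived seed material itself.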
From sailnit at speakeasy.net Thu Oct 11 18:54:22 2001
From: sailnit at speakeasy.net (Scott Armstrong)
Date: Thu, 11 Oct 2001 15:54:22 -0700
Subject: [vpn] VPN authentication
In-Reply-To: <4.3.2.7.0.20011011165328.01b26d10@STPNTMX03.sctc.com>
Message-ID:

> Is there any VPN product which supports three part authentication User
> ID + Password + anything..(excluding secure ID, Digital certificate,
> Radius ) say one more password

Not sure if it's exactly what you are looking for, but maybe something like this:

http://www.passgo.com/products/defender/
or
http://freshmeat.net/projects/skey/

which are one time password generation systems (user name plus a response which is generated from a combination of a user password and server challenge). Then you could look for stuff that integrates with S/Key or Defender.

HTH,
Scott

From saggour at gmx.net Fri Oct 12 01:50:56 2001
From: saggour at gmx.net (Shereen aggour)
Date: Fri, 12 Oct 2001 07:50:56 +0200 (MEST)
Subject: [vpn] Raymond ( my project)
References: <383A581564B2D511801D000103CF2C94089871@HPSMS07>
Message-ID: <24383.1002865856@www54.gmx.net>

Actually I need your help as well for a project of mine that is to state the differences between VPNs over IP opposed to those over frame relay.

If you can provide me with information, that would be great.

Thanks,

--
Sent through GMX FreeMail - http://www.gmx.net

From schowning at home.com Fri Oct 12 13:53:48 2001
From: schowning at home.com (Stephen Chowning)
Date: Fri, 12 Oct 2001 10:53:48 -0700
Subject: [vpn] VPN and Macintosh
Message-ID: <3BC72E28.86A12183@home.com>

I am trying to decide on software/hardware to implement a Mac to Mac VPN over two cable modem connections. I am trying to decide between a linux software based solution and a Mac capable hardware solution. My biggest area of concern is being able to negotiate an AppleTalk connection.
The Mac capable hardware vendors list AppleTalk add-on software to make their hardware AppleTalk friendly, thereby significantly increasing the implementation costs. This makes the linux solution much more attractive. But since I have never implemented a VPN of any kind, much less a Mac to Mac one, I was wondering if anyone has had any experience with VPN for Macs and would be willing to advise me. So could a linux solution negotiate an AppleTalk connection?

TIA,

Steve Chowning
--
--If rabbits' feet are so lucky, then what happened to the rabbit?--

From stephen.hope at energis.com Fri Oct 12 16:58:41 2001
From: stephen.hope at energis.com (Stephen Hope)
Date: Fri, 12 Oct 2001 21:58:41 +0100
Subject: [vpn] Raymond ( my project)
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458EB0@email.datarange.co.uk>

Shereen,

1st the cop out - all this is my opinions, and biased by what I know and what I have done before.

VPN is a term for a logical network running over a different network. Many practical systems actually are "VPNs" at different levels. The first VPNs were X.25, voice networks (or others) - it depends on who you ask.

Most common use in data networking is for a higher security IP network which uses an underlying lower security IP network (i.e. a company remote access system via the Internet) but there are lots of other useful applications.

There are several common ways of providing a VPN over IP - standard ones include GRE (IP tunnel over IP), IPsec (encryption with optional IP over IP), L2TP, SSL. Proprietary ones include IPsec over UDP in several different flavours, L2F and PPTP.

IPsec is one way of providing IP over IP networks.

Frame relay can be (and usually is) a VPN when provided by a carrier - the carrier has a backbone which supports multiple customers, and each customer "sees" a logical subset of all connections.
However, "real" Frame Relay is just an interface definition; the underlying backbone may be other types of network - e.g. the old Magellan switch used an underlying IP network, Newbridge / Alcatel switches use ATM and some recent kit uses MPLS.

That customer may just put native IP over their frame cloud. Or, if they want better security, they may put IPsec over IP over Frame, typically just for the encryption support if it is a private network.

In that case we have 3 flavours of VPN running in the same system at different layers of the protocol stack: IPsec over IP over Frame presentation over IP.....

And each layer needs management, and takes its own overhead costs in terms of bandwidth, processing and potential for faults......

And that is why a lot of "data only" network architects are pushing IP as the underlying protocol - fewer layers and more consistency. Of course, when you carry voice over IP then you add just as many layers which are even more complex - but that is a different argument.

So, your Q needs a bit more detail before we can give you specific answers.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Shereen aggour [mailto:saggour at gmx.net]
> Sent: 12 October 2001 06:51
> To: vpn at securityfocus.com
> Cc: Berkoh Raymond - HPS
> Subject: Re: [vpn] Raymond ( my project)
>
> Actually I need your help as well for a project of mine that is to state the
> differences between VPNs over IP opposed to those over frame relay.
>
> If you can provide me with information, that would be great.
>
> Thanks,
>
> --
> Sent through GMX FreeMail - http://www.gmx.net

From stephen.hope at energis.com Mon Oct 15 04:54:30 2001
From: stephen.hope at energis.com (Stephen Hope)
Date: Mon, 15 Oct 2001 09:54:30 +0100
Subject: [vpn] Raymond ( my project)
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458EB2@email.datarange.co.uk>

Raymond,

The answer as usual is - it depends.

Usually VPN is a way of getting better price / performance than for a dedicated network. The idea is you use part of a shared system (the Internet, or the public voice system) rather than dedicated equipment, lines etc, so it costs less. With this definition, Frame Relay is also a VPN, since it uses a carrier backbone you share with others.

But, then you need security to make sure that your stuff is not accessible to others. You also need some way to make sure you get the performance you need from a shared system - after all if the carrier can't overcommit the backbone (so that there is less capacity than the worst case needed by all the customers added up, plus the extra overheads) then there is little or no economy of scale from the carrier perspective, and that should bear some relation to what you pay.

The implicit assumption is that most of the costs are in the shared bit and that the extra VPN complexity is more than offset by these cost savings - if not then the resulting system may cost more than dedicated systems.

If you look at where VPNs are most popular, then this does follow the "cost model". Most common uses are: international site to site connections, international remote access, national remote access, national site to site within a large country such as the USA.
In practice most large companies end up with a hybrid - VPN maybe for awkward to reach offices in other countries, and international remote access, dedicated Frame for "local" offices, ISDN dial in for remote access in countries where you have local support.

It also means that national stuff in smaller countries such as the UK is less attractive for VPN - the backbone is a smaller proportion of the system.

From a technical perspective - VPN means trading complexity for service cost savings. This means that if service cost dominates for your applications, then this is a good solution (e.g. international remote access). If other costs dominate (i.e. you run a 24 by 7 helpdesk and fly engineers to other countries to sort laptop problems), then it may not make sense to complicate the system design over a dedicated system.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Berkoh, Raymond - HPS [mailto:raymond.berkoh at hays-hps.com]
> Sent: 15 October 2001 09:34
> To: 'Stephen Hope'
> Subject: RE: [vpn] Raymond ( my project)
>
> can you give me some sort of critical review on the benefits of VPN within
> any organisations
> cheers for your previous information
> ray
>
> -----Original Message-----
> From: Stephen Hope [mailto:stephen.hope at energis.com]
> Sent: 12 October 2001 21:59
> To: 'Shereen aggour'; vpn at securityfocus.com
> Cc: Berkoh Raymond - HPS
> Subject: RE: [vpn] Raymond ( my project)
>
> Shereen,
>
> 1st the cop out - all this is my opinions, and biased by what I know and
> what I have done before.
>
> VPN is a term for a logical network running over a different network. Many
> practical systems actually are "VPNs" at different levels.
> The first VPNs
> were X.25, voice networks (or others) - it depends on who you ask.
>
> Most common use in data networking is for a higher security IP network which
> uses an underlying lower security IP network (i.e. a company remote access
> system via the Internet) but there are lots of other useful applications.
>
> There are several common ways of providing a VPN over IP - standard ones
> include GRE (IP tunnel over IP), IPsec (encryption with optional IP over IP),
> L2TP, SSL. Proprietary ones include IPsec over UDP in several different
> flavours, L2F and PPTP.
>
> IPsec is one way of providing IP over IP networks.
>
> Frame relay can be (and usually is) a VPN when provided by a carrier - the
> carrier has a backbone which supports multiple customers, and each customer
> "sees" a logical subset of all connections. However, "real" Frame Relay is
> just an interface definition; the underlying backbone may be other types of
> network - e.g. the old Magellan switch used an underlying IP network,
> Newbridge / Alcatel switches use ATM and some recent kit uses MPLS.
>
> That customer may just put native IP over their frame cloud. Or, if they
> want better security, they may put IPsec over IP over Frame, typically just
> for the encryption support if it is a private network.
>
> In that case we have 3 flavours of VPN running in the same system at
> different layers of the protocol stack: IPsec over IP over Frame presentation
> over IP.....
>
> And each layer needs management, and takes its own overhead costs in terms
> of bandwidth, processing and potential for faults......
>
> And that is why a lot of "data only" network architects are pushing IP as
> the underlying protocol - fewer layers and more consistency. Of course, when
> you carry voice over IP then you add just as many layers which are even more
> complex - but that is a different argument.
>
> So, your Q needs a bit more detail before we can give you specific answers.
>
> regards
>
> Stephen
>
> Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
> Energis UK, WWW: http://www.energis.com
> Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
> Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189
>
> > -----Original Message-----
> > From: Shereen aggour [mailto:saggour at gmx.net]
> > Sent: 12 October 2001 06:51
> > To: vpn at securityfocus.com
> > Cc: Berkoh Raymond - HPS
> > Subject: Re: [vpn] Raymond ( my project)
> >
> > Actually I need your help as well for a project of mine that is to state the
> > differences between VPNs over IP opposed to those over frame relay.
> >
> > If you can provide me with information, that would be great.
> >
> > Thanks,
> >
> > --
> > Sent through GMX FreeMail - http://www.gmx.net
From Milan.Mithbaokar at lntinfotech.com Tue Oct 16 02:26:37 2001
From: Milan.Mithbaokar at lntinfotech.com (Milan.Mithbaokar at lntinfotech.com)
Date: Tue, 16 Oct 2001 11:56:37 +0530
Subject: [vpn] Check-point IKE VPN problem...
Message-ID:

Hello,

We are facing problems in setting up one of the VPNs and following is the problem description:

We are using Check-point Firewall with a centralised Mgmt module. This VPN where we are facing problems is not having a mgmt module. It just has a Firewall module and the policies are pushed from the centralised mgmt module onto this Firewall module.

We are setting up an IKE VPN with one of our clients. This particular Firewall already has two more IKE VPNs and they seem to be working fine but the moment we start this VPN our other two VPNs also break down and apart from that this particular VPN also does not come up.

We have set up the following rules for this VPN:

    source: F/W    destination: F/W    encrypt between encryption domains    action: encrypt

Any help on the same.

Thanks & regards / Milan

From rage at dial.eunet.ch Sat Oct 20 05:42:26 2001
From: rage at dial.eunet.ch (AlanCB)
Date: Sat, 20 Oct 2001 11:42:26 +0200 (CEST)
Subject: [vpn] Re: vpn nfs (fwd)
Message-ID:

--
GnuPG (PGP 5.x compatible) public key at http://www.math.ethz.ch/~rage

---------- Forwarded message ----------
Date: Fri, 19 Oct 2001 18:50:07 -0500 (CDT)
From: Tina Bird
To: AlanCB
Subject: Re: vpn nfs

pls forward to vpn at securityfocus.com

On Fri, 19 Oct 2001, AlanCB wrote:

> Date: Fri, 19 Oct 2001 22:11:03 +0200 (CEST)
> From: AlanCB
> To: tbird at precision-guesswork.com
> Subject: vpn nfs
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hallo Tina
>
> Thanks for your great site on vpn's. I took a good look through it,
> however I didn't find the information I need.
> Perhaps you could give me some tips where to look, or maybe even assist
> me in this matter. I've been a sysadmin at the ETH (Swiss Federal
> Institute of Technology) for several months now and I'm extremely
> interested in introducing a vpn into our department.
> I'm using the tool gShield which can be found at:
> http://muse.linuxmafia.org/gshield.html
> It utilizes iptables on the linux box I'm running. Within our subnet we
> use an NFS server which not only contains our users' homes, but also all
> our software. Behind our firewall/gateway we have a private-range class C
> subnet, which contains users who amongst other things use the NFS server.
>
> My problem:
> The users should have r+w perms on their own directories only, and r only
> on the software dir. Instead of setting multiple permissions on the NFS
> server, which is basically impossible, I need a way of setting permissions
> on my vpn gateway. With your experience, is there a tool or method you
> know of which enables this? A blunt question, I know, however I'd much
> appreciate your help.
>
> Whatever help you can offer is much appreciated.
>
> greetings
> AlanCB
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE70Ijbt/sRD4MkngARAlGFAKCUH+44iwU8V/A3D9X+3L7u1+Cr4ACeOsV8
> kVyQSXFGS9Um9I+UZzJMx9U=
> =BwQ0
> -----END PGP SIGNATURE-----
>

"I was being patient, but it took too long."
- Anya, "Buffy the Vampire Slayer"

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

From dgillett at deepforest.org Mon Oct 22 17:00:10 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Mon, 22 Oct 2001 14:00:10 -0700
Subject: [vpn] Re: vpn nfs (fwd)
In-Reply-To:
Message-ID: <3BD4266A.23155.2F34F709@localhost>

On 20 Oct 2001, at 11:42, AlanCB wrote:

> My problem:
> The users should have r+w perms on their own directories only, and
> r only on the software dir. Instead of setting multiple permissions
> on the NFS server, which is basically impossible, I need a way of
> setting permissions on my vpn gateway. With your experience, is
> there a tool or method you know of which enables this? A blunt
> question, I know, however I'd much appreciate your help.

It may just be that there are subtleties of NFS that I'm not aware of, but generally VPN implementations tend to look like bridges or routers (layer 2 or layer 3 services) overlaid on top of some other network/transport implementation (usually layer 3/4, occasionally perhaps higher if only a higher-level interface to the network is available). Now there are arguments to be made as to whether directories and perms are implemented at the presentation (6) or application (7) layer, but in either case they fall well outside the scope that any VPN I'm familiar with addresses.

It sounds to me like what you want is a proxy (layer 6/7) that implements and enforces the perms that are "basically impossible" on your NFS server, and some mechanism to force even local clients to go through that proxy to get to NFS mounts. There may be ways to use VPN products to force the routing you want, but I don't know of anything that addresses the perms/proxy issues -- and if such a product exists, I don't think it's likely to be labelled as anything to do with VPNs.
I realize that this answer is not all that helpful, except possibly in clarifying either what you need -- or how I've failed to understand what you need. (I've seen no other answers, so others may be similarly confused.)

Dave Gillett

From bugtraq at seifried.org Mon Oct 22 17:31:36 2001
From: bugtraq at seifried.org (Kurt Seifried)
Date: Mon, 22 Oct 2001 15:31:36 -0600
Subject: [vpn] Re: vpn nfs (fwd)
References: <3BD4266A.23155.2F34F709@localhost>
Message-ID: <014f01c15b40$eee4ef60$6400030a@seifried.org>

> > My problem:
> > The users should have r+w perms on their own directories only, and
> > r only on the software dir. Instead of setting multiple permissions
> > on the NFS server, which is basically impossible, I need a way of
> > setting permissions on my vpn gateway. With your experience, is
> > there a tool or method you know of which enables this? A blunt
> > question, I know, however I'd much appreciate your help.

What makes them less impossible to implement on the gateway? Let's assume for a minute that an NFS proxy exists that will let you enforce permissions. Several problems come to mind:

1) anyone circumventing the VPN (i.e. coming from inside) will be able to run wild through the NFS server. oops.
2) obfuscation attacks, encoding of data, using things like cd "/././././././../foo/bar/../etc/" etc etc. HTTP is hard enough to monitor and I don't imagine NFS is any easier
3) encryption of nfs services/login. awwww crap.
4) integrating authentication systems/etc.

Perhaps you should consider a different file sharing protocol/system than NFS if permissions are that much of an issue. CODA/AFS/SMB/Novell/etc come to mind.

To draw a parallel: Every Microsoft person I know says you should set your directory share permissions to everyone:full control and use NTFS permissions to enforce access.
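Kurt's second point, that a request like cd "/././././././../foo/bar/../etc/" defeats a proxy which looks at the raw path string, is the core reason permission enforcement on a gateway is harder than it looks. The following is an added example, not code from the thread or from any product mentioned in it, that puts a naive prefix check beside a check on the canonical path. The policy (read-write under the user's own home, read-only under a software tree), the operation names, the user and the request log are all constructed for the example; it also covers a second bug the thread does not mention, a prefix match accepting /softwarebackup for /software.

```python
import posixpath

# Constructed policy modelled on the thread: each user has read-write access
# under their own home directory and read-only access to the shared software
# tree; everything else is denied. Added example code, not from the original
# posts; users, paths and operation names are made up for illustration.
HOME_ROOT = "/home"
SOFTWARE_ROOT = "/software"
READ_OPS = {"read", "lookup", "readdir"}
WRITE_OPS = {"write", "create", "remove", "rename"}


def canonicalize(path):
    """Collapse '.', '..' and repeated slashes so that every spelling of a
    location maps to one string. Relative paths are rejected: a proxy has no
    working directory to resolve them against. Symlinks are NOT resolved;
    that needs the server's filesystem (os.path.realpath), which a proxy in
    front of the server cannot see, so the server must still enforce policy.
    """
    if not path.startswith("/"):
        raise ValueError("absolute path required: %r" % path)
    # POSIX keeps a leading '//' distinct; fold it so it cannot dodge a check.
    while path.startswith("//"):
        path = path[1:]
    return posixpath.normpath(path)


def is_within(path, root):
    """True if the canonical path is root itself or lies below it. A plain
    startswith(root) would also accept '/softwarebackup' for '/software',
    so the comparison is made on a path-component boundary."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def naive_allowed(user, op, path):
    """The check a first-cut proxy might do: prefix-match the raw string.
    Kept here only to show how '.' and '..' segments slip past it."""
    if op in READ_OPS | WRITE_OPS and path.startswith(HOME_ROOT + "/" + user):
        return True
    if op in READ_OPS and path.startswith(SOFTWARE_ROOT):
        return True
    return False


def allowed(user, op, path):
    """Policy decision on the canonical path; anything unparseable is denied."""
    if op not in READ_OPS | WRITE_OPS:
        return False
    try:
        canon = canonicalize(path)
    except ValueError:
        return False
    home = canonicalize(posixpath.join(HOME_ROOT, user))
    if is_within(canon, home):
        return True
    return op in READ_OPS and is_within(canon, SOFTWARE_ROOT)


# Constructed request log: (user, op, path) as a gateway proxy might see them.
SAMPLE_REQUESTS = [
    ("alan", "write", "/home/alan/thesis.tex"),
    ("alan", "read", "/software/bin/gcc"),
    ("alan", "write", "/software/bin/gcc"),
    ("alan", "read", "/home/alan/../bob/.ssh/id_dsa"),
    ("alan", "read", "/home/alan/./../../etc/passwd"),
    ("alan", "read", "/softwarebackup/secret"),
    ("alan", "read", "/././././././../foo/bar/../etc/"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return the requests on which the naive and the canonical check disagree.
    Each one is a request the naive proxy would have decided wrongly."""
    return [r for r in requests if naive_allowed(*r) != allowed(*r)]


if __name__ == "__main__":
    for user, op, path in audit():
        print("naive check wrong for %s %s %s -> canonical %s"
              % (user, op, path, canonicalize(path)))
```

Running the block lists the three constructed requests the naive check gets wrong: two ".." escapes out of the user's home and the /softwarebackup prefix collision. The canonical check is still only half the story, as Kurt's points 1 and 3 say: whatever bypasses the gateway, or whatever the server resolves through a symlink, is never seen by this code.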
Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

From bugtraq at seifried.org Mon Oct 22 18:26:55 2001
From: bugtraq at seifried.org (Kurt Seifried)
Date: Mon, 22 Oct 2001 16:26:55 -0600
Subject: [vpn] Re: vpn nfs (fwd)
References:
Message-ID: <001501c15b48$a8367a40$6400030a@seifried.org>

> Thank you for your response(s)
> let me clarify the situation:
>
> In our network we have several hundred unix boxes all connected to our nfs
> server. These boxes are ours of course, only the sysadmins are root. No
> box is behind a firewall or in a vpn, all have a publicly assigned ip.
> Being a university, we have assistants, professors and doctorates who
> bring in their own laptops and need a net connection. Now I'm sure you
> know the dangers there are when someone has root on a box and can connect
> to our nfs server... enough said there. The further dangers of having root
> on our network which doesn't belong to us don't even need to be mentioned.

Uhmm no. Using root_squash I'm not really aware of the danger of root connecting to your NFS server. As for users choosing arbitrary names, well they can also choose arbitrary IPs assuming your infrastructure isn't tightly locked down (which from the sounds of it it isn't). You may want to purchase the O'Reilly NIS/NFS book, it's quite good. Have you considered using the more advanced authentication available in NFS rather than the IP/user?

Or to put it bluntly, if you are worried about security why are you using NFS?

> Is this somehow possible or is there a more simple method for people with
> their own notebooks in our network?

Yup. See above.
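Kurt's remark that root_squash removes most of the danger of a remote root talking to the server, and Gillett's earlier worry about remote roots mounting volumes, both come down to what the server's export table actually says. As an added example (not code from the thread; the export file, host names, addresses and the read-only policy are all constructed), here is a small audit of /etc/exports lines in Linux nfs-utils host(options) syntax that flags no_root_squash, rw exports to every host, the insecure option, and rw on a tree the local policy keeps read-only.

```python
import re

# Constructed /etc/exports in Linux nfs-utils syntax, modelled on the thread's
# setup: a home tree mounted read-write by internal hosts, a software tree that
# the policy says is read-only, and lines of the kind the thread warns about.
# Added example code; the paths, hosts and addresses are invented.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/export/home    192.0.2.0/24(rw,root_squash,sync)
/export/soft    192.0.2.0/24(ro,root_squash,sync)
/export/soft    *(ro)
/export/home    vpngw.example.org(rw,no_root_squash)
/export/soft    vpngw.example.org(rw)
/export/scratch 192.0.2.0/24(rw,insecure)
"""

# Trees the local policy says must never be exported writable (constructed).
READ_ONLY_TREES = {"/export/soft"}

# host, optionally followed by a parenthesised comma-separated option list
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Parse exports(5)-style text into (path, host, options) triples.
    A path with no client list, or a client with no host part, is exported
    to every host, which exportfs writes as '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            m = CLIENT_RE.match(spec)
            host = (m.group(1) if m else spec) or "*"
            opts = m.group(2) if m and m.group(2) else ""
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((path, host, options))
    return entries


def audit_exports(text, read_only_trees=READ_ONLY_TREES):
    """Flag export entries that undo what the root_squash advice relies on.
    Only explicitly written options are examined; nfs-utils defaults to ro and
    root_squash when nothing is given (assumption: confirm against exports(5)
    on your release). Returns (path, host, reason) triples."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host,
                             "no_root_squash: a client's root is root on the server"))
        if host == "*" and "rw" in opts:
            findings.append((path, host, "rw export to every host"))
        if "insecure" in opts:
            findings.append((path, host,
                             "insecure: requests accepted from unprivileged source ports"))
        if path in read_only_trees and "rw" in opts:
            findings.append((path, host, "rw on a tree the policy keeps read-only"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print("%-16s %-22s %s" % (path, host, reason))
```

On the constructed sample the audit reports three entries: the VPN gateway's no_root_squash export of the home tree, its rw export of the software tree, and the insecure scratch export. Note what the check cannot tell you: with AUTH_SYS, root_squash only remaps uid 0, so a remote root who can become any other uid on their own laptop is still that uid on the server, which is the gap Kurt's "more advanced authentication" remark and Gillett's "force them through an internal client" suggestion are both aimed at.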
> greets
> AlanCB

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

From rage at dial.eunet.ch Mon Oct 22 18:11:45 2001
From: rage at dial.eunet.ch (AlanCB)
Date: Tue, 23 Oct 2001 00:11:45 +0200 (CEST)
Subject: [vpn] Re: vpn nfs (fwd)
In-Reply-To: <014f01c15b40$eee4ef60$6400030a@seifried.org>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thank you for your response(s)
let me clarify the situation:

In our network we have several hundred unix boxes all connected to our nfs server. These boxes are ours of course, only the sysadmins are root. No box is behind a firewall or in a vpn, all have a publicly assigned ip. Being a university, we have assistants, professors and doctorates who bring in their own laptops and need a net connection. Now I'm sure you know the dangers there are when someone has root on a box and can connect to our nfs server... enough said there. The further dangers of having root on our network which doesn't belong to us don't even need to be mentioned.

Hence my idea of a vpn, with say a network like 192.168.1/24. They can do what they want there with root, however they should still be allowed to connect to the nfs/internet. Here's where my problem lies - I can't set two different types of perms on our nfs server for the same user. When he's using one of our boxes again and his notebook is at home, he needs his user dir and software on the nfs.

So here's my (confusing) situation:

user with notebook, ip: 192.168.1.20 goes over vpn gateway 192.168.1.1 which has a second interface (12.34.56.78) to our nfs. The nfs allows 12.34.56.78 to do anything any other normal box can. The vpn gateway should be able to decide that user from 192.168.1.20 only has r+w perms to his user dir on the nfs and r perms to our software directory on the nfs.
Is this somehow possible or is there a more simple method for people with their own notebooks in our network?

A Virtual Private Network to me is one which (in our case) has privately assigned IPs and has a gateway which masquerades and is a firewall. gShield (with some work of my own) easily does this. The only problem(s) I have are outlined above.

Thank you for your swift replies from today and I look forward to any response!

greets
AlanCB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE71Jmmt/sRD4MkngARAt7oAJ9lEjEk2j+uTJOeCHPSxjS5u+3ybwCfY7Bm
aeg/qa3qx2d2DGy382D9jqA=
=p4Tb
-----END PGP SIGNATURE-----

From dgillett at deepforest.org Mon Oct 22 21:11:57 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Mon, 22 Oct 2001 18:11:57 -0700
Subject: [vpn] Re: vpn nfs (fwd)
In-Reply-To:
References: <014f01c15b40$eee4ef60$6400030a@seifried.org>
Message-ID: <3BD4616D.25767.301B7BBB@localhost>

Thank you for the clarification, which helps considerably.

It appears to me that your internal machines share security/account info (NIS?), so that any internal machine can mount volumes from the NFS server and will locally enforce the access permissions for each user account. But because remote users are typically root on their remote machines, they will have all access to any mounted NFS volumes, as if they were root on an internal machine. Okay so far?

I would be surprised and disappointed if there is not some way to configure your NFS server such that it will only allow remote machines to mount data subject to local enforcement of the shared account structure. However, in the absence of knowledge of such a provision, the other possibility that springs to mind is to secure your network so that remote machines are not allowed to mount NFS shares directly. Force remote users to connect to an internal server (perhaps using SSH?[*]), such as the one they would use if they were on-site, which does enforce the network security account structure, and which in turn serves as the NFS client.

[*] Note that SSH alone provides a shell connection, and this is not usually considered a VPN unless you run something like PPP over that to provide a transport layer.
David Gillett
From rage at dial.eunet.ch Mon Oct 22 18:45:24 2001
From: rage at dial.eunet.ch (AlanCB)
Date: Tue, 23 Oct 2001 00:45:24 +0200 (CEST)
Subject: [vpn] Re: vpn nfs (fwd)
In-Reply-To: <001501c15b48$a8367a40$6400030a@seifried.org>
Message-ID:

Other than username/password and/or IP address, what other more advanced authentication method could (should) I consider with NFS?

greets
AlanCB

On Mon, 22 Oct 2001, Kurt Seifried wrote:

> Have you considered using the more advanced authentication available in
> NFS rather than the IP/user?
From sysadmin at rckc.org Tue Oct 23 14:18:16 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Tue, 23 Oct 2001 11:18:16 -0700
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID:

Hello:

Could I get some assistance please? Can anyone give me some step by step instructions of how to establish a VPN from a Windows 2000 Workstation to a Windows 2000 server each located in a different city? Both computers have 24/7 fast internet connections. The Windows 2000 server is fully configured and already in production. W2K Workstation has yet to be installed. Can someone please assist a newbie with step by step instructions of how to proceed? I need to get this VPN up and functional on Thursday. I am up against a deadline. So any help you can give me will be most appreciated.

Greg W. Gordon
Systems Administrator
Recovery Centers of King County

From sysadmin at rckc.org Tue Oct 23 16:34:23 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Tue, 23 Oct 2001 13:34:23 -0700
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID:

Hello Simer:

Thank you for the information. I really appreciate it. Could you or someone else on the list give me a step by step how to? I need a no frills VPN up and functional by Thursday afternoon. The server the tunnel will be connecting to is fully configured already. This will be the third tunnel going into the server in question. And unfortunately I am on my own on this one. Any and all assistance is appreciated.

Thank you,
Greg W.
Gordon
Systems Administrator

-----Original Message-----
From: Mayo, Simer [mailto:Mayo at ctgi.com]
Sent: Tuesday, October 23, 2001 1:18 PM
To: Greg W. Gordon
Subject: RE: [vpn] VPN W2K WORKSTATION TO SERVER

Greg,

You can get good info on the following link. If you need more help please let me know.

http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp

Good Luck

Simer Mayo
IT Manager
Cottonwood Technology Group Inc.
1505 N. Hayden, Suite J5
Scottsdale, AZ 85257
Phone: 480-970-3332 (x-174)
Fax: 480-970-3322

From jmorris at graycary.com Tue Oct 23 17:15:22 2001
From: jmorris at graycary.com (Morris, Jason)
Date: Tue, 23 Oct 2001 14:15:22 -0700
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID: <27908515C23BF34791523AA6210DF40804CC2264@sanmail1.sd.internal>

Greg,

If you need it done for you then consider hiring a consultant. The advice you will get from a list is intended for those who have already put forth some (any?) effort.
When you have tried and are stumped please feel free to write back with specific questions - and be prepared to provide details on what did and didn't work.

Jason Morris, Security Analyst
GRAYCARY.
Voice: 619.699.3574
Mobile:
From sysadmin at rckc.org Tue Oct 23 17:20:19 2001
From: sysadmin at rckc.org (Greg W. Gordon)
Date: Tue, 23 Oct 2001 14:20:19 -0700
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID:

Dear Jason:

I understand your point of view. I am trying to garner as much information as I possibly can as I must be on the client site on Thursday. I have precisely one day to complete this task including the installation of W2k professional. If I have to write in when I encounter a problem because of my limited time then there is going to be a problem. I appreciate your patience.

Greg W. Gordon
From cgripp at axcelerant.com Tue Oct 23 18:07:54 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 23 Oct 2001 15:07:54 -0700
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D46B3@guam.corp.axcelerant.com>

Sounds like you sold a customer something you can't do. Nice.
From MKelley at m-v-t.com Tue Oct 23 23:28:30 2001
From: MKelley at m-v-t.com (Michael Kelley)
Date: Tue, 23 Oct 2001 21:28:30 -0600
Subject: [vpn] Cisco 3000 VPN and W2K Pro
Message-ID: <004101c15c3b$f70d14a0$9865fea9@wen6t5tdr5dyil>

Has anyone gotten these two to play nice?
I tried installing on a W2K machine but it wouldn't even begin the install .... I've tried to find the download from cisco .. but have only gotten lost in the endless links of non-understanding ... We have recently set up the Cisco AVVID system at my work and the server side is up and running ... the little bit of documentation I got (the readme files on the CD) didn't seem to support the idea that Cisco VPN 3000 could run under W2K .... I'm heading to the archives to see if I find anything but if you know (or have solved) ... help would be appreciated ....

Mike

From fwfd52 at yahoo.com Wed Oct 24 11:18:21 2001
From: fwfd52 at yahoo.com (Clint Redelfs)
Date: Wed, 24 Oct 2001 08:18:21 -0700 (PDT)
Subject: [vpn] VPN Research Paper
Message-ID: <20011024151821.95492.qmail@web21002.mail.yahoo.com>

I am doing a research paper for my college networking class and was hoping you could send me some information and/or diagrams about VPNs and how they work.

Thank you very much!!!

Clint Redelfs

From cgripp at axcelerant.com Wed Oct 24 14:19:17 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 24 Oct 2001 11:19:17 -0700
Subject: [vpn] Cisco 3000 VPN and W2K Pro
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D46C5@guam.corp.axcelerant.com>

Which version of the client software are you running? I know the "unity client" is supposed to support w2k.

-----Original Message-----
From: Michael Kelley [mailto:MKelley at m-v-t.com]
Sent: Tuesday, October 23, 2001 8:29 PM
To: vpn at securityfocus.com
Subject: [vpn] Cisco 3000 VPN and W2K Pro

Has anyone gotten these two to play nice? I tried installing on a W2K machine but it wouldn't even begin the install .... I've tried to find the download from cisco ..
but have only gotten lost in the endless links of non-understanding ... We have recently set up the Cisco AVVID system at my work and the server side is up and running ... the little bit of documentation I got (the readme files on the CD) didn't seem to support the idea that Cisco VPN 3000 could run under W2K .... I'm heading to the archives to see if I find anything but if you know (or have solved) ... help would be appreciated ....

Mike

From sandy at storm.ca Wed Oct 24 14:39:33 2001
From: sandy at storm.ca (Sandy Harris)
Date: Wed, 24 Oct 2001 14:39:33 -0400
Subject: [vpn] VPN Research Paper
References: <20011024151821.95492.qmail@web21002.mail.yahoo.com>
Message-ID: <3BD70AE5.E556C1FF@storm.ca>

Clint Redelfs wrote:
>
> I am doing a research paper for my college networking
> class and was hoping you could send me some
> information and/or diagrams about VPNs and how they
> work.

Have a look at some of the Open Source VPN software.

The Linux FreeS/WAN implementation of IPsec has all its docs online at www.freeswan.org. I'm a tad biased, since I wrote them, but I think they should have most of what you need, and I hope they're understandable :-).

See openbsd.org, freebsd.org, netbsd.org and kame.net for other Open Source IPsec.

PoPToP is an Open Source PPTP client.

vpnc.org (VPN Consortium) has a lot of info as well.

From paul at moquijo.com Wed Oct 24 13:58:22 2001
From: paul at moquijo.com (Paul Cardon)
Date: Wed, 24 Oct 2001 13:58:22 -0400
Subject: [vpn] Cisco 3000 VPN and W2K Pro
References: <004101c15c3b$f70d14a0$9865fea9@wen6t5tdr5dyil>
Message-ID: <3BD7013E.9E26918A@moquijo.com>

Michael Kelley wrote:
>
> Has anyone gotten these two to play nice? I tried installing on a W2K
> machine but it wouldn't even begin the install .... I've tried to find the
> download from cisco .. but have only gotten lost in the endless links of
> non-understanding ...
> We have recently set up the Cisco AVVID system at my
> work and the server side is up and running ... the little bit of
> documentation I got (the readme files on the CD) didn't seem to support the
> idea that Cisco VPN 3000 could run under W2K .... I'm heading to the
> archives to see if I find anything but if you know (or have solved) ... help
> would be appreciated ....

Using your Cisco CCO login go to:

http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml

and select Cisco VPN Client which will take you to the download procedure. There is a client that supports W2K.

-paul

From MikeK at M-V-T.COM Wed Oct 24 15:46:51 2001
From: MikeK at M-V-T.COM (Mike Kelley)
Date: Wed, 24 Oct 2001 13:46:51 -0600
Subject: [vpn] Cisco 3000 VPN and W2K Pro
Message-ID:

I keep hearing that we are using UNITY, the CD is a burned copy ... and from there all I know is that it's Cisco's VPN 3000 client

-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Wednesday, October 24, 2001 12:19 PM
To: Michael Kelley; vpn at securityfocus.com
Subject: RE: [vpn] Cisco 3000 VPN and W2K Pro

Which version of the client software are you running? I know the "unity client" is supposed to support w2k.

-----Original Message-----
From: Michael Kelley [mailto:MKelley at m-v-t.com]
Sent: Tuesday, October 23, 2001 8:29 PM
To: vpn at securityfocus.com
Subject: [vpn] Cisco 3000 VPN and W2K Pro

Has anyone gotten these two to play nice? I tried installing on a W2K machine but it wouldn't even begin the install .... I've tried to find the download from cisco .. but have only gotten lost in the endless links of non-understanding ... We have recently set up the Cisco AVVID system at my work and the server side is up and running ... the little bit of documentation I got (the readme files on the CD) didn't seem to support the idea that Cisco VPN 3000 could run under W2K ....
I'm heading to the archives to see if I find anything but if you know (or have solved) ... help would be appreciated ....

Mike

From Dave_Rypma at manulife.com Wed Oct 24 16:11:18 2001
From: Dave_Rypma at manulife.com (Dave_Rypma at manulife.com)
Date: Wed, 24 Oct 2001 16:11:18 -0400
Subject: [vpn] Cisco 3000 VPN and W2K Pro
Message-ID:

I've been using the Cisco VPN 3000 client on Win2K Pro for quite some time. It's version 3.0.1 Rel K-9.

Dave

To: "Michael Kelley"
cc: (bcc: Dave Rypma/Canadian Division/Manulife)
Subject: [vpn] Cisco 3000 VPN and W2K Pro
2001-10-23 23:28

Has anyone gotten these two to play nice? I tried installing on a W2K machine but it wouldn't even begin the install .... I've tried to find the download from cisco .. but have only gotten lost in the endless links of non-understanding ... We have recently set up the Cisco AVVID system at my work and the server side is up and running ... the little bit of documentation I got (the readme files on the CD) didn't seem to support the idea that Cisco VPN 3000 could run under W2K .... I'm heading to the archives to see if I find anything but if you know (or have solved) ... help would be appreciated ....

Mike

From alberto.cardona at cnacm.com Wed Oct 24 16:06:26 2001
From: alberto.cardona at cnacm.com (Cardona, Alberto)
Date: Wed, 24 Oct 2001 16:06:26 -0400
Subject: [vpn] VPN tunnel termination????
Message-ID: <2722EAE39027D5118EF00002A52C1270D1327D@AMWNJX1>

Does anyone know what are the security ramifications if you terminate a VPN tunnel to a router instead of a firewall/router.

For example is it safer to do a Check Point/Nokia to Check Point/Nokia or PIX to PIX VPN tunnel OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750).
Thanks

AC

From fli at pyr.com Wed Oct 24 16:36:51 2001
From: fli at pyr.com (Fei Li)
Date: Wed, 24 Oct 2001 16:36:51 -0400
Subject: [vpn] Questions on VPN service
Message-ID:

I'm looking for information about how to select VPN service. My research project involves the general selecting criteria for large enterprises (multinational), Small and Medium Sized enterprises. What are the major concerns for selecting VPN and integrating to existing IT network infrastructures? If you have any idea or know any websites where I can look for info., please let me know.

Appreciate your input!

Fei Li

From cgripp at axcelerant.com Wed Oct 24 17:33:58 2001
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Wed, 24 Oct 2001 14:33:58 -0700
Subject: [vpn] VPN tunnel termination????
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF016CEF@guam.corp.axcelerant.com>

1. Performance. Let firewalls be firewalls, routers be routers, and VPN devices be VPN devices. The caveat there is price and expediency of deployment. I.e. if you already own a Checkpoint firewall it won't be too difficult to start running a VPN to it. Reasons 2, 3, and 4 make this my least favorite option.

2. Layered security. This architecture goes out the door if you use the same firewall box for your VPN. In my world, VPN boxes have firewalling functionality on them but, are not my company's firewalls. Make sense?

3. Availability. I don't like having ALL my critical devices on one box. Having a single firewall to the internet that is also my VPN box is a viable solution for a small business where cost is critical and security is a residual effect. Not for a mission critical Enterprise.

4. Flexibility. (sometimes read as, extra administrative burden!) For an Enterprise class solution my preference, not that I get my way every time, is to have a border firewall with the VPN device behind that and another firewall behind the VPN.
If the VPN device has a firewall on it then the border firewall isn't an absolute necessity but, it certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND behind the VPN. Having it in front of the VPN provides protection from attempts to compromise the VPN device itself from the outside (Internet) and protection from DoS attacks. I can limit the traffic to only IPSec related protocols and thus prevent attempts to telnet, SSH or whatever directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the traffic coming from within the VPN network. I can't do any traffic filtering or protocol based authentication or filtering when the traffic is still encrypted. But, once I have decrypted it, I can run it through another firewall and then have those options. So, if I want to limit a particular group of users to a particular set of protocols or even systems when they are VPNing in then I can do that with the additional firewall.

Hope that helps.

Christopher Gripp
Systems Engineer
Axcelerant

"To have a right to do a thing is not at all the same as to be right in doing it." -G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does anyone know what are the security ramifications if you terminate a VPN tunnel to a router instead of a firewall/router.

For example is it safer to do a Check Point/Nokia to Check Point/Nokia or PIX to PIX VPN tunnel OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750).
Thanks

AC

From alberto.cardona at cnacm.com Wed Oct 24 18:23:10 2001
From: alberto.cardona at cnacm.com (Cardona, Alberto)
Date: Wed, 24 Oct 2001 18:23:10 -0400
Subject: [vpn] VPN tunnel termination????
Message-ID: <2722EAE39027D5118EF00002A52C1270D13283@AMWNJX1>

I currently have 1 dedicated Firewall (FW-1/Nokia) used only for Internet Browsing and another separate one only for site to site VPN. I have many sites running in a full blown VPN mesh. On my site to site I have a 2 tier level security. We have had no problems so far. 1 platform dedicated just for Routing (Internet Router) and the other platform dedicated for VPN (FW-1/Nokia). An attacker would have to exploit both platforms to compromise the internal network.

Here comes my problem.

We are currently thinking of replacing our current setup with a Cisco router based VPN. We want to implement a design that uses a Cisco 1750 using the Firewall add-on and Encryption accelerator card for our remote sites. These Cisco 1750s will then hub into a Cisco 7000 VPN router running Cisco Firewall package and accelerator card. We will have 2 hubs located in different states which are connected to each other via frame. The tunnels between the 1750 and 7000 router are going to be GRE based with IPSEC because of OSPF. 1 hub is going to be a Primary and the other a backup. By using GRE, OSPF should take care of the failover (I hope)

Each router at each location (Hub and remote site) is going to be connected directly to the network. In other words, one connection to the LAN and the other to the Internet.

My question is does this compromise my level of security? Since I am only using a 1 tier level design by using a Cisco router to be a VPN, Firewall and a router.
Regards,

AC

-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Wednesday, October 24, 2001 5:34 PM
To: Cardona, Alberto; vpn at securityfocus.com; FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Subject: RE: [vpn] VPN tunnel termination????

1. Performance. Let firewalls be firewalls, routers be routers, and VPN devices be VPN devices. The caveat there is price and expediency of deployment. I.e. if you already own a Checkpoint firewall it won't be too difficult to start running a VPN to it. Reasons 2, 3, and 4 make this my least favorite option.

2. Layered security. This architecture goes out the door if you use the same firewall box for your VPN. In my world, VPN boxes have firewalling functionality on them but, are not my company's firewalls. Make sense?

3. Availability. I don't like having ALL my critical devices on one box. Having a single firewall to the internet that is also my VPN box is a viable solution for a small business where cost is critical and security is a residual effect. Not for a mission critical Enterprise.

4. Flexibility. (sometimes read as, extra administrative burden!) For an Enterprise class solution my preference, not that I get my way every time, is to have a border firewall with the VPN device behind that and another firewall behind the VPN. If the VPN device has a firewall on it then the border firewall isn't an absolute necessity but, it certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND behind the VPN. Having it in front of the VPN provides protection from attempts to compromise the VPN device itself from the outside (Internet) and protection from DoS attacks. I can limit the traffic to only IPSec related protocols and thus prevent attempts to telnet, SSH or whatever directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the traffic coming from within the VPN network.
I can't do any traffic filtering or protocol based authentication or filtering when the traffic is still encrypted. But, once I have decrypted it, I can run it through another firewall and then have those options. So, if I want to limit a particular group of users to a particular set of protocols or even systems when they are VPNing in then I can do that with the additional firewall.

Hope that helps.

Christopher Gripp
Systems Engineer
Axcelerant

"To have a right to do a thing is not at all the same as to be right in doing it." -G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does anyone know what are the security ramifications if you terminate a VPN tunnel to a router instead of a firewall/router.

For example is it safer to do a Check Point/Nokia to Check Point/Nokia or PIX to PIX VPN tunnel OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750).

Thanks

AC

From dgillett at deepforest.org Wed Oct 24 18:29:34 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Wed, 24 Oct 2001 15:29:34 -0700
Subject: [vpn] VPN tunnel termination????
In-Reply-To: <2722EAE39027D5118EF00002A52C1270D1327D@AMWNJX1>
Message-ID: <3BD6DE5E.7180.39D385D7@localhost>

On 24 Oct 2001, at 16:06, Cardona, Alberto wrote:

> Does anyone know what are the security ramifications if you
> terminate a VPN tunnel to a router instead of a firewall/router.
>
> For example is it safer to do a Check Point/Nokia to Check
> Point/Nokia or PIX to PIX VPN tunnel OR a router to router based
> tunnel (ex. Cisco 3640 to Cisco 1750).
>
> Thanks
>
> AC

Since the tunnel involves extending local network services to a remote site/client, I think it's wise to have that traffic traverse a packet logging/filtering point just outside the tunnel termination. That recommendation, though, could be used to support either answer to your question, depending on whether a given firewall implementation, in providing VPN tunnel termination, also filters that traffic.

If you terminate the tunnel on a device in front of the firewall, you guarantee that the traffic can be filtered by the firewall, but you may also need to purchase an extra/larger router.

On the other hand, firewalling, VPN termination, and NAT are all "security boundary" services, and it may be tricky to get these all right if they are spread across several devices. A single device that provides all three limits your flexibility, hopefully only to sensible arrangements that do what you need.

David Gillett

From dgillett at deepforest.org Wed Oct 24 18:29:33 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Wed, 24 Oct 2001 15:29:33 -0700
Subject: [vpn] Cisco 3000 VPN and W2K Pro
In-Reply-To: <004101c15c3b$f70d14a0$9865fea9@wen6t5tdr5dyil>
Message-ID: <3BD6DE5D.16364.39D3821E@localhost>

On 23 Oct 2001, at 21:28, Michael Kelley wrote:

> Has anyone gotten these two to play nice? I tried installing on a
> W2K machine but it wouldn't even begin the install .... I've tried
> to find the download from cisco .. but have only gotten lost in the
> endless links of non-understanding ... We have recently set up the
> Cisco AVVID system at my work and the server side is up and running
> ... the little bit of documentation I got (the readme files on the
> CD) didn't seem to support the idea that Cisco VPN 3000 could run
> under W2K .... I'm heading to the archives to see if I find
> anything but if you know (or have solved) ... help would be
> appreciated ....
>
> Mike

I recall three generations of Win2K behaviour by Cisco 3000 clients:

1. Detect Win2K and refuse to install. (This appears to be what you have).

2. Detect Win2K; complete install only if user confirms disabling of Win2K IPSEC policy feature. (I don't believe this ever got out of beta, it was superseded by #3 below without ever being fully released.)

3. Native Win2K IPSEC support.

Now, #3 was released somewhere around March/April, so if you've still got #1 you should get the update from CCO.....

Dave Gillett

From raymond.tan at atica.pm.gouv.fr Thu Oct 25 04:51:43 2001
From: raymond.tan at atica.pm.gouv.fr (TAN, Raymond)
Date: Thu, 25 Oct 2001 10:51:43 +0200
Subject: [vpn] help!!!
Message-ID:

Hello,

I'm acquainted with firewalls, routers, networking, Network address translation, PAT, etc.... but really only from an academic point of view from readings here and there. I've no practical experience at all in setting up and managing a network be it LAN or WAN. My real problem is therefore "seeing" how real equipment is placed. How they are physically connected. Why must there be two IP addresses for a firewall? For a router also? etc.. etc.... Most configurations I see in magazines give a schematic representation but don't deal with such basic practical questions and it doesn't really help me at all.

Also questions which often crop up like:

1. when I configure a router with network translation, what is actually "seen" by the outside world (internet)? As the RFC private non routable addresses of the company are translated, is it just ONLY the firewall IP public address which is visible to the outside world? What if internal servers are accessible to the outside world and have public IP addresses? Are these IP addresses seen as is?
ie with their own publicly assigned IP addresses to the outside world when they get through the company firewall to communicate with another server on internet or is it the address of the firewall which is systematically substituted for these addresses and therefore the only visible address seen by the outside world?

2. A router is itself a sort of firewall for IP filtering, right? But a PC connected to a router where a software operates some sort of application filtering is also a firewall, right? When I read articles on firewalls, there is no mention of what kind of firewall is used. Do I sound confused?

3. An ACL on a cisco router allows traffic based on IP source, destination, port, protocol addresses as well as traffic direction. What does it mean to say that traffic is allowed to circulate only from address source A to destination address B? If A sends traffic to B, and B replies to A, traffic is necessarily a two way issue isn't it? If the ACL says: only A--> B, then A will never ever get replies from B since only unidirectional flow is permitted. Do I sound silly with this question?

4. And so many other questions in this vein: Sendmail, DNS, ..... which is really fascinating and captivating. But I hope that someone can enlighten me on the first three questions.

Sorry about asking these basic questions which probably shouldn't figure here. But I'm really at a loss as to where I can find clear practical answers to my questions because surfing on the net hasn't really helped me find the right (non academic) answers. I find a number of sites but maybe I didn't open or check up the right ones. I don't know about lists or newsgroups where I can subscribe so as to get the "feel" of the whole thing.

If anyone has got a tutorial, a short practical guide about all that's necessary to put up a LAN, WAN, VPN, etc... or knows about a site with good clear concrete examples and explanations, please can you send me the URL links?
I need to know as I'm new on this job and have no way of going through a course to help me understand the network issue from a very pragmatic point of view.

Thanks a lot in advance for any help given.

RT

From stephen.hope at energis.com Thu Oct 25 07:04:44 2001
From: stephen.hope at energis.com (Stephen Hope)
Date: Thu, 25 Oct 2001 12:04:44 +0100
Subject: [vpn] VPN W2K WORKSTATION TO SERVER
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458F06@email.datarange.co.uk>

Greg,

this sounds like a problem you should solve before you go.

maybe you need to think about having a bench test setup - that way you can solve the chicken and egg problem you are describing, and you won't cause problems on the existing (live?) system.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Greg W. Gordon [mailto:sysadmin at rckc.org]
> Sent: 23 October 2001 22:20
> To: Morris, Jason
> Cc: vpn at securityfocus.com
> Subject: RE: [vpn] VPN W2K WORKSTATION TO SERVER
>
> Dear Jason:
>
> I understand your point of view. I am trying to garner as much
> information as I possibly can as I must be on the client site on
> Thursday. I have precisely one day to complete this task including the
> installation of W2k professional. If I have to write in when I encounter
> a problem because of my limited time then there is going to be a
> problem. I appreciate your patience.
>
> Greg W. Gordon
>
> -----Original Message-----
> From: Morris, Jason [mailto:jmorris at graycary.com]
> Sent: Tuesday, October 23, 2001 2:15 PM
> To: Greg W. Gordon
> Cc: vpn at securityfocus.com
> Subject: RE: [vpn] VPN W2K WORKSTATION TO SERVER
>
> Greg,
> If you need it done for you then consider hiring a
> consultant.
> The advice you will get from a list is intended for those who have already
> put forth some (any?) effort. When you have tried and are stumped please
> feel free to write back with specific questions - and be prepared
> to provide details on what did and didn't work.
>
> Jason Morris, Security Analyst
> GRAYCARY.
> Voice: 619.699.3574
> Mobile:
>
> -----Original Message-----
> From: Greg W. Gordon [mailto:sysadmin at rckc.org]
> Sent: Tuesday, October 23, 2001 1:34 PM
> To: Mayo, Simer
> Cc: vpn at securityfocus.com
> Subject: RE: [vpn] VPN W2K WORKSTATION TO SERVER
>
> Hello Simer:
>
> Thank you for the information. I really appreciate it. Could you or
> someone else on the list give me a step by step how to? I need a no
> frills VPN up and functional by Thursday afternoon. The server the tunnel
> will be connecting to is fully configured already. This will be the third
> tunnel going into the server in question. And unfortunately I am on
> my own on this one. Any and all assistance is appreciated.
>
> Thank you,
>
> Greg W. Gordon
> Systems Administrator
>
> -----Original Message-----
> From: Mayo, Simer [mailto:Mayo at ctgi.com]
> Sent: Tuesday, October 23, 2001 1:18 PM
> To: Greg W. Gordon
> Subject: RE: [vpn] VPN W2K WORKSTATION TO SERVER
>
> Greg,
>
> You can get good info on the following link. If you need more help
> please let me know.
> http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnoverview.asp
>
> Good Luck
>
> Simer Mayo
> IT Manager
>
> Cottonwood Technology Group Inc.
> 1505 N. Hayden, Suite J5
> Scottsdale, AZ 85257
> Phone: 480-970-3332 (x-174)
> Fax: 480-970-3322
>
> -----Original Message-----
> From: Greg W. Gordon [mailto:sysadmin at rckc.org]
> Sent: Tuesday, October 23, 2001 11:18 AM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN W2K WORKSTATION TO SERVER
>
> Hello:
>
> Could I get some assistance please?
> Can anyone give me some step by step
> instructions of how to establish a VPN from a Windows 2000 Workstation
> to a Windows 2000 server each located in a different city? Both computers
> have 24/7 fast internet connections. The Windows 2000 server is fully
> configured and already in production. W2K Workstation has yet to be installed.
> Can someone please assist a newbie with step by step instructions
> of how to proceed? I need to get this VPN up and functional on
> Thursday. I am up against a deadline. So any help you can give me will be most
> appreciated.
>
> Greg W. Gordon
> Systems Administrator
> Recovery Centers of King County

From alberto.cardona at cnacm.com Thu Oct 25 11:54:43 2001
From: alberto.cardona at cnacm.com (Cardona, Alberto)
Date: Thu, 25 Oct 2001 11:54:43 -0400
Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
Message-ID: <2722EAE39027D5118EF00002A52C1270D13289@AMWNJX1>

What I want to do is for my friend's remote vpn sites (10) to fail over to his secondary VPN HUB.

Here is his scenario.

He just got acquired by another company. His current company relies on a Full blown IPsec VPN mesh with a backup ISDN.
He is running Voice over IP thru his IPsec 3DES VPN.

This new company relies on a LARGE Frame network that runs OSPF on Cisco's. They now want to implement a VPN running OSPF because they use OSPF. They installed a frame link from his location (New York) to their headquarters (Detroit). Now they want to implement a secondary location (Houston) which has an internet connection and a frame connection back into the headquarters (Detroit). They want this secondary location (Houston) to be a backup in case his location (New York) fails for his remote sites.

Someone within this new company mentioned that his current Nokia/Check Point solution won't work with the failover design because IPsec can't handle multicast broadcast traffic (ex OSPF). They need to run OSPF for a failover design.

Their solution is to REMOVE all of his Nokia/Check Point and implement a Cisco Router based VPN design. Cisco's 1750 for Remote sites and 7140 for each Hub. Each router both remote site and hub will have Cisco's firewall/IDS package and encryption module. The Cisco's VPN tunnels are going to be using GRE encapsulation for the OSPF. In case of a failover to the Secondary HUB, OSPF will update the Frame network regarding the failover. IPsec 3DES for the data encryption. This new design is not going to be a MESH but a Hub and Spoke.

His problem with this HUB and SPOKE design is this.

1). He is afraid because this design relies on a 1 tier security design. The Cisco's routers will be handling the VPN, Routing Protocols, Firewall, and IDS on each router. His current design is 2 tier level. Cisco for the Internet router and Nokia/Check Point for VPN/Firewall

2). He thinks his Voice over IP will fail between remote sites because the MESH will be gone.

3). The performance on the Cisco. Would they be able to handle the load? Since they will be doing everything. (VPN, Routing, and IDS)

Has anyone implemented this solution?
AC

-----Original Message-----
From: Chris Arnold [mailto:chris.arnold at WheelHouse.com]
Sent: Wednesday, October 24, 2001 10:12 PM
To: 'Cardona, Alberto '; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com '
Subject: RE: [FW-1] VPN with OSPF

That depends on what you mean by "running site to site IPsec VPNs and using OSPF." Do you mean tunneling OSPF through an IPSec tunnel for some reason or using OSPF to route traffic to available VPN endpoints before going through a tunnel or on your edge routers once your VPN traffic has been encapsulated?

Chris

-----Original Message-----
From: Cardona, Alberto
To: FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Sent: 10/24/01 4:16 PM
Subject: [FW-1] VPN with OSPF

Is anyone running site to site IPsec VPNs and using OSPF? If so did you have to implement GRE?

Thanks

AC

From alberto.cardona at cnacm.com Thu Oct 25 10:41:03 2001
From: alberto.cardona at cnacm.com (Cardona, Alberto)
Date: Thu, 25 Oct 2001 10:41:03 -0400
Subject: [vpn] RE: VPN User List Post
Message-ID: <2722EAE39027D5118EF00002A52C1270D13288@AMWNJX1>

I have been running a fully site to site VPN mesh network since mid 1998. Locations running from Canada, Mexico, and US. If you need any info email me.

AC

-----Original Message-----
From: Smith, Kristi [mailto:kristi_smith at mentorg.com]
Sent: Wednesday, October 24, 2001 8:24 PM
To: 'alberto.cardona at cnacm.com'
Subject: VPN User List Post

Hi,

I saw your post on the VPN user list and I was curious as to why you are moving away from the Check Point/Nokia solution for your VPN mesh. We just started implementing a VPN mesh with our Check Point/Nokia boxes (we currently have 36 mesh tunnels up to 6 sites in the U.S. and Europe) and we are planning to do more.
You're the first person/company that we've heard of that is actually doing a mesh. Most companies are doing hub and spoke or using VPN strictly for remote access. We would appreciate any information you would be willing to share.

Best regards,
Kristi Smith
Network Engineer
Mentor Graphics Corporation
(503) 685-1971
kristi_smith at mentor.com

From Keith.Pachulski at corp.ptd.net Thu Oct 25 08:14:15 2001
From: Keith.Pachulski at corp.ptd.net (Keith Pachulski)
Date: Thu, 25 Oct 2001 08:14:15 -0400
Subject: [vpn] VPN authentication
Message-ID:

I'm not really sure if this is the right forum for this, but it goes along the same lines as the previous email. I'm trying to get tac_plus_v8 to use MS-CHAP in coordination with S/Key for authentication of PPTP connections. I'm having two issues, the first being that the documentation is lacking with the tac_plus package as well as on the net. If anyone can lend some assistance in configuring tac_plus to make use of MS-CHAP and then mskey with MS-CHAP, I would appreciate it.

tac_plus_v8
skey1.1.5

If this is not the right forum, please direct me to the correct one to address this question to =)

-----Original Message-----
From: Scott Armstrong [mailto:sailnit at speakeasy.net]
Sent: Thursday, October 11, 2001 6:54 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] VPN authentication

> Is there any VPN product which supports three part authentication User
> ID + Password + anything.. (excluding SecurID, digital certificate,
> Radius), say one more password

Not sure if it's exactly what you are looking for, but maybe something like this:

http://www.passgo.com/products/defender/
or
http://freshmeat.net/projects/skey/

which are one time password generation systems (user name plus a response which is generated from a combination of a user password and server challenge). Then you could look for stuff that integrates with S/Key or Defender.
HTH,
Scott

From thierry_b at ifrance.com Thu Oct 25 01:09:27 2001
From: thierry_b at ifrance.com (Thierry Blanchard)
Date: Wed, 24 Oct 2001 22:09:27 -0700
Subject: [vpn] VPN implementation
Message-ID: <000b01c15d13$39827fa0$c806010a@thierry>

I have a main site with a file server (running NT4 Server) behind a firewall and a remote site with Win98 clients behind a firewall and using NAT. I'd like to give access to the file server to the remote site and I'm investigating the different solutions and would like to know your advice. My ideas are:

- Install VPN on both firewalls to create a tunnel between the 2 sites.
- Install VPN on the file server and a VPN client on all Win98 machines. Then they would have to launch the VPN connection each time they want to connect to the file server.
- Can I install VPN on the file server and a VPN client on the firewall located on the remote site? (Not a good idea to me.)
- I think I can't use IPsec because it's only Win98 clients. Right?
- What about SSH?

Thanks for any idea you could have or any links you could point me to.

Thierry.

From sandy at storm.ca Thu Oct 25 15:33:44 2001
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 25 Oct 2001 15:33:44 -0400
Subject: [vpn] help!!!
References:
Message-ID: <3BD86918.BDEE2760@storm.ca>

"TAN, Raymond" wrote:

> Why must there be two IP addresses for a firewall ? For a router also ?
> etc..etc....

Sounds like you need a good basic book on TCP/IP. I like Doug Comer's stuff, but there are many others.

IP addresses are assigned to interfaces, not to machines.
A gateway is a host with two or more interfaces, and therefore with addresses on two or more networks. It can then move packets between those nets. Firewalls and routers are basically gateways with filtering.

> Also questions which often crop up like :
> 1. when I configure a router with network translation, what is actually
> " seen " by the outside world (internet) ? As the RFC private non routable
> addresses of the company are translated, is it just ONLY the firewall IP
> public address which is visible to the outside world ?

Yes, if things are working right, all non-routable addresses get translated.

> What if internal
> servers are accessible to the outside world and dispose of public IP
> addresses ? Are these IP addresses seen as is ? ie with their own publicly
> affected IP addresses to the outside world when they get through the company
> firewall to communicate with another server on internet or is it the address
> of the firewall which is systematically substituted to these addresses and
> therefore the only visible address seen by the outside world ?

You can set it up either way.

> 2. A router is itself a sort of firewall for IP filtering right ?.

Most routers can do packet filtering, so in that sense they are firewalls. Many firewalls do additional things, like application-level proxying or running intrusion detection software. Most routers are not capable of these. For details, try the Cheswick and Bellovin book.

> But
> a PC connected to a router where a software operates some sort of
> application filtering is also a firewall right ?

A PC can certainly do packet filtering and, with the right software, other firewall things.

From webmaster at deltecsolutions.com Thu Oct 25 16:36:47 2001
From: webmaster at deltecsolutions.com (Tim Kowalsky - Network Admin / Internet Consultant)
Date: Thu, 25 Oct 2001 15:36:47 -0500
Subject: [vpn] VPN Security?
Message-ID: <009b01c15d94$c5feaef0$0a01a8c0@gotham.designby.com>

Can anyone point me to a good resource on the relative security of the Windows 2000 implementation of PPTP? I realize that the earlier version (NT 4) had serious problems, but I've had difficulty tracking down any specifics on the later version, which I know fixed some of the holes of the first implementation.

From safiera at gss-inc.com Thu Oct 25 21:57:27 2001
From: safiera at gss-inc.com (Adam Safier)
Date: Thu, 25 Oct 2001 21:57:27 -0400
Subject: [vpn] VPN tunnel termination????
In-Reply-To: <4EBB5C35607E7F48B4AE162D956666EF016CEF@guam.corp.axcelerant.com>
Message-ID:

In the ideal world you would have multiple layers and the VPN device would pass non-VPN traffic at wire speed. In the real world you don't have the budget and the VPN device is often dropped in a DMZ, creating routing issues for the return traffic. Often you end up using NAT on the inside.

There are at least two flavors of VPN, Gateway to Gateway and Client to Gateway. In many cases the gateway-gateway VPN has only primitive rules for limiting connections. For example, you only get to pick ports and IPs but lose the option to force user authentication or additional content filtering. You must do that from a subsequent firewall. Client to gateway VPN usually includes authentication options for the users and often can do other firewall stuff (content filtering). Sometimes the same authentication mechanism can be used for non-VPN users.

My favorite layout is:

Internet---Router/ACL FW---(Firewall/Gateway-Gateway VPN)---(Authentication/Client-Gateway VPN)---Internal Firewall---Inside stuff.

Usually the external router and Gateway-Gateway VPN are rolled into one with ACLs providing primitive firewalling. The internal firewall and Client VPN are rolled into a second box.

Internet---(Router/ACL FW/G-G VPN)---(Authentication/C-G VPN/Firewall)---Inside.
Ideally the internal box has static routes and no routing protocol is running, while the external can have BGP etc.

Your mileage will vary with security policy, budget, politics, vendor and existing network design.

Adam

-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Wednesday, October 24, 2001 5:34 PM
To: Cardona, Alberto; vpn at securityfocus.com; FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Subject: RE: [vpn] VPN tunnel termination????

1. Performance. Let firewalls be firewalls, routers be routers, and VPN devices be VPN devices. The caveat there is price and expediency of deployment. I.e. if you already own a Checkpoint firewall it won't be too difficult to start running a VPN to it. Reasons 2, 3, and 4 make this my least favorite option.

2. Layered security. This architecture goes out the door if you use the same firewall box for your VPN. In my world, VPN boxes have firewalling functionality on them but are not my company's firewalls. Make sense?

3. Availability. I don't like having ALL my critical devices on one box. Having a single firewall to the internet that is also my VPN box is a viable solution for a small business where cost is critical and security is a residual effect. Not for a mission critical Enterprise.

4. Flexibility. (Sometimes read as: extra administrative burden!) For an Enterprise class solution my preference, not that I get my way every time, is to have a border firewall with the VPN device behind that and another firewall behind the VPN. If the VPN device has a firewall on it then the border firewall isn't an absolute necessity, but it certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND behind the VPN. Having it in front of the VPN provides protection from attempts to compromise the VPN device itself from the outside (Internet) and protection from DoS attacks.
I can limit the traffic to only IPSec related protocols and thus prevent attempts to telnet, SSH or whatever directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the traffic coming from within the VPN network. I can't do any traffic filtering or protocol based authentication or filtering when the traffic is still encrypted. But, once I have decrypted it, I can run it through another firewall and then have those options. So, if I want to limit a particular group of users to a particular set of protocols or even systems when they are VPNing in, then I can do that with the additional firewall.

Hope that helps.

Christopher Gripp
Systems Engineer
Axcelerant

"To have a right to do a thing is not at all the same as to be right in doing it." -G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does anyone know what the security ramifications are if you terminate a VPN tunnel to a router instead of a firewall/router? For example, is it safer to do a Check Point/Nokia to Check Point/Nokia or PIX to PIX VPN tunnel, OR a router to router based tunnel (e.g. Cisco 3640 to Cisco 1750)?

Thanks
AC

From thierry_b at ifrance.com Fri Oct 26 00:46:21 2001
From: thierry_b at ifrance.com (Thierry Blanchard)
Date: Thu, 25 Oct 2001 21:46:21 -0700
Subject: [vpn] Thoughts on VPN
Message-ID: <000601c15dd9$29a218e0$c806010a@thierry>

After reading some articles, I want to make sure that what I think is right.

#1: VPN is based on different protocols.
#2: Using a layer 2 protocol, the main protocols are either PPTP (comes from MS) or L2TP.
#3: Because of security holes in PPTP, L2TP is better.
#4: Using a layer 3 protocol, the main protocol is IPSec.
Knowing that we can't compare L2TP and IPSec (because they reside on different layers), how much more secure is IPSec?

Thanks,
Thierry.

From Reckhard at secunet.de Fri Oct 26 03:24:18 2001
From: Reckhard at secunet.de (Reckhard, Tobias)
Date: Fri, 26 Oct 2001 09:24:18 +0200
Subject: [vpn] help!!!
Message-ID: <96C102324EF9D411A49500306E06C8D1A56B88@eketsv02.cubis.de>

Hi

> I'm acquainted with firewalls, routers, networking, Network address
> translation, PAT, etc....but really only from an academic point of view
> from readings here and there. I've no practical experience at all in setting
> up and managing a network be it LAN or WAN.

Get a couple of Linux (or *BSD) boxes, the O'Reilly book on TCP/IP administration, check up on the HOWTOs and you'll get into it.

> My real problem is therefore " seeing " how real equipment is placed. How
> they are physically connected.

Most equipment is connected by copper wire, some with fibre. Wireless transmission in LANs is catching on, but still has quite a way to go and poses many security risks. Backbones and WAN links use a multitude of technologies. Get Tanenbaum's book on Computer Networks if you're interested in an introduction to the whole scoop.

> Why must there be two IP addresses for a firewall ? For a router also ?

Sandy already answered this question.

> etc..etc....Most configurations I see in reviews give a schematic
> representation but don't deal with such basic practical questions and it
> doesn't really help me at all.

Well, they assume the reader is beyond the basics.

> Also questions which often crop up like :
> 1.
> when I configure a router with network translation, what is actually
> " seen " by the outside world (internet) ?

The outside world 'sees' the official addresses.

> As the RFC private non routable
> addresses of the company are translated, is it just ONLY the firewall IP
> public address which is visible to the outside world ?

This depends on the NAT/PAT setup, really. If you've got only one public (official) IP address, then the NAT device, which is typically, but not necessarily, a firewall, translates all private addresses to that one public address on outbound packets and back from that one public address to the correct private address for inbound return packets. That's what Cisco calls PAT, Linux calls IP Masquerading and many people term NAT, though the latter is often cause for misconceptions. PAT is an n:1 NAT setup, meaning that n addresses are mapped to 1. The way to keep things separated lies in the modification of the source ports of the packets coming from the n addresses and mapping ports to addresses.

There are m:m NAT setups, in which there is a public address for every private address that needs access to the Internet or from it. This doesn't require any port manipulation. Note that there could well be more than m machines on the private side of the NAT, but only m can access the Internet and be accessed from it.

> What if internal
> servers are accessible to the outside world and dispose of public IP
> addresses ?

If you're doing m:m NAT, the NAT device translates the public IP address to a private one and sends the packet to the internal server. It also modifies the source address on outbound packets from that server. With n:1 NAT, you typically need to use 'port forwarding', which means that the NAT device will base its decision on which internal server to send an inbound packet to on the destination port in that packet. E.g. your NAT device could be set up to forward all packets bound to TCP port 25 on it to your internal mail server.
It needs to translate the addresses in inbound and outbound packets here as well.

> Are these IP addresses seen as is ?

The public addresses are seen, yes.

> ie with their own publicly
> affected IP addresses to the outside world when they get through the
> company firewall to communicate with another server on internet or is it the
> address of the firewall which is systematically substituted to these
> addresses and therefore the only visible address seen by the outside world ?

See the explanations above.

> 2. A router is itself a sort of firewall for IP filtering right ?.

A router is an IP level gateway. It can perform firewalling, theoretically, and many routers do. However, your sentence should be the other way around: a firewall is a gateway, more precisely it's a gateway that filters traffic passing through it. As Sandy already noted.

> But
> a PC connected to a router where a software operates some sort of
> application filtering is also a firewall right ?

Yes, if traffic passes through it.

> When I read articles on
> firewall, there aren't mention about what kind of firewall is used. Do I
> sound confused ?

Yes, and you're not alone. In fact, the term 'firewall' can mean practically anything nowadays. You have to check the details in the articles and read between the lines to find out what the firewalls they talk about can actually do.

> 3. An ACL on a cisco router allows traffic based on IP source,
> destination, port, protocol addresses as well as traffic direction.

Actually, this depends on the type of access list. What you say is true for extended ACLs.

> What
> does it mean to say that traffic is allowed to circulate only from address
> source A to destination address B ? If A sends traffic to B, and B replies
> to A, traffic is necessarily a two way issue isn't it ? If the ACL says : only
> A--> B, then A will never ever get replies from B since only
> unidirectional flow is permitted. Do I sound silly with this question ?
No, you are absolutely right. And for e.g. TCP, the return traffic is inherently important. This is implied by most people when they state things like the above. Also, in stateful filters, you often only specify the direction in which traffic is initiated and the state engine takes care of the return traffic.

> 4. And so many other questions in this vein : Sendmail, DNS, .....which
> is really fascinating and captivating. But I hope that someone can
> enlighten me on the first three questions.

Check for info on the Web and get the O'Reilly books on the individual topics. At least concerning Sendmail and BIND, they're very good references, if not the standard literature.

HTH
Tobias

From dgillett at deepforest.org Fri Oct 26 04:09:47 2001
From: dgillett at deepforest.org (dgillett at deepforest.org)
Date: Fri, 26 Oct 2001 01:09:47 -0700
Subject: [vpn] help!!!
In-Reply-To:
Message-ID: <3BD8B7DB.29372.410D1842@localhost>

> Why must there be two IP addresses for a firewall ? For a router
> also ?

A router is a computer that -- besides any other functions it might have -- is configured to accept and forward packets for which it is not the final destination. There's nothing to say that a computer with a single interface cannot do this. However, since in that case every packet *could* have been sent directly to its next destination without being handled by the router, this case is considered somewhat wasteful and not really useful.

In the more common case, a router will have interfaces on at least two networks, and its job will be to pass traffic from one network to the other (and, usually, back the other way as well). Since those interfaces are on different networks -- and since part of any routable address identifies the network on which the address resides! -- they must have different addresses.
A firewall is a gateway (routers that connect multiple networks are the most common, but not the only, kind of gateway) between two different trust/security domains. If those domains were on the same network/subnet, it would be possible for traffic to flow between the domains without being handled by the firewall. The firewall would not be acting as a security boundary in that case.

> 1. when I configure a router with network translation, what is
> actually " seen " by the outside world (internet) ? As the RFC
> private non routable addresses of the company are translated, is it
> just ONLY the firewall IP public address which is visible to the
> outside world ? What if internal servers are accessible to the
> outside world and dispose of public IP addresses ? Are these IP
> addresses seen as is ? ie with their own publicly affected IP
> addresses to the outside world when they get through the company
> firewall to communicate with another server on internet or is it
> the address of the firewall which is systematically substituted to
> these addresses and therefore the only visible address seen by the
> outside world ?

There are three typical scenarios (simplified):

1. PAT (Port Address Translation)

When an internal machine initiates a connection to the outside, the internal origin address and port number are translated to the router's external address and some "random" available port number. The router enters this translation in a table, so when a reply is received on that port number, it can be forwarded to the inside address and port number from which the connection originated. Obviously, this has issues for connectionless protocols, but creating a temporary mapping with a timeout seems to work reasonably well for UDP, for instance.

2.
Dynamic NAT

Similar, but the router has a pool of external addresses available, and this makes it easier to (a) preserve the originating port number, and/or (b) associate related return traffic with the correct client (e.g., the data channel connection in non-PASV FTP).

3. Static NAT

A given external address is paired with a given internal address. This is typically used for externally-visible servers (which, by the way, *ought* to be in a separate trust/security domain from other internal hosts, called a "DMZ").

To answer your question, such a server usually knows itself only by its internal IP address[*], and internal clients may refer to it by that address. OR they may refer to it by external address, in which case their traffic must visit the router to translate the origin to an external address -- and immediately again, to translate the destination to an internal address.

[*] Some components may need to know the external address, to deal with things like SSL certificates or protocols that embed address information in the payload and not just in the headers. I did say this description was simplified....

> 2. A router is itself a sort of firewall for IP filtering right
> ?. But a PC connected to a router where a software operates some
> sort of application filtering is also a firewall right ? When I
> read articles on firewall, there aren't mention about what kind of
> firewall is used. Do I sound confused ?

ONE kind of firewall is pretty much a router with packet filtering. BUT:

(a) A router is a traffic-transport device, and tends to default to "forward all traffic". A firewall is a *security* device, and should default to "forward NO traffic". Also, modern packet-filter firewalls do "stateful inspection", checking that inbound traffic is part of properly initiated sessions; consumer-grade router packet filters may just check the port number against a static list.

(b) The best generic definition of firewall is "a component that enforces a security policy".
This can be done in several different ways (packet filtering, application proxying), in hardware or in software, on an endpoint host or on some intermediate gateway. I agree that it is unfortunate that network filter software for PCs has been christened by the makers "software firewalls", and even more unfortunate that many users shorten this to "firewalls".

> 3. An ACL on a cisco router allows traffic based on IP source,
> destination, port, protocol addresses as well as traffic
> direction. What does it mean to say that traffic is allowed to
> circulate only from address source A to destination address B ? If
> A sends traffic to B, and B replies to A, traffic is necessarily a
> two way issue isn't it ? If the ACL says : only A--> B, then A will
> never ever get replies from B since only unidirectional flow is
> permitted. Do I sound silly with this question ?

An ACL, once defined, is then applied separately to each direction (in or out) on each interface. So the application of the ACL in your example says something like "traffic A->B is allowed to come IN on THIS interface". Traffic B->A should never come IN on THIS interface -- if it passes this way at all, it should come in on some other interface, and *may* go OUT on this one. So there should probably be a corresponding B->A rule, but because it applies somewhere else, it will have to be in a different ACL to be useful.

David Gillett

On 25 Oct 2001, at 10:51, TAN, Raymond wrote:

> Hello,
>
> I'm acquainted with firewalls, routers, networking, Network address
> translation, PAT, etc....but really only from an academic point of view from
> readings here and there. I've no practical experience at all in setting up
> and managing a network be it LAN or WAN. My real problem is therefore "
> seeing " how real equipment is placed. How they are physically connected.
> Why must there be two IP addresses for a firewall ? For a router also ?
> etc..etc....Most configurations I see in reviews give a schematic
> representation but don't deal with such basic practical questions and it
> doesn't really help me at all.
>
> Also questions which often crop up like :
> 1. when I configure a router with network translation, what is actually
> " seen " by the outside world (internet) ? As the RFC private non routable
> addresses of the company are translated, is it just ONLY the firewall IP
> public address which is visible to the outside world ? What if internal
> servers are accessible to the outside world and dispose of public IP
> addresses ? Are these IP addresses seen as is ? ie with their own publicly
> affected IP addresses to the outside world when they get through the company
> firewall to communicate with another server on internet or is it the address
> of the firewall which is systematically substituted to these addresses and
> therefore the only visible address seen by the outside world ?
> 2. A router is itself a sort of firewall for IP filtering right ?. But
> a PC connected to a router where a software operates some sort of
> application filtering is also a firewall right ? When I read articles on
> firewall, there aren't mention about what kind of firewall is used. Do I
> sound confused ?
> 3. An ACL on a cisco router allows traffic based on IP source,
> destination, port, protocol addresses as well as traffic direction. What
> does it mean to say that traffic is allowed to circulate only from address
> source A to destination address B ? If A sends traffic to B, and B replies to
> A, traffic is necessarily a two way issue isn't it ? If the ACL says : only
> A--> B, then A will never ever get replies from B since only unidirectional
> flow is permitted. Do I sound silly with this question ?
> 4. And so many other questions in this vein : Sendmail, DNS, .....which
> is really fascinating and captivating. But I hope that someone can enlighten
> me on the first three questions.
>
> Sorry about asking these basic questions which probably shouldn't
> figure here. But I'm really at a loss as to where I can find clear practical
> answers to my questions because surfing on the net hasn't really helped me
> find the right (non academic) answers. I find a number of sites but maybe I
> didn't open or check up the right ones. I don't know about lists or
> newsgroups where I can subscribe so as to get the " feel " of the whole
> thing.
>
> If anyone has got a tutorial, a short practical guide about all
> that's necessary to put up a LAN, WAN, VPN, etc...or knows about a site with
> good clear concrete examples and explanations, please can you send me
> the url links ?
>
> I need to know as I'm new on this job and have no way of going
> through a course to help me understand the network issue from a very
> pragmatic point of view.
>
> Thanks a lot in advance for any help given.
>
> RT

From stephen.hope at energis.com Fri Oct 26 04:09:54 2001
From: stephen.hope at energis.com (Stephen Hope)
Date: Fri, 26 Oct 2001 09:09:54 +0100
Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
Message-ID: <73BE32DA9E55D511ACF30050BAEA0487458F11@email.datarange.co.uk>

Alberto,

I work as a designer / consultant for a UK reseller of both Cisco and Nokia - so I have some bias for this type of project.

1 point - the Nokia running Checkpoint does support OSPF. Your friend may be able to extend his VPN to the new site, then interconnect at the 2 hub points and exchange OSPF routes with the Cisco system. If nothing else this should reduce capital cost and project complexity, although I think your "all Cisco" design could be cheaper in year on year support charges.
However, the critical bit with a hybrid system is what happens under fault conditions - the Checkpoint topology you describe probably doesn't react effectively to system faults - your description implies there isn't any resilience at the moment, whereas a dual centred star type topology can survive a hub site failure. If you can make the Nokia system reroute around a fault (the major fault to worry about is failure of a hub site), then the existing VPN will interwork OK - if you can't resolve that issue then replacement may be the only option.

Standing back from this I have 2 comments:

1. If voice transport is an issue, then the requirement MUST be written down in the project scope for this migration - your friend should be giving input to that process. Hopefully, if it isn't, there is some broad comment somewhere about "maintain existing services and performance".

2. This is a classic example of a project which needs to be modelled on a bench before anyone tinkers with the real network - you are not going to get clear unambiguous known solutions to this unless you "kick the tires" before you start.

It is possible that the proposal for Cisco replacement is there to give either a worst case cost model, or a system design which reduces skills, support costs and so on - if you don't know what is important in setting the project up, and make sure existing requirements are taken into account, then this migration is going to be difficult.

Finally, check to see if existing uses have been taken into account - Nokia is often used as a remote access gateway, and a change to Cisco may involve reworking every RAS client to go from Checkpoint VPN client to Cisco......

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk, Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK.
M31 4ZU
Tel: +44 (0)161 776 4194
Mob: +44 (0)7767 256 180
Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
> Sent: 25 October 2001 16:55
> To: 'Chris Arnold'; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com ';
> vpn at securityfocus.com
> Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover
>
>
> What I want to do is for my friend's remote VPN sites (10) to fail over to
> his secondary VPN HUB.
> Here is his scenario.
>
> He just got acquired by another company.
> His current company relies on a full blown IPsec VPN mesh with a backup
> ISDN.
> He is running Voice over IP through his IPsec 3DES VPN.
>
> This new company relies on a LARGE Frame network that runs OSPF on Ciscos.
> They now want to implement a VPN running OSPF because they use OSPF.
> They installed a frame link from his location (New York) to their
> headquarters (Detroit).
> Now they want to implement a secondary location (Houston) which has an
> internet connection and a frame connection back into the headquarters
> (Detroit).
> They want this secondary location (Houston) to be a backup in case his
> location (New York) fails for his remote sites.
>
> Someone within this new company mentioned that his current Nokia/Check Point
> solution won't work with the failover design because IPsec can't handle
> multicast/broadcast traffic (e.g. OSPF).
> They need to run OSPF for a failover design.
>
> Their solution is to REMOVE all of his Nokia/Check Point and implement a
> Cisco router based VPN design.
> Cisco 1750s for remote sites and a 7140 for each hub.
> Each router, both remote site and hub, will have Cisco's firewall/IDS
> package and encryption module.
> The Cisco VPN tunnels are going to be using GRE encapsulation for the
> OSPF.
> In case of a failover to the secondary HUB, OSPF will update the Frame
> network regarding the failover.
> IPsec 3DES for the data encryption.
> This new design is not going to be a MESH but a Hub and Spoke. > > His problem with this HUB and SPOKE design is this. > > 1). He is afraid because this design relies on a 1 tier > security design. > The Cisco's routers will be handling the VPN, Routing Protocols, > Firewall, and IDS on each router. > His current design is 2 tier level. > Cisco for the Internet router and Nokia/Check Point for > VPN/Firewall > > 2). He thinks his Voice over IP will fail between remote > sites because the > MESH will be gone. > > 3). The performance an the Cisco. Would they be able to > handle the load? > Since they will be doing everything. (VPN, Routing, and IDS) > > Has anyone implemented this solution? > > > > AC > > > > -----Original Message----- > From: Chris Arnold [mailto:chris.arnold at WheelHouse.com] > Sent: Wednesday, October 24, 2001 10:12 PM > To: 'Cardona, Alberto '; > 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com ' > Subject: RE: [FW-1] VPN with OSPF > > > That depends on what you mean by "running site to site IPsec > VPNs and using > OSPF." Do you mean tunneling OSPF through an IPSec tunnel > for some reason > or using OSPF to route traffic to available VPN endpoints before going > through a tunnel or on your edge routers once your VPN > traffic has been > encapsulated? > > Chris > > -----Original Message----- > From: Cardona, Alberto > To: FW-1-MAILINGLIST at beethoven.us.checkpoint.com > Sent: 10/24/01 4:16 PM > Subject: [FW-1] VPN with OSPF > > Is anyone running site to site IPsec VPNs and using OSPF? > If so did you have to implement GRE? 
> > > Thanks > > > AC > > =============================================== > To unsubscribe from this mailing list, > please see the instructions at > http://www.checkpoint.com/services/mailing.html > =============================================== > > VPN is sponsored by SecurityFocus.com > VPN is sponsored by SecurityFocus.com From alberto.cardona at cnacm.com Fri Oct 26 13:12:37 2001 From: alberto.cardona at cnacm.com (Cardona, Alberto) Date: Fri, 26 Oct 2001 13:12:37 -0400 Subject: [vpn] RE: [FW-1] VPN with OSPF for Failover Message-ID: <2722EAE39027D5118EF00002A52C1270D1328B@AMWNJX1> As for security involving protecting the VPN appliance. Is safe to assume the Firewall capabilities of the Cisco Router add-on Firewall package (CBAC) is equivalent to Check Point FW-1? We are now comparing Firewall to Firewall. If they are comparable. Then I should be able to replace my Check Point firewall with a Cisco Router using its firewall add-on package. One more thing involving Multicast. Does the IP stack of a Nokia or Cisco support ip-multicast protected by IPSec? I read a document regarding this proposal. It was called "An IPSec-based Host Architecture for Secure Internet Multicast" I guess it is similar to IAB SMuG. Regards, AC -----Original Message----- From: Stephen Hope [mailto:stephen.hope at energis.com] Sent: Friday, October 26, 2001 4:10 AM To: 'Cardona, Alberto'; 'Chris Arnold'; 'FW-1-MAILINGLIST at beethoven.us.checkpoint.com '; vpn at securityfocus.com Subject: RE: [vpn] RE: [FW-1] VPN with OSPF for Failover Alberto, i work as a designer / consultant for a UK reseller of both cisco and nokia - so i have some bias for this type of project. 1 point - the Nokia running checkpoint does support OSPF. your friend may be able to extend his VPN to the new site, then interconnect at the 2 hub point and exchange OSPF routes with the cisco system. 
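The hub-and-spoke failover design argued over in this thread (GRE tunnels from each spoke to two hubs, OSPF running inside the tunnels, 3DES IPsec wrapped around the GRE) as a constructed Cisco IOS spoke configuration; this is an added example, not configuration posted by anyone in the thread. All addresses, interface names, the pre-shared key placeholder, OSPF costs and timers are assumptions.

```cisco
! Added example (not from the thread): spoke router with two GRE-over-IPsec
! tunnels, one to the primary hub (New York) and one to the backup hub (Houston).
! OSPF runs inside the tunnels, so the spoke learns hub reachability dynamically
! and moves to the backup tunnel when the primary hub disappears.
! Addresses, interface names, key and area numbers are assumptions.
!
! --- IKE phase 1: 3DES/SHA with a pre-shared key per hub peer
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.1
crypto isakmp key REPLACE-WITH-STRONG-KEY address 203.0.113.2
! IKE keepalives (DPD) so a dead hub is noticed at the IPsec layer too
crypto isakmp keepalive 10
!
! --- IPsec phase 2: transport mode suffices, GRE already supplies the outer IP header
crypto ipsec transform-set GRE-3DES esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets between this spoke and each hub are encrypted.
! OSPF multicast (224.0.0.5/6) never meets the crypto map directly: it rides inside GRE,
! which is why plain IPsec "cannot carry OSPF" but GRE-over-IPsec can.
ip access-list extended GRE-TO-HUB1
 permit gre host 198.51.100.10 host 203.0.113.1
ip access-list extended GRE-TO-HUB2
 permit gre host 198.51.100.10 host 203.0.113.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-3DES
 match address GRE-TO-HUB1
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-3DES
 match address GRE-TO-HUB2
!
! --- GRE tunnels: point-to-point links, so OSPF needs no DR election over them.
! Lower cost on the primary hub tunnel; aggressive hello/dead timers bound failover time.
interface Tunnel0
 description GRE to primary hub (New York)
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip ospf cost 10
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source 198.51.100.10
 tunnel destination 203.0.113.1
!
interface Tunnel1
 description GRE to backup hub (Houston)
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip ospf cost 100
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source 198.51.100.10
 tunnel destination 203.0.113.2
!
! --- Internet-facing interface carries the crypto map; the LAN is the branch user subnet
interface FastEthernet0
 description Internet
 ip address 198.51.100.10 255.255.255.0
 crypto map VPN
!
interface FastEthernet1
 description Branch LAN
 ip address 10.10.1.1 255.255.255.0
!
! --- OSPF: advertise the tunnel links and the branch LAN (LAN is passive).
! The hubs' public addresses (203.0.113.0/24) must NOT be learned through OSPF over the
! tunnels, or the tunnel would route recursively through itself and flap; they stay
! reachable only through the Internet default route.
router ospf 1
 network 10.255.0.0 0.0.255.255 area 0
 network 10.10.1.0 0.0.0.255 area 0
 passive-interface FastEthernet1
!
! Failover: with the primary up, core prefixes arrive over Tunnel0 at cost 10. When that
! adjacency dies (dead-interval 15 s) the same prefixes remain known via Tunnel1 at cost
! 100, so traffic shifts to Houston with no static routes and no manual intervention.
```

Each hub needs the mirror-image ISAKMP key, crypto map entry and tunnel interface towards every spoke; giving every spoke a tunnel to both hubs is what makes this the dual-centred star that survives a hub site failure.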
From Burger-Petersaurach at t-online.de Fri Oct 26 18:11:30 2001
From: Burger-Petersaurach at t-online.de (Burger-Petersaurach at t-online.de)
Date: Sat, 27 Oct 2001 00:11:30 +0200 (CEST)
Subject: [vpn] L2TP
Message-ID:

Hi folks,

is there anywhere in the internet a guide on how to set up an L2TP tunnel? There seems to be a lot of information concerning IPsec, but not for L2TP.

I looked around for a free implementation for Linux or *BSD and the only one seems to be at http://www.marko.net/l2tp/

But the project seems to be inactive since 1998. Do you know something about it?

Thx in advance,
chris

From ragent at gnuchina.org Sat Oct 27 21:30:00 2001
From: ragent at gnuchina.org (Liu Wen)
Date: Sun, 28 Oct 2001 09:30:00 +0800
Subject: [vpn] allocate a physical universal IP to vpn client?
Message-ID: <20011028092658.C9EA.RAGENT@gnuchina.org>

Now I connect to my VPN server through a PPTP tunnel and remote NAT, but some applications just cannot work with NAT, such as MSN Messenger. My VPN server has many unallocated IPs in its network; can I directly get an IP and not route through the VPN server as a gateway?

Thank you.

Cheers
Liu

From Patrick.Bryan at abbott.com Mon Oct 29 13:53:09 2001
From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com)
Date: Mon, 29 Oct 2001 12:53:09 -0600
Subject: [vpn] Cisco 300x NAT?
Message-ID:

Anyone know if the Cisco 3000 Series VPN boxes are able to do 1-1 NAT over a LAN-to-LAN tunnel?
From d.kindred at telesciences.com Mon Oct 29 20:39:12 2001
From: d.kindred at telesciences.com (David L Kindred (Dave))
Date: Mon, 29 Oct 2001 20:39:12 -0500
Subject: [vpn] Anyone familiar with the Intel/HP 3110 VPN Gateway?
Message-ID: <15326.1216.171866.484204@gargle.gargle.HOWL>

I'm looking for anyone familiar with the following product:

  Intel NetStructure 3110 VPN Gateway
  HP VPN Server Appliance sa3110

I'm particularly interested in someone who understands the firewall rules mechanism in these boxes. After reading all of the available documents from Intel and HP I feel like they forgot to write one entire manual.

--
David L. Kindred
Unix Systems & Network Administrator
Telesciences, Inc.
2000 Midlantic Drive, Suite 410, Mount Laurel, NJ 08054 USA
Phone: +1 856 642 4184  Fax: +1 856 866 0185

From lists at paladinss.com Tue Oct 30 11:20:09 2001
From: lists at paladinss.com (Lists)
Date: Tue, 30 Oct 2001 08:20:09 -0800
Subject: [vpn] SecuRemote(VPN) and Outlook
Message-ID: <283EBF9762C2FB4DA386E0BA9E46B2B801D36A@paladin-mail.Paladinss.com>

I have a client that is having timing out problems with Outlook (configured for Exchange, not POP3) inside a SecuRemote tunnel.

They are using LMHosts files for name resolution.

If they click update on the SecuRemote software, the connection (Outlook to Exchange) will work fine for 30-90 minutes and then hang. We have to kill Outlook and restart it.

This happens regardless of client (Win95/98/Win2000).

Any thoughts?

TIA,

Ben

From bkeepper at Paladinss.com Tue Oct 30 12:17:48 2001
From: bkeepper at Paladinss.com (Ben Keepper)
Date: Tue, 30 Oct 2001 09:17:48 -0800
Subject: [vpn] SecuRemote(VPN) and Outlook
Message-ID: <283EBF9762C2FB4DA386E0BA9E46B2B801D36D@paladin-mail.Paladinss.com>

I have a client that is having timing out problems with Outlook (configured for Exchange, not POP3) inside a SecuRemote tunnel.

They are using LMHosts files for name resolution.

If they click update on the SecuRemote software, the connection (Outlook to Exchange) will work fine for 30-90 minutes and then hang. We have to kill Outlook and restart it.

This happens regardless of client (Win95/98/Win2000).

Any thoughts?

TIA,

Ben

From JohnC at hcarr.com Tue Oct 30 12:35:27 2001
From: JohnC at hcarr.com (John Clark)
Date: Tue, 30 Oct 2001 12:35:27 -0500
Subject: [vpn] L2TP VPN Tunnel between a speedstream 5651 and Microsoft 2000 Server
Message-ID: <4153089FC906D511B08A00A0CCDA3E04051462@hcarrexch.hcarr.com>

I am setting up a VPN tunnel between a SpeedStream 5851 and Microsoft 2000 Server. Has anyone done it before? The help and configuration files really do not give much assistance with the setup for the SpeedStream side. Any thoughts or ideas would be great.

TIA
John

From jrdepriest at ftb.com Tue Oct 30 12:32:59 2001
From: jrdepriest at ftb.com (DePriest, Jason R.)
Date: Tue, 30 Oct 2001 11:32:59 -0600
Subject: [vpn] SecuRemote(VPN) and Outlook
Message-ID:

We had a problem that was similar to that one; but Outlook would hang after only 3 or 4 minutes.
We fixed this issue by modifying the MTU on the client system to something around 1450 instead of letting the system auto-discover.

-Jason

From tbird at precision-guesswork.com Tue Oct 30 10:39:29 2001
From: tbird at precision-guesswork.com (Tina Bird)
Date: Tue, 30 Oct 2001 09:39:29 -0600 (CST)
Subject: [vpn] SecuRemote(VPN) and Outlook
In-Reply-To:
Message-ID:

There's information on how to configure the MTU on Windows systems on the how-to page at http://kubarb.phsx.ukans.edu/~tbird/vpn.html

On Tue, 30 Oct 2001, DePriest, Jason R. wrote:

> We had a problem that was similar to that one; but Outlook would hang after
> only 3 or 4 minutes.
> We fixed this issue by modifying the MTU on the client system to something
> around 1450 instead of letting the system auto-discover.

"I was being patient, but it took too long."
  - Anya, "Buffy the Vampire Slayer"

LogAnalysis: http://kubarb.phsx.ukans.edu/~tbird/log-analysis.html
VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

From kent at dalliesin.com Tue Oct 30 14:16:27 2001
From: kent at dalliesin.com (Kent Dallas)
Date: Tue, 30 Oct 2001 14:16:27 -0500
Subject: [vpn] L2TP
In-Reply-To:
Message-ID: <001301c16177$60c99270$0200a8c0@DALLASDELL2K>

Chris,

The only "guides how to setup an L2TP tunnel" would be vendor-specific (that I am aware of). In the "wild", L2TP normally takes one of three forms:

* L2TP/IPSec, such as the M$ solution in Win2K and XP (and other vendors interoperating with the native M$ client)
* Compulsory L2TP, such as offered by Network Service Providers (these implementations are transparent from an end user's perspective, and shouldn't require "how-to" guides, except for the providers themselves)
* Voluntary L2TP, which requires a LAC client and LNS (how-to's should be found with the vendor of the client and/or server)

Other, more generic, information on L2TP can be found at:

Of course, you can look at the RFCs and I-Ds as well. And I am not familiar with the marko.net initiative.

I hope something in there is helpful.

Good luck,
Kent Dallas

From mariusb at xor-t.com Tue Oct 30 15:44:30 2001
From: mariusb at xor-t.com (Marius Banica)
Date: Tue, 30 Oct 2001 22:44:30 +0200
Subject: [vpn] RE: SecuRemote(VPN) and Outlook
Message-ID: <051355B043694F40A5841A418563E9243266E1@X1XCH1.xor-t.com>

What media of connection are u using? I am using DSL at the same conf and it works fine.
Client XP
Server Exchange 2k
Windows 2k pro.

From neale at lowendale.com.au Tue Oct 30 19:52:46 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Wed, 31 Oct 2001 11:52:46 +1100 (EST)
Subject: [vpn] L2TP
In-Reply-To:
Message-ID:

On Sat, 27 Oct 2001 Burger-Petersaurach at t-online.de wrote:

> is there anywhere in the internet a guide how to setup an L2TP tunnel?
> There seem to be a lot of information concerning IPsec, but not for
> L2TP.

There's always the RFCs (e.g. RFC2661) and the Internet-Drafts (e.g. draft-ietf-l2tpext-security-08.txt, draft-ietf-l2tpext-l2tp-base-01.txt, draft-ietf-l2tpext-l2tp-ppp-00.txt etc) - and of course any references therein. But, yes, they are sometimes more theoretical than practical.

> I looked around for a free implementation for Linux or *BSD and the only
> one seems to be at http://www.marko.net/l2tp/
>
> But the project seems to be inactive since 1998. Do you know something
> about it?

Yes: due to inactivity that codebase was forked. There's now some activity at http://sourceforge.net/projects/l2tpd

HTH,
Neale.

From neale at lowendale.com.au Tue Oct 30 21:35:10 2001
From: neale at lowendale.com.au (Neale Banks)
Date: Wed, 31 Oct 2001 13:35:10 +1100 (EST)
Subject: [vpn] Thoughts on VPN
In-Reply-To: <000601c15dd9$29a218e0$c806010a@thierry>
Message-ID:

On Thu, 25 Oct 2001, Thierry Blanchard wrote:

> After reading some articles, I want to make sure that what I think is right.
>
> #1: VPN is based on different protocols.
> #2: Using a layer 2 protocol, the main protocols are either PPTP (comes from MS) or L2TP.
> #3: Because of security holes in PPTP, L2TP is better.
> #4: Using a layer 3 protocol, the main protocol is IPSec.
>
> Knowing that we can't compare L2TP and IPSec (because they reside on different layers), how much more secure is IPSec?

See http://www.ietf.org/internet-drafts/draft-ietf-l2tpext-security-08.txt - it has some interesting discussion on these issues in section 2.

Seeing as:

* it says that PPP authentication (which is what PPTP uses) isn't up to the task
* L2TP is the successor to PPTP (and L2F)
* Microsoft is strongly represented in the authors (2 of 5)

it may be possible to infer some admission of shortcomings of MSCHAP(-V2) and/or MPPE (both used by MS for PPP). OTOH, there's no specific finger-pointing at these particular implementations.

Interestingly, AFAIK Win2k defaults to requiring L2TP/IPSec (registry tweak needed to get around this). IOW if that's a significant cause of interoperability issues.

Regards,
Neale.
From support at allasso.com Wed Oct 31 03:30:46 2001
From: support at allasso.com (Allasso Support)
Date: Wed, 31 Oct 2001 08:30:46 -0000
Subject: [vpn] RE: SecuRemote(VPN) and Outlook
Message-ID: <1156FD036CD3D411B2EC0090279914610132EDB4@the-exchclst.ai.pri>

Ben,

The best thing here is to check with your Checkpoint support provider on this one and also make sure you are running the latest SR client and FW SP. If you are in Europe and don't have a support contract give me a shout. I support Checkpoint and a load of other Security products too.

We use SR on a variety of platforms and with a variety of applications and have not had any problems.

If you restart Outlook after 25 minutes does it then fail shortly afterwards or does it "restart the clock"...? IE is it Outlook timing out or is it an OS or SR issue.

Is the ISP forcing an IP address change...?

Does this happen with all your clients or just a small collection of PCs...?

Have you tried a different ISP (or just put it outside the FW)...?

Just a few little ideas...

Kind Regards,

Jon Paine. CCSA CCSE.
Principal Engineer.
Allasso European Support Centre.
SMTP - mailto:support at allasso.com
WEB - http://support.allasso.com
Tel. 0870 366 8533 (+44 118 971 1533)
Fax. 0870 366 8544 (+44 118 971 1544)