From seth.robinson at Maine.EDU Fri Mar 1 13:59:14 2002
From: seth.robinson at Maine.EDU (Seth Robinson)
Date: Fri, 1 Mar 2002 13:59:14 -0500
Subject: [vpn] XP vpn with a SonicWALL
Message-ID:

Hey all,

I have a SonicWALL SOHO2, and am trying to set up a VPN connection with an XP machine. I have tried going through the online documentation that SonicWALL provides (setting up the security proposal through secpol.msc, rather than installing the VPN client, which will not work with XP), but even if I do everything exactly the same, it still doesn't work. When I ping, it gets as far as saying "negotiating IPSEC" but when I check the log, it says "IPSEC proposal not acceptable".

I don't have a lot of experience with VPNs, but I'm sure that if someone pointed me in the right direction, I could probably figure it out. I called SonicWALL, and they basically said that they wouldn't support me, because they didn't know the programs I had on my PC, and they don't support software... :(

Anyway, I'm basically wondering if anyone else has tried this. I think that most SonicWALL firmware is the same, so anyone with any experience with even a PRO-VX or anything would probably be a big help.

Thanks ALL,
Seth M. Robinson

VPN is sponsored by SecurityFocus.com

From mb at lautechnologies.com Fri Mar 1 20:01:34 2002
From: mb at lautechnologies.com (Matt Ballou)
Date: 01 Mar 2002 20:01:34 -0500
Subject: [vpn] Shiva/Intel Firewall and NAT
Message-ID: <1015030904.2541.9.camel@mballou>

Hello all,

I have a question about a Shiva (by Intel) VPN Gateway Plus. I have it set up in NAT mode, so 12.XXX.XXX.XXX as outside E0 and 10.10.1.0 255.255.255.0 on E1 inside interface. The ShivaIce firmware rev is 6.7.

The problem: we have a need to connect several users on the NAT side (10.10.1.0) through the firewall to remote sites using Cisco VPN IPsec clients. Apparently this is not supported in the 6.7 firmware, although the 6.92 patch, which requires an Intel contract to obtain, might work.
When inquiring about the patch to a local vendor, he let it slip that a workaround might be a one-to-one NAT of an internal IP to a routable external IP. Has anyone tried this, and if so could you explain?

FYI: using Intel NetStructure as VPN manager.

Thanks,
Matt Ballou

From kevin.phillips at barco.com Fri Mar 1 08:06:27 2002
From: kevin.phillips at barco.com (Phillips, Kevin)
Date: Fri, 1 Mar 2002 08:06:27 -0500
Subject: [vpn] Exchange over VPN - capacity expectations ?
Message-ID: <614780D1A9E7D21195970060976A10C14F37E7@ludmex01.barco.com>

There is talk of running our Exchange over the VPN. We will be using a PIX 506 with 3DES over a T1 starred out to 3 other offices. We have about 35 users in this office that will be using the internet as well as BAAN over the VPN. HQ want to remove our Exchange machine and put our mailboxes at another site.

Has anyone else done this and how was the performance?

Kevin Phillips
IT Systems Technician
Barco Graphics
40 Westover Road
Ludlow, MA 01056
kevin.phillips at barco.com

From rtwatson at qwest.net Sat Mar 2 09:57:24 2002
From: rtwatson at qwest.net (Travis Watson)
Date: Sat, 2 Mar 2002 07:57:24 -0700
Subject: [vpn] Exchange over VPN - capacity expectations ?
In-Reply-To: <614780D1A9E7D21195970060976A10C14F37E7@ludmex01.barco.com>
Message-ID:

I've never done a setup like that, but I would be somewhat leery of it. Lookout is notoriously slow over IPSec--particularly when every packet is T-DES encrypted. Plus, you will have to make available ports wide open unless you set the high UDP ports within the registry of the Exchange server (never done it, but heard it's possible). It could "work," but I would think the performance would be pretty bad.

Regards,
Travis

From asanka_lk at yahoo.co.uk Sat Mar 2 10:50:06 2002
From: asanka_lk at yahoo.co.uk (Asanka Perera)
Date: Sat, 2 Mar 2002 15:50:06 +0000 (GMT)
Subject: [vpn] Vpn Configuration
Message-ID: <20020302155006.17413.qmail@web14105.mail.yahoo.com>

Dear Sir,

At the customer's head office we have installed a 1720 router which is connecting to our ISP router 7200 via leased line. At the moment the leased line is working fine. But they want to activate VPN also, to link to the head office from a dialup connection. What configuration do we have to do to make this work? And also we have Cisco VPN client v1.1.

1720 f0=213.166.138.33 s0=213.166.139.2
7200 s0=213.166.138.1

Please send me an answer and it will be appreciated.

Thanks
Asanka
From crenner at dynalivery.com Sat Mar 2 13:19:03 2002
From: crenner at dynalivery.com (Chuck Renner)
Date: Sat, 2 Mar 2002 12:19:03 -0600
Subject: [vpn] Exchange over VPN - capacity expectations ?
References: <614780D1A9E7D21195970060976A10C14F37E7@ludmex01.barco.com>
Message-ID: <004301c1c216$bd359900$a1356520@internal.dynalivery.com>

> Has anyone else done this and how was the performance ?

Well, it would be best to put the Exchange server where most of your users are at. If performance is too much of a pig for the remote users, you could consider setting up additional Exchange servers at the remote offices. You'll have to cough up extra money to MS, but probably cheaper than increasing bandwidth between offices.

I recommend you get the O'Reilly book Managing Microsoft Exchange Server, which covers planning for remote sites, multiple servers, etc. My copy is at work, so I can't tell you how well it addresses remote offices talking to a remote server, but if you're running an Exchange box, you should have this book anyway.

http://www.oreilly.com/catalog/managexsvr/

From john.haines at erwine.com Sun Mar 3 05:20:17 2002
From: john.haines at erwine.com (John Haines)
Date: Sun, 3 Mar 2002 10:20:17 -0000
Subject: [vpn] Exchange over VPN - capacity expectations ?
In-Reply-To: <004301c1c216$bd359900$a1356520@internal.dynalivery.com>
Message-ID:

I would agree that you should place your Exchange server where you expect most of your users to be.

You could try some clever things to reduce the amount of traffic coming down your encrypted path by using LMHOSTS for servers that are most frequently used, and hence reduce some of your WINS and other naming traffic requests.

Here is an article on the registry hacks to make Exchange and clients communicate over more restrictive ports. This will limit it to 135 TCP and two other TCP ports of your choice. We used this for OWA access as the OWA server behaves exactly like a MAPI client; just be careful on what ports you use. I picked two unused reserved ports for AppleTalk in the <1023 range as we were never going to use AppleTalk on this machine.

http://support.microsoft.com/support/kb/articles/Q259/2/40.ASP
http://support.microsoft.com/support/kb/articles/Q155/8/31.ASP

Rgds,
John Haines

From Paul.Fletcher at newcastle.ac.uk Sun Mar 3 18:14:39 2002
From: Paul.Fletcher at newcastle.ac.uk (Paul Fletcher)
Date: Sun, 3 Mar 2002 23:14:39 -0000
Subject: [vpn] Win XP ICS and VPN: give up, so how do I choose a router?
Message-ID:

Thanks for replies. To summarise, I have a Windows XP box with two network cards, one plugged into a cable modem and the outside world, the other going to a hub and other machines. VPN works great when ICS is off, and vice versa. If I connect through VPN and then enable ICS, the VPN connection gets dropped. It is the underlying connection, not the VPN one, which I am trying to share. I have switched off the XP firewall. I cannot connect from the ICS host machine, ie the one with two network cards, or any of its clients.

I have tried the advanced settings on the shared connection. This allows me to specify:

Name or IP address of the computer hosting this service on your network
External port number for this service
Internal port number for this service
TCP or UDP.

I have tried various things here, and I am wondering whether the thing I can't let through is protocol 47?

Microsoft do say it should be possible, but not how ...

I am ready to give up and take the advice of buying a router - I have seen several: Linksys, Netgear, SMC and others.

So can anyone advise on what I should look for in a router - presumably greater control over configuration than WinXP allows.

Thanks again
Paul

From friedberg at exs.esb.com Sun Mar 3 23:48:09 2002
From: friedberg at exs.esb.com (Carl Friedberg)
Date: Sun, 03 Mar 2002 23:48:09 -0500
Subject: [vpn] Win XP ICS and VPN: give up, so how do I choose a router?
Message-ID: <01KEXXKBTMDE8WVZUG@mail2.fwd.com>

When you said "I have switched off the XP firewall" you have the reason for buying the router/firewall box. I recommend the SMC Barricade (around $90 or less); be sure you go to www.smc.com and update the firmware before you do anything else. If you have an always-on connection, like DSL or cable, you need a real firewall; even the SMC box has its limitations. But it is better than mucking with MS/XP and trying to make it work.

Good luck.

Carl

From bbender at vocollect.com Mon Mar 4 10:34:10 2002
From: bbender at vocollect.com (Brian Bender)
Date: Mon, 04 Mar 2002 10:34:10 -0500
Subject: [vpn] Win XP ICS and VPN: give up, so how do I choose a router?
References:
Message-ID: <3C8393F2.6030107@vocollect.com>

Sorry, missed the original thread, but a possible suggestion (apologies if redundant): the default for MS VPN connections is to _not_ "split-tunnel" (gosh, a reasonable default network setting from Redmond?!), which makes the VPN connection the default route. This might be why your ICS-ing of the underlying connection is tanking on you; the routing tables are getting changed on you? To verify, dig into the advanced settings of your VPN settings and uncheck the box that says something like "use as default gateway/route" or something like that.

HTH,
- Brian

From MLittle at bhsi.com Tue Mar 5 13:55:16 2002
From: MLittle at bhsi.com (Little, Mike (BHS))
Date: Tue, 5 Mar 2002 13:55:16 -0500
Subject: [vpn] Performance question.
Message-ID: <02Mar5.155235est.119232@pcbhi266.bhsi.com>

All,

Thanks to all for your replies to previous questions of mine and, Tina, thanks for providing this service.

I'm asking a general question this time. We've had a VPN in place for over 3 years and it is very solid; however, I've always fought performance issues. I support the network for a healthcare organization and we have remote transcriptionists who work primarily via a VPN connection from home through ISP dial-up accounts. As a backup we maintain an old RAS server hooked to 28K v.34 modems, which we'd like to eliminate altogether some day.

Without getting into a lot of detail, I've had users on the 28K RAS say that they perform much better than through our tunnel after connecting at 49-53K through the ISP. I know that encryption is a huge factor, and I've experimented with different levels but have gone back to using 3DES. We are using Nortel's CES2000 with their IPSec client and our problems are primarily with the dial-ups. Our cable and DSL users are happy.

My ping testing results in most times of 200-250ms, but they'll fluctuate quite a bit, jumping upwards of 700-800 or above for a few packets.

I know it would be impossible to be able to recommend a specific fix, but if anyone would have any thoughts on options to investigate, it would be much appreciated.
Thanks,

Mike Little
Network Services
Baptist Healthcare System

From rmalayter at bai.org Tue Mar 5 16:42:08 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Tue, 5 Mar 2002 15:42:08 -0600
Subject: [vpn] Performance question.
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F807@mail.bai.org>

Encrypted traffic isn't compressible. Your RAS users are seeing unencrypted 28.8 Kbps plus compression, giving them something more than 56 Kbps, with the lowest latency possible via modem. (Even if you have encryption turned on on the dial-up, Microsoft RAS does its own compression before encryption.) Your ISP users, though, are passing incompressible data at speeds <53 Kbps. With the VPN overhead, they're probably seeing 40 kbps tops, plus experiencing the high latency and traffic irregularities of the internet to boot. Plus high-speed modems often 'train down' to ~33 kbps when they experience line noise.

If your traffic is normally highly compressible (mostly text), there's probably an even bigger performance disparity between the two than I illustrated above.

For this reason (and ease of deployment), we used to use Microsoft's PPTP for VPN, and now we use L2TP over IPsec. Both of these protocols compress data before encryption. Strict IPsec (which your Nortel probably uses) does no compression.

Another solution would be to get dial-in accounts from the same ISP that provides your corporate internet connection, so the whole VPN would be on their backbone. We've had this solution in the past, and it was quite workable.

HTH,
-ryan-

From michael.johnson at peregrine.com Tue Mar 5 13:20:35 2002
From: michael.johnson at peregrine.com (Michael Johnson)
Date: Tue, 5 Mar 2002 10:20:35 -0800
Subject: [vpn] Alternative Ports
Message-ID: <7A07623A9E00784F958A5D04CE3C9A7501A382CA@pltcaexc1.remedy.com>

Is there a way to use alternative ports besides the 47 & 1723? We are trying to VPN to an outside server from within a corporate firewall.

Any thoughts or advice?

Sincerely,

Mike Johnson

From scure at redbulltech.com Tue Mar 5 19:24:24 2002
From: scure at redbulltech.com (Samuel Cure)
Date: Tue, 5 Mar 2002 16:24:24 -0800
Subject: [vpn] Performance question.
In-Reply-To: <02Mar5.155235est.119232@pcbhi266.bhsi.com>
Message-ID: <002001c1c4a5$457ecb70$e601a8c0@sinus>

Mike,

I made these recommendations once before and hopefully one will help. Of course, a decision factor here is based on whether or not you require IPsec VPN solutions.

A software-based non-IPSec solution: InfoExpress (http://www.infoexpress.com/products/vpn/index.html) has a software solution that sits on a dedicated Windows or Unix server and supports Win flavors, Linux, Solaris, and sometimes Macintosh clients.

Hardware IPSec solution: I also recommend the Nokia CryptoCluster series for site to site, client to site, and site to 3rd party unmanaged site for its bandwidth performance, policy management, and pricing. The downfall here is they are only offering 5 years support because of the Nokia/CheckPoint agreement to roll all VPN into IPSO.

Hope this helps.

-Sam

From ryan at securityfocus.com Tue Mar 5 20:03:25 2002
From: ryan at securityfocus.com (Ryan Russell)
Date: Tue, 5 Mar 2002 18:03:25 -0700 (MST)
Subject: [vpn] Alternative Ports
In-Reply-To: <7A07623A9E00784F958A5D04CE3C9A7501A382CA@pltcaexc1.remedy.com>
Message-ID:

I believe that 47 isn't a port number, but an IP protocol type. If you're trying to open that as a port number, then that is why it isn't working.

Ryan

On Tue, 5 Mar 2002, Michael Johnson wrote:

> Is there a way to use alternative ports besides the 47 & 1723? We are
> trying to VPN to an outside server from within a corporate firewall.

From kent at dalliesin.com Tue Mar 5 16:28:42 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Tue, 5 Mar 2002 16:28:42 -0500
Subject: [vpn] Performance question.
In-Reply-To: <02Mar5.155235est.119232@pcbhi266.bhsi.com>
Message-ID: <000401c1c48c$b9c84560$0800a8c0@DALLASDELL2K>

Mike,

Is the dial-up ISP the same ISP that provides the Internet connection used by the VPN concentrator? Getting passed between ISPs can provide significant and sporadic performance issues, in addition to the ones you specifically mentioned.

MTU/packet fragmentation can also play havoc with VPN performance when bandwidth is already constrained.

Just a couple of random thoughts for you to ponder...

Kent Dallas

From Travis.Watson at Honeywell.com Tue Mar 5 20:28:49 2002
From: Travis.Watson at Honeywell.com (Watson, Travis)
Date: Tue, 5 Mar 2002 18:28:49 -0700
Subject: [vpn] vpn planning
Message-ID:

I'm not absolutely positive, but I would bet a lot of money that these routers will only pass T-DES traffic--the VPN termination would still be with a host behind them (say, a FreeS/WAN box). If you find out differently, however, please let me know because it would be very interesting for SOHO users.

--Travis

-----Original Message-----
From: mcse4dave at yahoo.com [mailto:mcse4dave at yahoo.com]
Sent: Wednesday, February 27, 2002 9:12 AM
To: vpn at securityfocus.com
Subject: Re: [vpn] vpn planning

Hi All,

I was wondering if anybody knows if there are any security issues using this new VPN Router from Linksys (http://www.linksys.com/Products/product.asp?grid=23&prid=411). They claim it can support up to 70 tunnels at once. Could they be used instead of more difficult/expensive dedicated servers and such? Has anyone tried these? Seems to me a proper link could be built for about $300.00 (2x$150 each) and it seems very easy to configure.

Thanks,
David Hennessey

----- Original Message -----
From: "Travis Watson"
To: "Steve Hunt"
Cc:
Sent: Tuesday, February 26, 2002 10:26 PM
Subject: RE: [vpn] vpn planning

I'm not sure what you are running on the other side, but if you are running FreeS/WAN on both sides (or at least two IPSec capable devices), no client software is necessary. The VPN device will make the distant end look and function like a logical extension of the existing LAN and vice-versa.

Two notes:

--FreeS/WAN can only do one subnet per secure connection. So if you need to get to 5.5.0.0/16 and 6.6.0.0/16, it will require two different tunnels. Not a big deal, but just so you know.

--IPX is bad juju with IPSec. If there is any Novell involved, try to eliminate it or upgrade to 5.1.

After the tunnel is up, just have the internal routers point remote end IPs back to the inside IP of the VPN device, and you should be set.

Regards,
Travis

-----Original Message-----
From: Steve Hunt [mailto:stephen_hunt at sunguru.com]
Sent: Tuesday, February 26, 2002 3:47 PM
To: vpn at securityfocus.com
Subject: [vpn] vpn planning

Hi,

I'm planning to install a VPN so that two of our locations can share the same database, and access each other's local network shares. I had planned to use FreeS/WAN with a Linux firewall like ipchains for this, setting up a NAT with firewalling rules, then setting up the VPN on that machine. After doing some reading, I see that there's probably more to it. For example, do I need some kind of Windows VPN client for the Windows workstations? Is there any way to make the VPN transparent to the user, such that any traffic to the remote LAN is automatically routed through the VPN? What are some general recommendations, as in what software should I use, how to integrate firewalling into a VPN solution, sample hardware and software setups?

Thanks for any info, pointers etc y'all can provide!

Steve

From nyjklein at panix.com Wed Mar 6 06:43:31 2002
From: nyjklein at panix.com (Jeff Klein)
Date: Wed, 06 Mar 2002 06:43:31 -0500
Subject: [vpn] Re: Performance question.
In-Reply-To: <22FD1855C2B16C40A1F6DE406420021E0187F807@mail.bai.org>
Message-ID:

Hello Ryan

On 05-Mar-02, you wrote:

> Encrypted traffic isn't compressible. Your RAS users are seeing...

True.

> data before encryption. Strict Ipsec (which your Nortel probably uses)
> does no compression.

Not necessarily true. Some IPsec implementations (such as Alcatel's) implement the IPcomp RFC. This compresses the cleartext before passing it to be encrypted.
In fact, some of the IPsec hardware gateways include a hardware compression assist engine. Jeff Klein VPN is sponsored by SecurityFocus.com From cgripp at axcelerant.com Wed Mar 6 00:59:51 2002 From: cgripp at axcelerant.com (Christopher Gripp) Date: Tue, 5 Mar 2002 21:59:51 -0800 Subject: [vpn] vpn planning Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4B72@guam.corp.axcelerant.com> These boxes are in fact VPN capable. Supporting 3DES, IKE, etc. etc. Haven't tested them yet though. So this isn't a recommendation. -----Original Message----- From: Watson, Travis [mailto:Travis.Watson at Honeywell.com] Sent: Tuesday, March 05, 2002 5:29 PM To: 'mcse4dave at yahoo.com'; vpn at securityfocus.com Subject: RE: [vpn] vpn planning I'm not absolutely positive, but I would bet a lot of money that these routers will only pass T-DES traffic--the VPN termination would still be with a host behind them (say, a FreeS/WAN box). If you find out differently, however, please let me know because it would be very interesting for SOHO users. --Travis -----Original Message----- From: mcse4dave at yahoo.com [mailto:mcse4dave at yahoo.com] Sent: Wednesday, February 27, 2002 9:12 AM To: vpn at securityfocus.com Subject: Re: [vpn] vpn planning Hi All, I was wondering if anybody knows if there is any security issues using this new VPN Router from Linksys ( http://www.linksys.com/Products/product.asp?grid=23&prid=411 ) They claim it can support up to 70 tunnels at once. Could they be used instead of more difficult/expensive dedicated servers and such? Has anyone tried these? Seems to me a proper link could be built for about $300.00 ( 2x$150 each ) and it seems very easy to configure. 
Thanks, David Hennessey ----- Original Message ----- From: "Travis Watson" To: "Steve Hunt" Cc: Sent: Tuesday, February 26, 2002 10:26 PM Subject: RE: [vpn] vpn planning I'm not sure what you are running on the other side, but if you are running FreeS/Wan on both sides (or at least two IPSec capable devices), no client software is necessary. The VPN device will make the distant end look and function like a logical extension of the existing LAN and vice-versa. Two notes: --FreeS/Wan can only do one subnet per secure connection. So if you need to get to 5.5.0.0/16 and 6.6.0.0/16, it will require two different tunnels. Not a big deal, but just so you know. --IPX is bad juju with IPSec. If there is any Novel involved, try to eliminate it or upgrade to 5.1 After the tunnel is up, just have the internal routers point remote end IPs back to the inside IP of the VPN device, and you should be set. Regards, Travis -----Original Message----- From: Steve Hunt [mailto:stephen_hunt at sunguru.com] Sent: Tuesday, February 26, 2002 3:47 PM To: vpn at securityfocus.com Subject: [vpn] vpn planning Hi, I'm planning to install a vpn so that two of our locations can share the same database,and access each other's local network shares. I had planned to use free s/wan with a linux firewall like ipchains for this, setting up a NAT with firewalling rules,then setting up the vpn on that machine. After doing some reading, I see that there's probably more to it. For example,do I need some kind of Windows vpn client for the windows workstations? Is there anyway to make the vpn transparent to the user,such that any traffic to the remote LAN is automatically routed through the vpn? What are some general recommendations,as in what software should I use, how to integrate firewalling into a vpn solution, sample hardware and software setups? Thanks for any info, pointers etc yall can provide! 
Steve

VPN is sponsored by SecurityFocus.com

From tbird at precision-guesswork.com Wed Mar 6 07:23:26 2002 From: tbird at precision-guesswork.com (Tina Bird) Date: Wed, 6 Mar 2002 06:23:26 -0600 (CST) Subject: [vpn] Freeware Windows IPsec Message-ID: Anyone out there have leads on a freeware Windows IPsec client -- >not< Win2k -- that's available for use outside the US or Canada? PGPNet is limited to US distribution. Thanks for any info -- tbird "I was being patient, but it took too long." - Anya, "Buffy the Vampire Slayer" Log Analysis: http://www.counterpane.com/log-analysis.html VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html

VPN is sponsored by SecurityFocus.com

From syu at ecmwf.int Wed Mar 6 12:33:25 2002 From: syu at ecmwf.int (Ahmed Benallegue) Date: Wed, 06 Mar 2002 17:33:25 +0000 Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router References: <4.3.2.7.2.20020206162557.0498a7b8@pop1.yahoo.com> Message-ID: <3C8652E5.75168D21@ecmwf.int> Hi, I am deploying IPSec using a Cisco 7140 router. In order to perform tests, I'd like to use an old Cisco 7500 router (IOS 11.0(9), Flash: 8MB, Proc mem: 32MB) that is not IPSec capable. How can I upgrade the IOS version (and which one should I use) with the minimum cost to have an IPSec software capable router? My aim is to test basic IPSec features as well as X509 standard (as I am a CA). Thanks.
-- +-------------------+--------------------------------+ | Ahmed Benallegue | Network Analyst | | ECMWF | e-mail: a.benallegue at ecmwf.int | +-------------------+--------------------------------+ VPN is sponsored by SecurityFocus.com From bugtraq at seifried.org Wed Mar 6 14:53:23 2002 From: bugtraq at seifried.org (Kurt Seifried) Date: Wed, 6 Mar 2002 12:53:23 -0700 Subject: [vpn] Freeware Windows IPsec References: Message-ID: <004801c1c548$9ee7e7c0$6400020a@seifried.org> Uhhh. since when is pgpnet limited to US distribution (kind of funny, I know a lot of non US people that have purchased it and deployed it)? http://seifried.org/security/cryptography/crypto-book/chapter-14.html www.pgpi.org includes the ipsec client. Kurt Seifried, kurt at seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ http://www.idefense.com/digest.html ----- Original Message ----- From: "Tina Bird" To: Sent: Wednesday, March 06, 2002 5:23 AM Subject: [vpn] Freeware Windows IPsec > Anyone out there have leads on a freeware > Windows IPsec client -- >not< Win2k -- > that's available for use outside the US or > Canada? PGPNet is limited to US distribution. > > Thanks for any info -- tbird > > "I was being patient, but it took too long." - > Anya, "Buffy the Vampire Slayer" > > Log Analysis: http://www.counterpane.com/log-analysis.html > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html > > > VPN is sponsored by SecurityFocus.com > VPN is sponsored by SecurityFocus.com From rmalayter at bai.org Wed Mar 6 13:45:48 2002 From: rmalayter at bai.org (Ryan Malayter) Date: Wed, 6 Mar 2002 12:45:48 -0600 Subject: [vpn] Re: Performance question. Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F816@mail.bai.org> From: Jeff Klein [mailto:nyjklein at panix.com] > > data before encryption. Strict Ipsec (which your Nortel > probably uses) does no compression. > > > Not necessarily true. Some IPsec implementations (such as > Alcatel's) implement the IPcomp RFC. 
This compresses the > cleartext before passing it to be encrypted. In fact, some of > the IPsec hardware gateways include a hardware compression > assist engine. Well, I did say 'strict Ipsec' ;-), which wouldn't seem to include Ipcomp. I'll check out that RFC - IPcomp sounds like a godsend for some of my sites. I'm pretty sure none of the gear I've got supports it yet, though. VPN is sponsored by SecurityFocus.com From jneedle at redhat.com Wed Mar 6 15:19:32 2002 From: jneedle at redhat.com (Jeff Needle) Date: Wed, 6 Mar 2002 15:19:32 -0500 (EST) Subject: [vpn] Performance question. In-Reply-To: <22FD1855C2B16C40A1F6DE406420021E0187F807@mail.bai.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As far as I recall, the Contivity client has done compression before encryption for years. I'm sure the performance degradation is simply due to the added latency of going over the internet rather than directly through a RAS connection. I'd recommend monitoring a few of the more problematic (and less problematic) connections for a while. Take frequent traceroutes (a tool like mtr on Linux is great for this) and see if you can identify the problem spots. You'll probably see some common congestion points and can consider switching those users to a different ISP who has better peering with the ISP who provides your Contivity connectivity, as Ryan states. They may even cut you a break on the dial-ups if you're already paying them a bundle. j. On Tue, 5 Mar 2002, Ryan Malayter wrote: > Encrypted traffic isn't compressible. Your RAS users are seeing unencrypted > 28.8 Kbps plus compression, giving them something more than 56 Kbps, with > the lowest latency possible via modem. (Even if you have encryption turned > on the dial-up, Microsoft RAS does it's own compression before encryption.) > > Your ISP users, though, are passing incompressible data at speeds <53 Kbps. 
> With the VPN overhead, they're probably seeing 40 kbps tops, plus > experiencing the high latency and traffic irregularities of the internet to > boot. Plus high-speed modems often 'train down' to ~33 kbps when they > experience line noise. > > If your traffic is normally highly compressible (mostly text), there's > probably an even bigger performance disparity between then two than I > illustrated above. > > For this reason (and ease of deployment), we used to use Microsoft's PPTP > for VPN, and now we use L2TP over Ipsec. Both of these protocols compress > data before encryption. Strict Ipsec (which your Nortel probably uses) does > no compression. > > Another solution would be to get dial-in accounts from the same ISP that > provides your corporate internet connection, so the whole VPN would be on > their backbone. We've had this solution in the past, and it was quite > workable. > > HTH, > -ryan- > > > > -----Original Message----- > > From: Little, Mike (BHS) [mailto:MLittle at bhsi.com] > > Sent: Tuesday, March 05, 2002 12:55 PM > > To: 'vpn at securityfocus.com' > > Subject: [vpn] Performance question. > > > > > > All, > > > > Thanks to all for your replies to previous questions of mine > > and, Tina, thanks for providing this service. > > > > I'm asking a general question this time. We've had a VPN in > > place for over 3 years and it is very solid, however I've > > always fought performance issues. I support the network for a > > healthcare organization and we have remote transcriptionists > > who work primarily via a vpn connection from home through ISP > > dial-up accounts. As a backup we maintain an old RAS server > > hooked to 28K v.34 modems, which we'd like to eliminate > > altogether some day. > > > > Without getting into a lot of detail, I've had users on the > > 28K RAS say that they perform much better than through our > > tunnel after connecting at 49-53K through the ISP. 
I know > > that encryption is a huge factor, and I've experimented with > > different levels but have gone back to using 3DES. We are > > using Nortel's CES2000 with their IPSec client and our > > problems are primarily with the dial-ups. Our cable and dsl > > users are happy. > > > > My ping testing results in most times of 200-250ms but > > they'll fluctuate quite a bit, jumping upwards of 700-800 or > > above for a few packets. > > > > I know it would be impossible to be able to recommend a > > specific fix, but if anyone would have any thoughts on > > options to investigate, it would be much appreciated. > > > > Thanks, > > > > Mike Little > > Network Services > > Baptist Healthcare System > > VPN is sponsored by SecurityFocus.com > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8hnnYoi1dLGmcA0URArWEAJ9xpb3sLbVRsJdPY/d2fRNLP9kx7wCfcbeQ eCteQaSntwg5Z+Xs4ky1yq0= =uI21 -----END PGP SIGNATURE----- VPN is sponsored by SecurityFocus.com From tbird at precision-guesswork.com Wed Mar 6 16:07:34 2002 From: tbird at precision-guesswork.com (Tina Bird) Date: Wed, 6 Mar 2002 15:07:34 -0600 (CST) Subject: [vpn] Freeware Windows IPsec In-Reply-To: <009001c1c549$922ea720$6400020a@seifried.org> Message-ID: Kurt, thanks very much for bonking me on the head with this. You're right, there are no download restrictions on the code contained at http:///www.pgpi.org -- I don't know why there's a difference of opinion, but I'll point people here in the future. cheers -- t. On Wed, 6 Mar 2002, Kurt Seifried wrote: > you're talking pgp freeware, or pgp international? hint: international is > the one you want to look at. 
> > > Kurt Seifried, kurt at seifried.org > A15B BEE5 B391 B9AD B0EF > AEB0 AD63 0B4E AD56 E574 > http://seifried.org/security/ > http://www.idefense.com/digest.html > > ----- Original Message ----- > From: "Tina Bird" > To: "Kurt Seifried" > Sent: Wednesday, March 06, 2002 11:37 AM > Subject: Re: [vpn] Freeware Windows IPsec > > > > according to that MIT web page, the free for non-commercial > > use client is US and canada only. surprised me, too. > > i'll let you know if i figure anything else out. > > > > i would not be surprised at all if the commercial product > > has gone through the government black magic and is therefore > > okay to export... > > > > On Wed, 6 Mar 2002, Kurt Seifried wrote: > > > > > Uhhh. since when is pgpnet limited to US distribution (kind of funny, I > know > > > a lot of non US people that have purchased it and deployed it)? > > > > > > http://seifried.org/security/cryptography/crypto-book/chapter-14.html > > > > > > www.pgpi.org includes the ipsec client. > > > > > > Kurt Seifried, kurt at seifried.org > > > A15B BEE5 B391 B9AD B0EF > > > AEB0 AD63 0B4E AD56 E574 > > > http://seifried.org/security/ > > > http://www.idefense.com/digest.html > > > > > > ----- Original Message ----- > > > From: "Tina Bird" > > > To: > > > Sent: Wednesday, March 06, 2002 5:23 AM > > > Subject: [vpn] Freeware Windows IPsec > > > > > > > > > > Anyone out there have leads on a freeware > > > > Windows IPsec client -- >not< Win2k -- > > > > that's available for use outside the US or > > > > Canada? PGPNet is limited to US distribution. > > > > > > > > Thanks for any info -- tbird > > > > > > > > "I was being patient, but it took too long." 
- > > > > Anya, "Buffy the Vampire Slayer" > > > > > > > > Log Analysis: http://www.counterpane.com/log-analysis.html > > > > VPN: http://kubarb.phsx.ukans.edu/~tbird/vpn.html > > > > > > > > > > > > VPN is sponsored by SecurityFocus.com > > > > > > > > > > VPN is sponsored by SecurityFocus.com From evyncke at cisco.com Wed Mar 6 20:50:44 2002 From: evyncke at cisco.com (Eric Vyncke) Date: Thu, 07 Mar 2002 02:50:44 +0100 Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router In-Reply-To: <3C8652E5.75168D21@ecmwf.int> References: <4.3.2.7.2.20020206162557.0498a7b8@pop1.yahoo.com> Message-ID: <4.3.2.7.2.20020307025008.028f5b38@brussels.cisco.com> The 7500 router does not support IPSec. The reason is that the 7500 is a distributed architecture which is not really suitable to run IPSec. -eric At 17:33 6/03/2002 +0000, Ahmed Benallegue wrote: >Hi, > >I am deploying IPSec using a Cisco 7140 router. In order to perform >tests, I'd like to use an old Cisco 7500 router (IOS 11.0(9), Flash: >8MB, Proc mem: 32MB) that is not IPSec capable. How can I upgrade the >IOS version (and which one should I use) with the minimum cost to have >an IPSec software capable router? >My aim is to test basic IPSec features as well as X509 standard (as I am >a CA). > >Thanks. > >-- >+-------------------+--------------------------------+ >| Ahmed Benallegue | Network Analyst | >| ECMWF | e-mail: a.benallegue at ecmwf.int | >+-------------------+--------------------------------+ > >VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From eddie at ualp.com Thu Mar 7 10:15:33 2002 From: eddie at ualp.com (Eddie Harrison) Date: Thu, 7 Mar 2002 09:15:33 -0600 Subject: [vpn] VPN and Browsing at Same Time Message-ID: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Hi, I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. 
I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. Is this typical of VPNs and is there a way around it? Thanks in advance for any help.

From Patrick.Bryan at abbott.com Fri Mar 8 11:06:32 2002 From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com) Date: Fri, 8 Mar 2002 10:06:32 -0600 Subject: [vpn] Alternative Ports Message-ID: I am not sure if you can use something other than TCP1723 for PPTP, however, 47 is not a port, it is an IP protocol number. That you will have to use to implement PPTP.... ________________________________________ Patrick A. Bryan, CISSP Abbott Laboratories, Worldwide Network Services Dept 0070 Bldg. AP14B (p) (847) / 935 - 9226 (e) patrick.bryan at abbott.com ________________________________________ michael.johnson at peregrine.com To: vpn at securityfocus.com cc: 03/05/2002 07:01 PM Subject: [vpn] Alternative Ports Is there a way to use alternative ports besides the 47 & 1723? We are trying to VPN to an outside server from within a corporate firewall. Any thoughts or advice? Sincerely, Mike Johnson

VPN is sponsored by SecurityFocus.com

From Michael.Portz at a1-net.de Fri Mar 8 04:12:31 2002 From: Michael.Portz at a1-net.de (Michael Portz) Date: Fri, 08 Mar 2002 10:12:31 +0100 Subject: [vpn] VPN and Browsing at Same Time References: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: <3C88807F.7010304@a1-net.de> Hi Eddie!
What client are you using? Most clients let you choose whether to use your VPN Gateway as "Exclusive Gateway" or not. If you do so, ALL traffic to the Internet is sent via the VPN Gateway. Although this setting is of course more secure (no packets can slip out unencrypted) it poses the mentioned restrictions on your Internet use. There are two solutions: 1. You find the switch in your client's settings and turn it off. 2. You ask your LAN's sysop to accept your HTTP request on the VPN gateway, route it to your LAN's internet gateway and pass it into the Internet. Good luck, and remember: We all love to hear success stories! ;) Michael

Eddie Harrison wrote: > Hi, > > I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. > > I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. > > Is this typical of VPNs and is there a way around it? > > Thanks in advance for any help. > -- accom GmbH & Co.
KG Gruener Weg 100 52070 Aachen Tel: +49 241 918 5228 Fax: +49 241 918 5299 VPN is sponsored by SecurityFocus.com From mcse4dave at yahoo.com Fri Mar 8 11:49:39 2002 From: mcse4dave at yahoo.com (mcse4dave at yahoo.com) Date: Fri, 8 Mar 2002 08:49:39 -0800 Subject: [vpn] VPN and Browsing at Same Time References: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: <000a01c1c6c1$3f91ebc0$0201a8c0@WORKGROUP> Hi Sounds like your browser configuration is causing this. I know Outlook shares the connection method with Internet Exploder, but not certain if Lotus operates the same way....Or which browser you are using. Do you have a browser window open BEFORE you open your email program? Dave ----- Original Message ----- From: "Eddie Harrison" To: Sent: Thursday, March 07, 2002 7:15 AM Subject: [vpn] VPN and Browsing at Same Time Hi, I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. Is this typical of VPNs and is there a way around it? Thanks in advance for any help. 
VPN is sponsored by SecurityFocus.com

From Patrick.Bryan at abbott.com Fri Mar 8 11:04:05 2002 From: Patrick.Bryan at abbott.com (Patrick.Bryan at abbott.com) Date: Fri, 8 Mar 2002 10:04:05 -0600 Subject: [vpn] VPN and Browsing at Same Time Message-ID: Does your company use a proxy server? If so, you will need to point your browser to that when you are connected to your VPN.... ________________________________________ Patrick A. Bryan, CISSP Abbott Laboratories, Worldwide Network Services Dept 0070 Bldg. AP14B (p) (847) / 935 - 9226 (e) patrick.bryan at abbott.com ________________________________________ eddie at ualp.com To: vpn at securityfocus.com cc: 03/07/2002 08:54 PM Please respond to eddie Subject: [vpn] VPN and Browsing at Same Time Hi, I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. Is this typical of VPNs and is there a way around it? Thanks in advance for any help.
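Patrick Bryan's point in the Alternative Ports thread earlier on this page, that 47 is an IP protocol number and 1723 a TCP port, is the kind of thing a packet filter makes concrete. The following is an added example, not code from the list or from any product named here: it hand-builds one PPTP control packet (TCP/1723) and one PPTP data packet (IP protocol 47, GRE) and shows what a stateless filter can and cannot key on. The addresses (192.0.2.0/24 documentation range), sequence numbers and call ID are constructed, and the rule sets MISTAKEN_RULES and CORRECT_RULES are my own illustration of "open ports 47 and 1723" read literally versus read correctly.

```python
"""TCP port 1723 vs. IP protocol 47: what a firewall actually sees for PPTP.

Added example, not code from any product on this page. The two packets are
constructed by hand (documentation-range addresses, made-up sequence numbers
and call ID), not captured traffic.
"""
import ipaddress
import struct

TCP, GRE = 6, 47
PPTP_CONTROL_PORT = 1723
GRE_PPP = 0x880B                     # protocol type carried in PPTP's GRE header


def ipv4_header(proto, src, dst, payload_len):
    """Minimal IPv4 header; checksum left zero since nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def tcp_header(sport, dport):
    """20-byte TCP header with SYN set; only the ports matter for this example."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)


def pptp_gre_header(payload_len, call_id, seq):
    """RFC 2637 enhanced GRE: K and S bits set, version 1, PPP as payload type."""
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PPP, payload_len, call_id, seq)


# Constructed sample packets: the PPTP control connection and a PPTP data packet.
PPTP_CONTROL = ipv4_header(TCP, "192.0.2.10", "192.0.2.20", 20) + tcp_header(40000, PPTP_CONTROL_PORT)
PPTP_DATA = (ipv4_header(GRE, "192.0.2.10", "192.0.2.20", 12 + 4)
             + pptp_gre_header(4, 7, 1)
             + b"\xff\x03\x00\x21")   # PPP address/control + IP protocol id, 4 bytes of payload


def parse(packet):
    """Return the fields a stateless packet filter keys on."""
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:]
    info = {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}
    if proto == TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == GRE:
        _flags, ver, ptype = struct.unpack("!BBH", payload[:4])
        info["gre_version"] = ver & 0x07
        info["gre_ptype"] = ptype        # GRE carries no port numbers at all
    return info


def acl_permits(rules, packet):
    """rules: list of (ip protocol number, destination port, or None for 'no port')."""
    info = parse(packet)
    return any(proto == info["proto"] and (dport is None or info.get("dport") == dport)
               for proto, dport in rules)


# "Open ports 47 and 1723" taken literally: 47 treated as a TCP port.
MISTAKEN_RULES = [(TCP, PPTP_CONTROL_PORT), (TCP, 47)]
# What PPTP needs: TCP/1723 for the control channel plus IP protocol 47 for the data tunnel.
CORRECT_RULES = [(TCP, PPTP_CONTROL_PORT), (GRE, None)]

if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL), ("data", PPTP_DATA)):
        print(name, parse(pkt),
              "mistaken:", acl_permits(MISTAKEN_RULES, pkt),
              "correct:", acl_permits(CORRECT_RULES, pkt))
```

With the mistaken rule set the TCP/1723 control session comes up and the GRE data packets are silently dropped, which is the classic "PPTP authenticates but no data flows" symptom behind a firewall; the same absence of a port field is why a port-based NAT device cannot track GRE without a PPTP-aware helper.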
VPN is sponsored by SecurityFocus.com From kent at dalliesin.com Fri Mar 8 09:05:08 2002 From: kent at dalliesin.com (Kent Dallas) Date: Fri, 8 Mar 2002 09:05:08 -0500 Subject: [vpn] VPN and Browsing at Same Time In-Reply-To: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: <000001c1c6aa$42617df0$0800a8c0@DALLASDELL2K> Eddie, It is typical of VPN implementations, as to allow your remote PC access to the corporate Notes server and the Internet at the same time introduces security concerns for your company. Of course, they should also require that you have current and active anti-virus software loaded on your home PC, and a firewall as well. Having access to the Internet, or at least the web, is a typical requirement for many VPN implementations. This requirement is normally met through one of two methods. The simplest is to relax the concern stated above and allow something called "split tunneling", where your PC would provide both VPN and Internet access at the same time. Even though the capability would reside on your PC, most VPN systems are designed to allow the corporate concentrator to enforce whether it is possible or not (so no need to try this at home, without their cooperation). The second option would be to have all traffic pushed down the VPN tunnel to the enterprise, and the enterprise can either route or proxy your web traffic out their Internet connection. From an engineering/performance perspective, this is less than desirable. From a security perspective, this is a much preferred architecture. However, some companies are not particularly interested in offering ISP service to their employee's home computers via this access method. It is certainly possible that your company already offers an HTTP proxy on their network, and you may only need to configure your browser to use it. If you believe having this capability has an arguable benefit to the company, ask your network administrator about options. 
Kent Dallas -----Original Message----- From: Eddie Harrison [mailto:eddie at ualp.com] Sent: Thursday, March 07, 2002 10:16 AM To: vpn at securityfocus.com Subject: [vpn] VPN and Browsing at Same Time Hi, I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. Is this typical of VPNs and is there a way around it? Thanks in advance for any help. VPN is sponsored by SecurityFocus.com From jroy at axcelerant.com Fri Mar 8 21:50:14 2002 From: jroy at axcelerant.com (Jerry Roy) Date: Fri, 8 Mar 2002 18:50:14 -0800 Subject: [vpn] VPN tunnel cascading Message-ID: <4EBB5C35607E7F48B4AE162D956666EFC71EFA@guam.corp.axcelerant.com> In the case of Cisco, Yes you can Tunnel Cascade. There are 3 ways to accomplish this: 1) Use a Routing protocol inside of GRE inside of IPSec 2) Create additional "hops" on the head end and summarize the Network (spoke IP space MUST be contiguous) 3) Create an additional Sub-interface on the Head end for every spoke that has a publically routable IP address that can reach each spoke's public address (works with non-contiguous space) Why? So you can backup the configs thru the tunnel. So you can securely telnet thru the tunnel. so you can monitor all sites via SNMP thru the tunnel. 
my .02 Jerry Roy Axcelerant >-----Original Message----- >From: Travis Watson [mailto:rtwatson at qwest.net] >Sent: Friday, March 08, 2002 5:11 PM >To: Laux, Kurt >Cc: vpn at securityfocus.com >Subject: RE: [vpn] VPN tunnel cascading > > >What is the protocol? (And why would you want to do it?) > >--Travis > >-----Original Message----- >From: Laux, Kurt [mailto:Kurt.Laux at schweickert.de] >Sent: Friday, March 08, 2002 3:26 AM >To: 'vpn at securityfocus.com' >Subject: [vpn] VPN tunnel cascading > > >Hi, > >I would like to reach Node B over two VPN tunnels. Is that possible? > > Node A -----> Firewall ====(VPN)====> Firewall ====(VPN)====> Firewall >-----> Node B > >Regards > >Kurt Laux > > > > >VPN is sponsored by SecurityFocus.com > > VPN is sponsored by SecurityFocus.com From crenner at dynalivery.com Thu Mar 7 23:21:00 2002 From: crenner at dynalivery.com (Chuck Renner) Date: Thu, 7 Mar 2002 22:21:00 -0600 Subject: [vpn] VPN and Browsing at Same Time References: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: <001101c1c658$a8adaae0$43806620@r2d2> > > I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. > > Is this typical of VPNs and is there a way around it? There are two ways this can be done. 1) Your company enables "split-tunneling" on the VPN device. This allows traffic from your system to the VPN to be encrypted, but not traffic elsewhere. 
2) Your company creates routing rules, an internal proxy server, or other method to allow you to get to outside web sites. These will be determined by the capabilities of the VPN device they're using. Another thing that comes to mind, but that I haven't tested, is that some clients, like the Cisco client, allow access to a local LAN even while connected to a remote site with the VPN client. If you have a local network, it should be possible to set up a proxy server on it, and point your browser to it.

VPN is sponsored by SecurityFocus.com

From eyall at swbell.net Thu Mar 7 22:54:24 2002 From: eyall at swbell.net (Eyal Laks) Date: Thu, 07 Mar 2002 21:54:24 -0600 Subject: [vpn] VPN and Browsing at Same Time In-Reply-To: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: You cannot browse and be connected to your company at the same time. VPN connectivity just cuts your connection to your ISP's internet cloud.

-----Original Message----- From: Eddie Harrison [mailto:eddie at ualp.com] Sent: Thursday, March 07, 2002 9:16 AM To: vpn at securityfocus.com Subject: [vpn] VPN and Browsing at Same Time Hi, I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. Is this typical of VPNs and is there a way around it?
Thanks in advance for any help. VPN is sponsored by SecurityFocus.com From wisyki at yahoo.com Sat Mar 9 21:29:36 2002 From: wisyki at yahoo.com (David) Date: 10 Mar 2002 02:29:36 -0000 Subject: [vpn] Freeswan queries Message-ID: <20020310022936.18469.qmail@mail.securityfocus.com> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020310/fbded7aa/attachment.txt From jsdy at center.osis.gov Fri Mar 8 11:33:51 2002 From: jsdy at center.osis.gov (Joseph S D Yao) Date: Fri, 8 Mar 2002 11:33:51 -0500 Subject: [vpn] VPN and Browsing at Same Time In-Reply-To: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com>; from eddie@ualp.com on Thu, Mar 07, 2002 at 09:15:33AM -0600 References: <007a01c1c5ea$edabc140$1e00a8c0@ualp.com> Message-ID: <20020308113351.C20088@washington.center.osis.gov> On Thu, Mar 07, 2002 at 09:15:33AM -0600, Eddie Harrison wrote: > > Hi, > > I'm new to the VPN stuff and don't know exactly how it works with a typical. I have a problem that I hope someone can help me with or at least tell me if it's typical and that I'll have to live with it. > > I have a pc at home that connects via DSL. I have a software VPN that routes to my company's email server so that I can receive Lotus Notes email. With the current setup (my company set this up) I can not browse the web while I am connected to the VPN to receive email. I receive a "page not found" error as though there is no DNS available. I must disconnect the VPN and sometimes even have to reboot before I can go back to browsing. As you might imagine, this poses a huge problem in that any link that I receive in an email can't be used without a copy/paste into the browser once I have shut the VPN down. > > Is this typical of VPNs and is there a way around it? It should be typical of VPNs that they disconnect you from your local network. When I asked around a few years ago, it did not seem to be typical. 
;-( As people become more aware of the security implications, things are getting better. [Personal subjective opinion of better, with relation to this one topic only.] As for DNS, they should be providing you with an internal DNS server and route out, along with your new IP address. If they are not, that is a problem on their part. HOWEVER, people are too easy to blame things on DNS! Looking back, you say that the error was "page not found". This is NOT a DNS error! It means that there is a connectivity problem. This means that your company probably cares enough about you guys and your business to have gotten a GOOD firewall [proxy-based]. You need to find out from them what kind of setup is needed while you are on the VPN. Your Navigator browser can store multiple profiles, which you can call up as needed depending on how you are connected. [Wanders off mumbling about how folks think DNS dictionary lookups are some kind of magic, bumping into walls, missing doors, etc.] -- Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao OSIS Center Systems Support EMT-B ----------------------------------------------------------------------- This message is not an official statement of OSIS Center policies. VPN is sponsored by SecurityFocus.com From eddie at ualp.com Fri Mar 8 10:52:18 2002 From: eddie at ualp.com (Eddie Harrison) Date: Fri, 8 Mar 2002 09:52:18 -0600 Subject: [vpn] RE: VPN and Browsing At The Same Time Message-ID: <000301c1c6b9$3a35ac50$1e00a8c0@ualp.com> Thanks to all who replied, the problem is now fixed and I can browse the internet as well as use my VPN, simultaneously. It was a rather simple fix (if you happened to know what to do.) After a couple of suggestions, I unchecked the "use remote gateway" box in the VPN settings and WALLAH!! I now can do both at the same time. It seems that the VPN was using my company's gateway which happened to be blocked and once the box is unchecked, the ISP's gateway is used. Thanks for all of the help and suggestions. 
From: Laux, Kurt (Kurt.Laux at schweickert.de)
Date: Fri, 8 Mar 2002 11:26:29 +0100
Subject: [vpn] VPN tunnel cascading

Hi,

I would like to reach Node B over two VPN tunnels. Is that possible?

Node A -----> Firewall ====(VPN)====> Firewall ====(VPN)====> Firewall -----> Node B

Regards

Kurt Laux

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Laux, Kurt.vcf
Type: application/octet-stream
Size: 337 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20020308/3425fa2e/attachment.obj

From: Stephen Hope (Stephen.Hope at energis.com)
Date: Fri, 8 Mar 2002 09:38:16 -0000
Subject: [vpn] VPN and Browsing at Same Time
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8E67B@eisemail.energis.co.uk>

Eddie,

this is usually a choice when the VPN is set up - it can be turned off or on.

the capability is known as "split tunnelling" - i.e. whether your local Internet access is available or not when the VPN connection is active. Stopping you accessing Internet and VPN at the same time improves security for the corporate network.

However, it sounds like it isn't working properly anyway - if split tunnelling is forbidden, then normally the enterprise network should provide you with DNS etc and also Internet access (ie your traffic goes across the VPN to them, then out to the Internet there).

So you have either a deliberately crippled connection, or it is misconfigured - talk to the VPN admin people to find out what is supposed to happen, and then get the relevant bit fixed.

regards

Stephen

Stephen Hope C. Eng, Senior Network Consultant, stephen.hope at energis.com, Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)780 002 2626 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Eddie Harrison [mailto:eddie at ualp.com]
> Sent: Thursday, March 07, 2002 3:16 PM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN and Browsing at Same Time
>
> [...]
From: Watson, Travis (Travis.Watson at Honeywell.com)
Date: Fri, 8 Mar 2002 16:43:42 -0700
Subject: [vpn] VPN and Browsing at Same Time

Eddie,

It sounds like you are connected via an IPSec VPN and trying to use the VPN client and surf to cnn.com or yahoo at the same time. If not, please disregard. If so, the sysads probably have split-tunneling turned off for security reasons and there is no other way around it unless you configure your browser to surf out through your company gateway (with a proxy pac or whatever). I wouldn't expect them to bend on the split-tunneling issue. Allowing for split-tunneling is bad juju and rarely done (I should hope). The VPN device should point you to internally hosted DNS (if they have it), so don't worry about that.

You are probably better off configuring your browser to work on the internal LAN and then toggling on and off for business and home use. That, or use one browser for work and one for home use (IE for one and Netscape for the other, or something like that).

Regards,
Travis

-----Original Message-----
From: Eddie Harrison [mailto:eddie at ualp.com]
Sent: Thursday, March 07, 2002 8:16 AM
To: vpn at securityfocus.com
Subject: [vpn] VPN and Browsing at Same Time

[...]

From: Dave_Rypma at manulife.com
Date: Fri, 8 Mar 2002 08:26:13 -0500
Subject: [vpn] VPN and Browsing at Same Time

The problem you are experiencing has 2 likely origins.

First, the VPN connection with your office network is probably not allowing "split tunnelling" - a connection to both your normal Internet services and your office network at the same time. That's normal - you wouldn't want someone on the Internet using your machine as a path to your company's network. When split tunnelling isn't allowed, your PC can only see the company network when you're using the VPN. As a result, you can't use your normal path for the browser to access the Internet.

That leads to the second problem - a mismatch between your browser's configuration and your company's network configuration. Browsers can connect directly, or they can use a proxy server to connect to the internet. If your company allows you to access the Internet while connected to the VPN (using the company Internet connection, not yours), you probably have a configuration problem; ask your network administrator if you need to make any browser config changes to access the Internet from the company network. If so, you'll need to make those changes before you can connect to the office Internet connection. If not, check to see if your browser is pointing at a proxy server provided by your ISP (that was popular during the @Home era); again, you may need to make changes.

If your employer doesn't support Internet browsing from the VPN connection (you can also use this method if he does), then you should set up a local replica of your Notes mail database, connect to the VPN just long enough to replicate your mail, then disconnect. Then you can use your own Internet access to browse from mail URL links. That presumes your Notes connection document and hotspot settings are set up for resolving URL links from your mail database.

If much of this is meaningless, you should talk to a helpful network or Notes administrator at the office. Or talk to a colleague who's using the same configuration successfully.

---------------------------------------+------------------------------
Dave Rypma, CISSP/SSCP Sr Tech Advisor | "Everything should be as
Manulife Information Security Office   | simple as possible, but
Del'y Stn KC-10, PO Box 800 Stn C      | no simpler."
Kitchener, ON, N2G 4Y5                 |
(519) 747-7000 x38610, Fax: 747-6974   | -- Albert Einstein

To: "Eddie Harrison"
cc:
Subject: [vpn] VPN and Browsing at Same Time
2002-03-07 10:15
Please respond to eddie

[...]
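The split-tunnelling behaviour this thread describes, modelled as an added example (not code from any poster): the "use remote gateway" setting Eddie unchecked, the full-tunnel case where Internet traffic only works if the enterprise routes it back out, and the split-tunnel case where the PC sits on both networks at once. The routing table, the corporate prefix 10.0.0.0/8, the metrics and every address are constructed for illustration; the next-hop choice itself is ordinary longest-prefix matching with the metric as tie-break.

```python
import ipaddress

# Added illustration, not from the thread. Labels for the next hops of a home
# PC that has a DSL connection and a VPN adapter; all constructed.
ISP_GW = "isp-default-gateway"
TUNNEL = "vpn-tunnel"
LAN = "home-lan"

# Assumed corporate address space reachable through the VPN (constructed).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def lookup(routes, dst):
    """Next hop for dst: the longest matching prefix wins, a lower metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best_key, best_hop = None, None
    for prefix, hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_hop = key, hop
    return best_hop


def host_routes(use_remote_gateway):
    """Routing table of the home PC while the VPN is up.

    use_remote_gateway mirrors the client checkbox ("use default gateway on
    remote network"): when set, the client installs a second default route
    through the tunnel with a better metric, so everything not on the LAN
    goes to the corporate side (full tunnel). When clear, only the corporate
    prefix enters the tunnel and the ISP keeps the default route (split tunnel).
    """
    routes = [
        ("0.0.0.0/0", ISP_GW, 20),      # DSL default route
        ("192.168.1.0/24", LAN, 20),    # home LAN
        (str(CORP_NET), TUNNEL, 10),    # corporate prefix pushed by the VPN
    ]
    if use_remote_gateway:
        routes.append(("0.0.0.0/0", TUNNEL, 1))
    return routes


def deliver(next_hop, dst, corp_internet_egress):
    """Fate of a packet once the host has chosen its next hop.

    Traffic entering the tunnel is forwarded by the corporate gateway to
    internal hosts, or to the Internet only when the enterprise provides
    egress for VPN users; otherwise it is dropped there, which the user sees
    as "page not found" rather than as a DNS failure.
    """
    if next_hop == TUNNEL:
        if ipaddress.ip_address(dst) in CORP_NET:
            return "corporate network"
        return "corporate Internet egress" if corp_internet_egress else "dropped at corporate gateway"
    if next_hop == ISP_GW:
        return "ISP"
    return "home LAN"


def simulate(use_remote_gateway, corp_internet_egress, dsts):
    """Map each destination to where its packets end up under the given policy."""
    routes = host_routes(use_remote_gateway)
    return {d: deliver(lookup(routes, d), d, corp_internet_egress) for d in dsts}


def split_tunnelled(routes):
    """True when the host reaches the corporate network and the Internet at
    the same time over different paths, the exposure the thread warns about."""
    return lookup(routes, "10.0.0.1") == TUNNEL and lookup(routes, "198.51.100.7") == ISP_GW


if __name__ == "__main__":
    targets = ["10.1.2.3", "198.51.100.7"]   # internal host, public web server (constructed)
    print("full tunnel, no corporate egress:", simulate(True, False, targets))
    print("full tunnel, corporate egress:   ", simulate(True, True, targets))
    print("split tunnel:                    ", simulate(False, False, targets))
```

With the remote-gateway route present and no corporate egress, the public address is routed into the tunnel and dropped at the far end, which is the symptom Eddie reported; clearing the setting sends it to the ISP instead, at the cost that the PC is now attached to both networks at once, which is the trade-off Dave and Stephen describe.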
From: Christopher Gripp (cgripp at axcelerant.com)
Date: Fri, 8 Mar 2002 09:21:53 -0800
Subject: [vpn] VPN and Browsing at Same Time
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4B89@guam.corp.axcelerant.com>

This is typical of most software VPN deployments. There ARE ways around it. Two VERY GENERAL descriptions are:

1. Enable 'Split or Smart Tunneling' on the VPN concentrator. Not generally a good security practice but, if you have a linksys type NAT box in front of your PC @ home it's not really an issue.

2. Setup the corporate environment to properly route or proxy web requests from VPN users.

So the answer to your questions is 'YES'. It is typical and there are ways around it.

Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Eddie Harrison [mailto:eddie at ualp.com]
> Sent: Thursday, March 07, 2002 7:16 AM
> To: vpn at securityfocus.com
> Subject: [vpn] VPN and Browsing at Same Time
>
> [...]

From: Christopher Gripp (cgripp at axcelerant.com)
Date: Fri, 8 Mar 2002 16:57:15 -0800
Subject: [vpn] VPN tunnel cascading
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4B9D@guam.corp.axcelerant.com>

That ALL depends on the type of hardware/software and network design being used. I know for certain it works with Redcreek and Netscreen. I'm not sure about other vendors.

Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Laux, Kurt [mailto:Kurt.Laux at schweickert.de]
> Sent: Friday, March 08, 2002 2:26 AM
> To: 'vpn at securityfocus.com'
> Subject: [vpn] VPN tunnel cascading
>
> [...]

From: Joseph S D Yao (jsdy at center.osis.gov)
Date: Fri, 8 Mar 2002 20:02:44 -0500
Subject: [vpn] VPN tunnel cascading
In-Reply-To: ; from Kurt.Laux@schweickert.de on Fri, Mar 08, 2002 at 11:26:29AM +0100
Message-ID: <20020308200244.W20088@washington.center.osis.gov>

On Fri, Mar 08, 2002 at 11:26:29AM +0100, Laux, Kurt wrote:
> Hi,
>
> I would like to reach Node B over two VPN tunnels. Is that possible?
>
> Node A -----> Firewall ====(VPN)====> Firewall ====(VPN)====> Firewall -----> Node B
>
> Regards
>
> Kurt Laux

Theoretically, yes. We do it. Check your local security policies, though.

--
Joe Yao jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.

From: Travis Watson (rtwatson at qwest.net)
Date: Fri, 8 Mar 2002 18:11:07 -0700
Subject: [vpn] VPN tunnel cascading

What is the protocol? (And why would you want to do it?)

--Travis

-----Original Message-----
From: Laux, Kurt [mailto:Kurt.Laux at schweickert.de]
Sent: Friday, March 08, 2002 3:26 AM
To: 'vpn at securityfocus.com'
Subject: [vpn] VPN tunnel cascading

[...]

From: Jeremy (navyseal8 at hotmail.com)
Date: 9 Mar 2002 04:58:37 -0000
Subject: [vpn] Fingerprint biometric
Message-ID: <20020309045837.15133.qmail@mail.securityfocus.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20020309/df417c35/attachment.txt

From: Laux, Kurt (Kurt.Laux at schweickert.de)
Date: Mon, 11 Mar 2002 17:44:11 +0100
Subject: AW: [vpn] VPN tunnel cascading

Hi,

We use an IPsec 3DES VPN connection. Both tunnels are established (one from location A to the central location; one from location B to the central location).
Location A uses a Cisco 1720 VPN Bundle router.
Central location uses a Cisco PIX 515UR firewall.
Location B uses a Cisco PIX 506 firewall.

We would like to connect to a Node B (located in location B) from location A over VPN.

Net location A: 192.30.16.0/24
Net location B: 192.30.10.0/24
Net central location: 192.30.0.0/24

Regards
Kurt

> -----Original Message-----
> From: Travis Watson [mailto:rtwatson at qwest.net]
> Sent: Saturday, 9 March 2002 02:11
> To: Laux, Kurt
> Cc: vpn at securityfocus.com
> Subject: RE: [vpn] VPN tunnel cascading
>
> What is the protocol? (And why would you want to do it?)
>
> --Travis
>
> [...]

From: Somnuk Pulling (somnuk.pulling at aspentech.com)
Date: Mon, 11 Mar 2002 12:16:12 -0600
Subject: [vpn] Can a single server run multiple instances of the same version of VPN client?
Message-ID: <04F5C10E686CD51188F90008C7A4E9CC02653F8A@cadbury.aspentech.com>

I am using Nortel VPN client version 3.7 for a few different physical locations. I want to stay connected with location A to work on project A and at the same time launch another Nortel client, and connect to another location B and do my work for project B. Could I do that? If this product cannot do it, do you know any product that will do that? Could Cisco do this? If yes, how does it work?

Thanks,
Somnuk Pulling

From: Christopher Gripp (cgripp at axcelerant.com)
Date: Mon, 11 Mar 2002 13:26:11 -0800
Subject: [vpn] VPN tunnel cascading
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4BAA@guam.corp.axcelerant.com>

See Jerry Roy's response. He explained it pretty well for Cisco IOS.
Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Laux, Kurt [mailto:Kurt.Laux at schweickert.de]
> Sent: Monday, March 11, 2002 8:44 AM
> To: 'Travis Watson'
> Cc: 'vpn at securityfocus.com'
> Subject: AW: [vpn] VPN tunnel cascading
>
> [...]

From: Christopher Gripp (cgripp at axcelerant.com)
Date: Mon, 11 Mar 2002 16:45:02 -0800
Subject: [vpn] Can a single server run multiple instances of the same version of VPN client?
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4BAC@guam.corp.axcelerant.com>

The only ones that I can think of would be any client based on the IRE client (ex. Netscreen). It actually allows multiple SAs that use route based encryption. In other words, which SA is used depends on the destination route. It's also a real pain to set up compared to the other software VPN clients. Additionally, you are likely up the proverbial creek if both location B and location A have overlapping subnets.

Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Somnuk Pulling [mailto:somnuk.pulling at aspentech.com]
> Sent: Monday, March 11, 2002 10:16 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Can a single server run multiple instances of the same version of VPN client?
>
> [...]

From: Travis Watson (rtwatson at qwest.net)
Date: Tue, 12 Mar 2002 07:02:30 -0700
Subject: [vpn] VPN tunnel cascading
In-Reply-To: <4EBB5C35607E7F48B4AE162D956666EF7D4BAA@guam.corp.axcelerant.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I agree. Jerry Roy explained it pretty well. Just one note for the practical side of things, make sure that you (or whoever is doing this) has access to as many of the routers as possible.
Trying to have two or three (or more) admins/groups work on this would be a pain. It would be best if one person/group could just do it all.

Also, as an editorial, we had a setup similar to this and ended up simplifying it (bypassed one of the Ciscos). Though it did "work" originally, it was a huge hassle to have any configuration changes done because multiple groups were involved and it was hard to know what the other side was doing. It generated mistrust and a bad working relationship. So, if you have to do it like this, go ahead, but try to have exclusive control to avoid finger-pointing.

Regards,
Travis

- -----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Monday, March 11, 2002 2:26 PM
To: Laux, Kurt; Travis Watson
Cc: vpn at securityfocus.com
Subject: RE: [vpn] VPN tunnel cascading

See Jerry Roy's response. He explained it pretty well for Cisco IOS.

[...]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use

iQA/AwUBPI4Kb2i85ZG+FfBoEQIGEQCeNi6/dXu62sAYWlFUhbwQXUk+oWYAoJpz
O1CEOyu76EP7uSsLQ0pjh8Rz
=bEGx
-----END PGP SIGNATURE-----

From: Christopher Gripp (cgripp at axcelerant.com)
Date: Wed, 13 Mar 2002 10:13:21 -0800
Subject: [vpn] Broadcast through Cisco 3060 VPN
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4BC4@guam.corp.axcelerant.com>

Anyone know if there is a command to allow broadcasts through a Cisco/Altiga 3060 VPN Concentrator?

Christopher Gripp
Systems Engineer
Axcelerant
"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

From: Peter Walker (peter at grole.org)
Date: Wed, 13 Mar 2002 11:53:47 -0800
Subject: [vpn] Cisco 3000/Checkpoint FW-1 renegotiation
Message-ID: <4199829.1016020427@[10.17.9.17]>

Folks

We are having problems with a VPN connection we have to one of our remote sites between a Cisco VPN 3000 concentrator (local) and a checkpoint FW-1 (remote).
The problem is that whenever there is an outage at the remote (checkpoint end) the IPSEC tunnel will not renegotiate until we manually reset/disconnect the VPN session at the concentrator end. This is really causing a problem as the Cisco end is here in the US and the checkpoint end is in Europe. So whenever there is a problem at the European end, our European site is basically offline until they can call one of us here in the US (at home, in the middle of the night) and have us reset the tunnel.

Does anyone have any experience of this problem and how to fix it?

Peter

From: Dante Mercurio (dmercurio at ccgsecurity.com)
Date: Wed, 13 Mar 2002 16:41:15 -0500
Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router
Message-ID: <03EA8EE1BD1FAD46A6AB4525406795E1121FBE@ct2001.webcti.local>

Rom image: rsp-ik2sv-mz.12.0-3.T
Dram: 32
Flash: 16
Part Number: S75CK2-12.0.3T

This is the IOS I found with the least requirements for IPSec on the 7500 router, so you will at least have to upgrade your flash. There were about 100 listed for that router according to the IOS matrix. Try the hardware/software compatibility list at Cisco to make sure it has all the features you want:
http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl?Introduction=True

Good Luck,

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

> -----Original Message-----
> From: Ahmed Benallegue [mailto:syu at ecmwf.int]
> Sent: Wednesday, March 06, 2002 12:33 PM
> To: vpn at securityfocus.com
> Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router
>
> Hi,
>
> I am deploying IPSec using a Cisco 7140 router. In order to perform tests, I'd like to use an old Cisco 7500 router (IOS 11.0(9), Flash: 8MB, Proc mem: 32MB) that is not IPSec capable. How can I upgrade the IOS version (and which one should I use) with the minimum cost to have an IPSec software capable router? My aim is to test basic IPSec features as well as X509 standard (as I am a CA).
>
> Thanks.
>
> --
> +-------------------+--------------------------------+
> | Ahmed Benallegue  | Network Analyst                |
> | ECMWF             | e-mail: a.benallegue at ecmwf.int |
> +-------------------+--------------------------------+

From: Sean McCreanor (Sean.McCreanor at didata.com.au)
Date: Thu, 14 Mar 2002 10:43:09 +1100
Subject: [vpn] Cisco 3000/Checkpoint FW-1 renegotiation
References: <4199829.1016020427@[10.17.9.17]>
Message-ID: <3C8FE40D.1070503@didata.com.au>

Peter,

I have had this problem but in the exact reverse, i.e. when the tunnel is disrupted at the Cisco end, the Firewall-1 gateway will not accept new IPSec SA requests until the existing SAs in the firewall kernel expired (from memory this was a 4.1 firewall with SP 3).

I had to manually flush the tables from the firewall kernel before the tunnel would re-establish with these commands:

fw tab -t IKE_SA_table -x
fw tab -t ISAKMP_ESP_table -x
fw tab -t inbound_SPI -x

I am unsure if this issue has been fixed in a later 4.1 SP or in NG. It may not fix your problem, but I hope it may be of some insight.

Regards,
Sean.

Peter Walker wrote:
> Folks
>
> We are having problems with a VPN connection we have to one of our remote sites between a Cisco VPN 3000 concentrator (local) and a checkpoint FW-1 (remote).
> [...]

--
Sean McCreanor
Security Engineer
Dimension Data Australia
121-127 Harrington Street Sydney Australia 2000
Phone +61 2 8249 5086 Mobile +61 418 485 312

From: Ken Leon (ken at kenleon.com)
Date: Fri, 15 Mar 2002 08:53:28 -0700
Subject: [vpn] Kyberwin/Kyberpass
Message-ID: <3C9218F8.FA1B7692@kenleon.com>

I'm looking for some honest feedback on Kyberwin and/or Kyberpass. Anyone have experience with these products? We are about to go into a large DoD implementation using them for VPN over the DoD's new travel system, DTS? Better yet, has anyone worked on DTS (Defense Travel System)?
TIA- Ken VPN is sponsored by SecurityFocus.com From tbird at precision-guesswork.com Sat Mar 16 06:11:58 2002 From: tbird at precision-guesswork.com (Tina Bird) Date: Sat, 16 Mar 2002 05:11:58 -0600 (CST) Subject: [vpn] IPsec and NAT Message-ID: From fred at avolio.com Thu Mar 14 19:35:35 2002 From: fred at avolio.com (Frederick M Avolio) Date: Thu, 14 Mar 2002 19:35:35 -0500 Subject: No subject Message-ID: Recently TISC Insight, Volume 3, Issue 22, at http://www.tisc2001.com/insight.html#v322, covered the topic of "Pushing IPsec Through NAT" in a column by Lisa Phifer, of Core Competence. VPN is sponsored by SecurityFocus.com From john.haines at erwine.com Sat Mar 16 15:42:58 2002 From: john.haines at erwine.com (John Haines) Date: Sat, 16 Mar 2002 20:42:58 -0000 Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router In-Reply-To: <03EA8EE1BD1FAD46A6AB4525406795E1121FBE@ct2001.webcti.local> Message-ID: All this will give you in SSH functionality as you cannot process IPSec across VIP cards. If all you are looking at is testing you can get yourself a low end box which will suffice for a proof of concept. Rgds, John Haines -----Original Message----- From: Dante Mercurio [mailto:dmercurio at ccgsecurity.com] Sent: 13 March 2002 21:41 To: a.benallegue at ecmwf.int; vpn at securityfocus.com Subject: RE: [vpn] IPSec/VPN capable IOS for Cisco 7500 router Rom image: rsp-ik2sv-mz.12.0-3.T Dram: 32 Flash: 16 Part Number: S75CK2-12.0.3T This is the IOS I found with the least requirements for IPSec on the 7500 router, so you will at least have to upgrade your flash. There were about 100 listed for that router according to the IOS matrix. Try the hardware/software compatibility list at Cisco to make sure it has all the features you want: http://www.cisco.com/cgi-bin/Support/CompNav/Index.pl?Introduction=True Good Luck, M. 
Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com
dmercurio at ccgsecurity.com

> -----Original Message-----
> From: Ahmed Benallegue [mailto:syu at ecmwf.int]
> Sent: Wednesday, March 06, 2002 12:33 PM
> To: vpn at securityfocus.com
> Subject: [vpn] IPSec/VPN capable IOS for Cisco 7500 router
>
> Hi,
>
> I am deploying IPSec using a Cisco 7140 router. In order to perform
> tests, I'd like to use an old Cisco 7500 router (IOS 11.0(9), Flash: 8MB,
> Proc mem: 32MB) that is not IPSec capable. How can I upgrade the IOS
> version (and which one should I use) with the minimum cost to have an
> IPSec software capable router? My aim is to test basic IPSec features
> as well as the X509 standard (as I am a CA).
>
> Thanks.
>
> --
> +-------------------+--------------------------------+
> | Ahmed Benallegue  | Network Analyst                |
> | ECMWF             | e-mail: a.benallegue at ecmwf.int |
> +-------------------+--------------------------------+

From tbird at precision-guesswork.com Tue Mar 19 00:03:20 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Mon, 18 Mar 2002 23:03:20 -0600 (CST)
Subject: [vpn] new home for VPN Web site
Message-ID:

Hi all --

The VPN Web site has moved from its long-time home at the University of Kansas to the Shmoo Group server. Please update your bookmarks. I will leave the redirect on kubarb.phsx.ukans.edu in place for the foreseeable future.

cheers -- tbird

Don't get even -- get odd.
Swami Beyondananda

Life: http://www.shmoo.com/~tbird
Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://vpn.shmoo.com

From kent at dalliesin.com Tue Mar 19 11:30:03 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Tue, 19 Mar 2002 11:30:03 -0500
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
In-Reply-To: <20020319114427.12187.qmail@web12707.mail.yahoo.com>
Message-ID: <000201c1cf63$52e536f0$0800a8c0@DALLASDELL2K>

Yes. From http://www.cisco.com/warp/customer/cc/pd/hb/vp3000/prodlit/vpn3k_ov.htm:

"Full support of current and emerging security standards, including RADIUS, NT Domain Authentication, RSA SecurID, and digital certificates, allows for integration of external authentication systems and interoperability with third-party products"

And yes, they can be used together, with group authentication via certs instead of pre-shared secrets, and user authentication via external RADIUS.

Kent Dallas

-----Original Message-----
From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
Sent: Tuesday, March 19, 2002 6:44 AM
To: vpn at securityfocus.com
Subject: [vpn] Cisco VPN 3000 authentication mechanisms

Hi,

Can I use PKI certificates along with Radius authentication on a VPN 3000 box?

TIA,

Siddhartha Jain

From losttoy2000 at yahoo.co.uk Tue Mar 19 06:44:27 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Tue, 19 Mar 2002 11:44:27 +0000 (GMT)
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
Message-ID: <20020319114427.12187.qmail@web12707.mail.yahoo.com>

Hi,

Can I use PKI certificates along with Radius authentication on a VPN 3000 box?
TIA,

Siddhartha Jain

From kent at dalliesin.com Tue Mar 19 19:42:02 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Tue, 19 Mar 2002 19:42:02 -0500
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
In-Reply-To: <000201c1cf63$52e536f0$0800a8c0@DALLASDELL2K>
Message-ID: <000001c1cfa8$0dd87730$0800a8c0@DALLASDELL2K>

It just occurred to me that I sent a CCO link, when the same data was available to the public here:

http://www.cisco.com/warp/public/cc/pd/hb/vp3000/prodlit/vpn3k_ov.htm

Sorry for any inconvenience.

Kent Dallas
From losttoy2000 at yahoo.co.uk Wed Mar 20 02:54:01 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Wed, 20 Mar 2002 07:54:01 +0000 (GMT)
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
In-Reply-To:
Message-ID: <20020320075401.70650.qmail@web12702.mail.yahoo.com>

Hi,

Could someone explain how exactly this could be done?

A user would have a certificate installed on his laptop/desktop and also, when he connects to the concentrator, he would be prompted for a username/password which would go to Radius for authentication?

Siddhartha

--- Mary Stevens wrote:
> You should be able to do it. It isn't trivial to set up, and get the
> latest version of code for your 3000 concentrator. Older code on the vpn
> concentrator just wouldn't import the certs correctly for me.
>
> I did it with openssl certs for server and client.
>
> Mary Stevens
>
> On Tue, 19 Mar 2002, Siddhartha Jain wrote:
>
> > Hi,
> >
> > Can I use PKI certificates along with Radius
> > authentication on a VPN 3000 box?
> >
> > TIA,
> >
> > Siddhartha Jain
From safieradam at hotmail.com Wed Mar 20 14:35:18 2002
From: safieradam at hotmail.com (adam safier)
Date: Wed, 20 Mar 2002 14:35:18 -0500
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
References: <000001c1cfa8$0dd87730$0800a8c0@DALLASDELL2K>
Message-ID:

This advertisement does not really specify how the authentication mechanisms interoperate. Specifically, do they have a radius server that will support authentication with Public Key certificates? Until a little while ago Radius could not do PKI authentication. The EAP extensions may allow it to do this but the only Radius server that I heard of that actually implemented this was Microsoft. Not sure if Keon does this or if they really use LDAP.

Check Point does Public key cert authentication by making an LDAP call to fetch the public cert. Radius is used for reusable passwords.

So, do any VPN or firewall products actually use Radius and EAP to authenticate using Public Key Certificates? How many Radius servers now support EAP? (Steel Belted was working on it some months ago but I don't know where they are.)

Adam

----- Original Message -----
From: "Kent Dallas"
To: "'Siddhartha Jain'" ;
Sent: Tuesday, March 19, 2002 7:42 PM
Subject: RE: [vpn] Cisco VPN 3000 authentication mechanisms

> It just occurred to me that I sent a CCO link, when the same data was
> available to the public here:
>
> (http://www.cisco.com/warp/public/cc/pd/hb/vp3000/prodlit/vpn3k_ov.htm)
>
> Sorry for any inconvenience.
>
> Kent Dallas
From kent at dalliesin.com Wed Mar 20 14:49:05 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Wed, 20 Mar 2002 14:49:05 -0500
Subject: [vpn] Cisco VPN 3000 authentication mechanisms
In-Reply-To:
Message-ID: <000401c1d048$4ba6f460$0800a8c0@DALLASDELL2K>

Adam,

The original question was "Can I", which my post answered. The answer to "How can I" is more complicated. Again, I would point you to the Cisco 3000 documentation for "how" (also available on the website).

To address your points, no, it is not the RADIUS server that is authenticating with digital certificates. You can set up the concentrator and the clients to use certificates for group authentication (no RADIUS involved).
You can also set up the concentrator to verify user passwords to an external RADIUS server (not necessarily using EAP). You can also use a limited local user database as well. RADIUS and PKI, at least with regards to the Cisco 3000, don't "interoperate", they complement each other. And LDAP is simply a method of retrieving certificates from an external directory (which may also be used, btw).

I don't know the current state of EAP support by RADIUS vendors. Anyone else care to share?

Kent Dallas
From safieradam at hotmail.com Wed Mar 20 16:38:19 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Wed, 20 Mar 2002 16:38:19 -0500
Subject: [vpn] PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
References: <20020320075401.70650.qmail@web12702.mail.yahoo.com>
Message-ID:

Not a Cisco answer but here is how the (non-Cisco) system I'm working on works.

- It has the cert on a smart card at the user's PC.
If you don't care about two factor authentication you could use the local browser certificate store or Microsoft store.
- The VPN software uses the private key to sign and encrypt a message to the VPN gateway.
- The user's password is only used to provide access to the local certificate store so the private key can be used.
- The VPN gateway gets the authentication request and does a lookup in an LDAP accessible directory for the user's DN, which it got from the certificate presented in the request.
- The LDAP returns a copy of the user's certificate to the gateway.
- The gateway checks a CRL for cert validity.
- If the private key matches the public key and the CRL does not contain a revocation and the expiration dates match etc. then the user is valid and is allowed to connect to internal systems.

No Radius in the mix. If anyone knows of a VPN that can do Radius EAP to do certificates please share with the list.

Adam
From kent at dalliesin.com Wed Mar 20 17:40:17 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Wed, 20 Mar 2002 17:40:17 -0500
Subject: [vpn] PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
Message-ID: <000101c1d061$65be73f0$0800a8c0@DALLASDELL2K>

Originally sent with digital signature applied, but the list (or Tina!) won't accept it. Plain text version below:

-----Original Message-----
From: Kent Dallas [mailto:kent at dalliesin.com]
Sent: Wednesday, March 20, 2002 5:19 PM
To: 'Adam Safier'; 'vpn at securityfocus.com'
Subject: RE: [vpn] PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms

Adam,

A few points on your post...see inline comments.

> -----Original Message-----
> From: Adam Safier [mailto:safieradam at hotmail.com]
> Sent: Wednesday, March 20, 2002 4:38 PM
> To: Siddhartha Jain; vpn at securityfocus.com
> Subject: [vpn] PKI authentication with VPN - was Cisco VPN 3000
> authentication mechanisms
>
> Not a Cisco answer but here is how the (non-Cisco) system I'm working on
> works.
>
> - It has the cert on a smart card at the user's PC. If you don't care about
> two factor authentication you could use the local browser certificate store
> or Microsoft store.

Whether the private key is stored on a smart card versus a hard drive certificate store does not directly relate to whether it is a two-factor authentication.
It may have security implications to the strength of one factor (the "something you have"), but a token alone does not make it "two-factor".

> - The VPN software uses the private key to sign and encrypt a message to the
> VPN gateway.

Nit: I doubt the software actually signs AND encrypts a message, versus simply signing a hash (and yes, signing is an encryption process, but an asymmetric one). Note that this email is signed, but not encrypted (and I had to enter a password to send it, with no smart card).

> - The user's password is only used to provide access to the local certificate
> store so the private key can be used.

Which also doesn't make it "two-factor". The VPN software doesn't care where the key is stored, or how it gains access to it. While the effect in the implementation is that the user must know their password and have their token, the VPN only sees the digital certificate factor, not the password. The same, btw, may apply to private keys stored on the hard drive (like the MS cert store).

> - The VPN gateway gets the authentication request and does a lookup in an
> LDAP accessible directory for the user's DN, which it got from the
> certificate presented in the request.
> - The LDAP returns a copy of the user's certificate to the gateway.

If the gateway received the certificate as part of the request, why does it need to use LDAP? What is it retrieving from the directory? Normally, one would use a directory to eliminate the need to transfer the certificate (or chain) in the request.

> - The gateway checks a CRL for cert validity.
> - If the private key matches the public key and the CRL does not contain a
> revocation and the expiration dates match etc. then the user is valid and is
> allowed to connect to internal systems.

Based only on a single factor: the verification of the digital certificate signature. And I'm sure you don't mean that the private key matches the public key, but rather, the resulting hash matches.

>
> No Radius in the mix.
>

The Cisco implementation, and most other IPSec implementations, do all the above, plus allow for a user authentication via RADIUS for a second factor.

> If anyone knows of a VPN that can do Radius EAP to do certificates please
> share with the list.
>
> Adam

Kent Dallas

From safieradam at hotmail.com Wed Mar 20 20:21:11 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Wed, 20 Mar 2002 20:21:11 -0500
Subject: [vpn] PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
References: <000101c1d061$65be73f0$0800a8c0@DALLASDELL2K>
Message-ID:

Both your messages made it. My comments are also in line. This is getting long.

----- Original Message -----
From: "Kent Dallas"
To: "'Adam Safier'" ;
Sent: Wednesday, March 20, 2002 5:40 PM
Subject: RE: [vpn] PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms

> Originally sent with digital signature applied, but the list (or Tina!)
> won't accept it.
>
> Plain text version below:
>
> A few points on your post...see inline comments.
>
> > Not a Cisco answer but here is how the (non-Cisco) system I'm working on
> > works.
> >
> > - It has the cert on a smart card at the user's PC. If you don't care about
> > two factor authentication you could use the local browser certificate store
> > or Microsoft store.
>
> Whether the private key is stored on a smart card versus a hard drive
> certificate store does not directly relate to whether it is a two-factor
> authentication. It may have security implications to the strength of
> one factor (the "something you have"), but a token alone does not make
> it "two-factor".
Is it a matter of interpretation or is there a "standards" definition of two-factor that I missed? I always thought of it as "something you have and something you know". You have to have the card (1) and you have to have the password to access the key within X tries (2).

Your definition would require carrying the something you know all the way to the gateway or application. Actually 2 items - the second password and the digital signature. This is the first I've heard of a system that would do both. I'm not sure it would actually improve on the strength of the authentication provided by the certificate other than that you have multiple passwords. If I had a fingerprint open the certificate I would not want to transmit the fingerprint vectors along with the signed request, particularly in the clear. I would want to keep it local. I'll have to think about that.

> > - The VPN software uses the private key to sign and encrypt a message to the
> > VPN gateway.
>
> Nit: I doubt the software actually signs AND encrypts a message, versus
> simply signing a hash (and yes, signing is an encryption process, but an
> asymmetric one). Note that this email is signed, but not encrypted (and
> I had to enter a password to send it, with no smart card).

Hmm... I'll have to double check if they use the user's public key to encrypt or just sign the request. I've been told they do encrypt the exchange but it may be via a server and client cert or a proprietary mechanism.

> > - The user's password is only used to provide access to the local certificate
> > store so the private key can be used.
>
> Which also doesn't make it "two-factor". The VPN software doesn't care
> where the key is stored, or how it gains access to it. While the effect
> in the implementation is that the user must know their password and have
> their token, the VPN only sees the digital certificate factor, not the
> password.
> The same, btw, may apply to private keys stored on the hard
> drive (like the MS cert store).

Back to the definition of "two-factor". I guess you could consider the hard drive or PC as "something you have" but most people I dealt with don't. The PC files could be duplicated and cracking can be tried many times. Often the PC is out of your control. The key never leaves the smart card (with the correct type of card you send data to it and it does the signing). I guess many discussions of "two-factor" don't deal with the strength of the second factor, and they should.

> > - The VPN gateway gets the authentication request and does a lookup in an
> > LDAP accessible directory for the user's DN, which it got from the
> > certificate presented in the request.
> > - The LDAP returns a copy of the user's certificate to the gateway.
>
> If the gateway received the certificate as part of the request, why does
> it need to use LDAP? What is it retrieving from the directory?
> Normally, one would use a directory to eliminate the need to transfer
> the certificate (or chain) in the request.

It does not have to be LDAP in theory but the implementation I'm working with uses that as the database access protocol. It actually retrieves the user's certificate and public key which it uses to check the request signature. The correct DN must be in the "approved" database and must have the correct certificate so the VPN can get the correct public key. At least that is my interpretation of what I read or was told - Alzheimer's is setting in. If I find otherwise in testing I'll have to share. Seems very logical.

> > - The gateway checks a CRL for cert validity.
> > - If the private key matches the public key and the CRL does not contain a
> > revocation and the expiration dates match etc. then the user is valid and is
> > allowed to connect to internal systems.
>
> Based only on a single factor: the verification of the digital
> certificate signature.
> And I'm sure you don't mean that the private key
> matches the public key, but rather, the resulting hash matches.

The digital signature proves that you 1: have the password 2: have the card. But yes, the signature is verified.

> > No Radius in the mix.
> >
>
> The Cisco implementation, and most other IPSec implementations, do all
> the above, plus allow for a user authentication via RADIUS for a second
> factor.

The system I'm working with can do SecureID, S/key radius, etc. but I have never seen a dual authentication - i.e. password + Tacacs+ or PKI + password on a single user authentication. You can have different users using different methods but it only authenticates the user once based on the protocol defined for that user. Most organizations simply use the strongest method that they are willing to fund/deal with. Maybe military places might go for triple or more authentication and it's good to know if Cisco really can do this.

The real use I can see for this is if you have one user that accesses system A using one authentication method and then system B behind the same VPN gateway that requires a stronger authentication method and the authentication is passed to the end system.

Is this part of Cisco Secure or is it part of the stand alone concentrator?

BTW, I may be out for a while and not reply to your next reply.

Adam

From kent at dalliesin.com Thu Mar 21 10:15:56 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Thu, 21 Mar 2002 10:15:56 -0500
Subject: [vpn] Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
In-Reply-To:
Message-ID: <000001c1d0eb$4daeae30$0800a8c0@DALLASDELL2K>

Adam,

Allow me to explain my reasoning more clearly. There are three basic types of authenticators: something you know (PINs, passwords, shared secrets), something you have (tokens, passport, driver's license), and something you are (biometrics).
Systems based on two-factor authentication require at least one authenticator from each of two different types (two passwords, for example, are not considered two-factor authentication).

In the case we have been discussing, the "something you have" isn't your smart card, or your PC, or the hard drive, it is the private key. This is a bit abstract since the private key is really just a string of bits, all ones and zeros. To be useful as an authenticator, the private key must be unique, verifiable, and strictly possessed only by the entity/identity bound with the corresponding public key in the certificate. I'll avoid the PKI 101 discussion here, but note that asymmetric (public key) cryptography differs from shared secrets since the private key IS NOT shared between the two systems, but does allow for verification. The PKI itself must enforce the uniqueness of the private key. And the user is responsible for maintaining strict possession of the private key.

So how does the user do this? They store the private key in a safe place. They may store it in a software cryptographic store on their PC hard drive. They may store it on a smart card, or perhaps a USB token. In each case, the user may protect access to the private key with a password. And in each case, the password is only of local significance, assigned by and only known by the user.

Is a smart card more secure for storing a private key than a software cryptographic store? Yes, particularly if the card has the ability to generate the private key internally, perform signing and encryption operations, and includes tamper-proof features. Are software cryptography stores insecure? Hardly. The difference is only a matter of degree. Cracking a software cryptography store is non-trivial. Further, it assumes you have access to the PC, which in this case, in effect, acts the same as the token (a secure storage device for the private key).
So why wouldn't the VPN solution you describe be considered two-factor authentication? The user needed both a password and a token, so it must be, right? I don't think so, and here is why. From the VPN gateway's perspective, the ONLY authenticator it validates is the private key (digital signature). The gateway DOES NOT know that the user had to (or did) enter a password to access the private key - it never verified that the password was correct - it didn't even KNOW the password. All it knows is that the client implementation had access to a valid private key. That is ALL THE GATEWAY can claim, a single factor, nothing more.

Stated a little differently, what do I need to break the security of the system? The private key, and only the private key; the password is irrelevant. That is a single factor authentication solution (albeit a strong one). I would be interested if others on the list, particularly CISSPs, would agree or disagree.

A well designed single factor authentication system can be more secure than a poorly designed two-factor system. Two-factor authentication systems normally include username/passwords as one of the two factors, since it is relatively inexpensive to incorporate them. With a proper design, this system can deliver security equivalent to many two-factor systems. But there are a whole host of other issues that must be addressed, the most significant of which is the registration process of binding the identity to the public/private key pair, including verification that the private key is properly stored and protected in a smart card. To fulfill this requirement with high confidence almost always requires face-to-face registration, which is simply impractical for the vast majority of VPN implementations (particularly remote access, by its very nature).

My standard disclaimer: The technology is great and wonderful, but even with exceptional design, the weakest link will be the humans in the chain.
NO TECHNOLOGY can protect a system without proper POLICIES and PRACTICES, process enforcement, training, monitoring, and auditing. Otherwise, it's just a bunch of neat toys and a false sense of security.

And briefly, on your other points:
* If you are using an IPsec implementation with IKE, then the digital signature exchange is encrypted, not with the cert, but with the key from the DH exchange.
* If you are using LDAP and the directory stores user certs, then it is unlikely that the client transmits the certificate with its authentication request, just the distinguished name and signed challenge.
* Again, if it is IPsec with IKE, you have two authentication stages, a group authentication and a user authentication. It is unclear from your post exactly how this is accomplished in your implementation.

Care to share the implementation you are using?

BTW, none of the information in this post is specific to the Cisco 3000.

Kent Dallas

From safieradam at hotmail.com Thu Mar 21 15:33:30 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Thu, 21 Mar 2002 15:33:30 -0500
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
References: <000001c1d0eb$4daeae30$0800a8c0@DALLASDELL2K>
Message-ID:

Kent,

Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. By those policies the gateway does know what the user had to do. For example, if the certificate is issued to the user at the time they are handed the smart card and they cannot export the private key you know they had to authenticate to access the card.

User authentication, user side tools and policy at the time of certificate issuance is a key part of a PKI design and what makes smart cards qualify, at least in my mind, as two-factor. That is why Santa Claus could get a free certificate from Verisign when all they used was the email address.
Verisign stated clearly that this was weak since all you knew was that the e-mail existed at the time. But it was a way to introduce certificates to the public. You had to pay for more thorough registration processes. Neither solution dealt with two-factor vs. single factor. They really did not address where, how or by which browser the private key and certificate were stored or exported, so it wasn't two-factor.

By your definition RSA SecurID ACE systems would also be considered a single factor system. Even though you have a token number and a PIN you transmit them together. They always market it as two-factor. I guess I swallowed their line .. 8-)

If those don't qualify as two-factor authentication, what would you use as examples of real two-factor authentication in the production world?

I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at this time. Do you by any chance have a link to an iPlanet discussion archive handy?

BTW, I like your L2TP slide show. Nice site.

Adam

----- Original Message -----
From: "Kent Dallas"
To: "'Adam Safier'" ;
Sent: Thursday, March 21, 2002 10:15 AM
Subject: Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms

> Adam,
>
> Allow me to explain my reasoning more clearly. There are three basic types of authenticators: something you know (PINS, passwords, shared secrets), something you have (tokens, passport, drivers license), and something you are (biometrics). Systems based on two-factor authentication require at least one authenticator from each of two different types (two passwords, for example, are not considered two-factor authentication).
>
> In the case we have been discussing, the "something you have" isn't your smart card, or your PC, or the hard drive, it is the private key. This is a bit abstract since the private key is really just a string of bits, all ones and zeros. To be useful as an authenticator, the private key must be unique, verifiable, and strictly possessed only by the entity/identity bound with the corresponding public key in the certificate. I'll avoid the PKI 101 discussion here, but note that asymmetric (public key) cryptography differs from shared secrets since the private key IS NOT shared between the two systems, but does allow for verification. The PKI itself must enforce the uniqueness of the private key. And the user is responsible for maintaining strict possession of the private key.
>
> So how does the user do this? They store the private key in a safe place. They may store it in a software cryptographic store on their PC hard drive. They may store it on a smart card, or perhaps a USB token. In each case, the user may protect access to the private key with a password. And in each case, the password is only of local significance, assigned by and only known by the user.
>
> Is a smart card more secure for storing a private key than a software cryptographic store? Yes, particularly if the card has the ability to generate the private key internally, perform signing and encryption operations, and includes tamper-proof features. Are software cryptography stores insecure? Hardly. The difference is only a matter of degree. Cracking a software cryptography store is non-trivial. Further, it assumes you have access to the PC, which in this case, in effect, acts the same as the token (a secure storage device for the private key).
>
> So why wouldn't the VPN solution you describe be considered two-factor authentication? The user needed both a password and a token, so it must be, right? I don't think so, and here is why. From the VPN gateway's perspective, the ONLY authenticator it validates is the private key (digital signature). The gateway DOES NOT know that the user had to (or did) enter a password to access the private key - it never verified that the password was correct - it didn't even KNOW the password. All it knows is that the client implementation had access to a valid private key. That is ALL THE GATEWAY can claim, a single factor, nothing more. Stated a little differently, what do I need to break the security of the system? The private key, and only the private key; the password is irrelevant. That is a single factor authentication solution (albeit a strong one). I would be interested if others on the list, particularly CISSPs, would agree or disagree.
>
> A well designed single factor authentication system can be more secure than a poorly designed two-factor system. Two-factor authentication systems normally include username/passwords as one of the two factors, since it is relatively inexpensive to incorporate them.
>
> With a proper design, this system can deliver security equivalent to many two-factor systems. But there are a whole host of other issues that must be addressed, the most significant of which is the registration process of binding the identity to the public/private key pair, including verification that the private key is properly stored and protected in a smart card. To fulfill this requirement with high confidence almost always requires face-to-face registration, which is simply impractical for the vast majority of VPN implementations (particularly remote access, by its very nature).
>
> My standard disclaimer: The technology is great and wonderful, but even with exceptional design, the weakest link will be the humans in the chain. NO TECHNOLOGY can protect a system without proper POLICIES and PRACTICES, process enforcement, training, monitoring, and auditing. Otherwise, it's just a bunch of neat toys and a false sense of security.
>
> And briefly, on your other points:
> * If you are using an IPsec implementation with IKE, then the digital signature exchange is encrypted, not with the cert, but with the key from the DH exchange.
> * If you are using LDAP and the directory stores user certs, then it is unlikely that the client transmits the certificate with its authentication request, just the distinguished name and signed challenge.
> * Again, if it is IPsec with IKE, you have two authentication stages, a group authentication and a user authentication. It is unclear from your post exactly how this is accomplished in your implementation.
>
> Care to share the implementation you are using?
>
> BTW, none of the information in this post is specific to the Cisco 3000.
>
> Kent Dallas

From kent at dalliesin.com Thu Mar 21 17:40:32 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Thu, 21 Mar 2002 17:40:32 -0500
Subject: [vpn] RE: Two Factor Authentication, was PKI authentication with VPN
In-Reply-To:
Message-ID: <001101c1d129$6a1bddc0$0800a8c0@DALLASDELL2K>

Adam,

RSA's SecurID is two-factor, since the gateway (with the ACE server architecture) verifies both the one-time password and the PIN. While this may sound like two passwords, the one-time password is established from the token (or soft token, if so implemented). The fact that they are transmitted together is irrelevant. And the fact that it is two-factor doesn't mean that it is more secure than all single factor systems.

I don't have a lot of experience with CheckPoint VPN-1, but I think beginning with v4.1, they supported "hybrid" authentication, which allows "legacy" authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be combined with (or to replace) either pre-shared keys or digital certificates. Perhaps someone with more experience with VPN1 can confirm or refute.
Adding username/password to your implementation would be an example of a two-factor authentication system. The IPsec service I designed for Intelispan (now McLeodUSA) utilized both digital certificates and username/passwords, for another example. And there are plenty of others out there as well. As you may have noticed from slide 20 on the L2TP presentation, we even engineered a two-factor authentication solution with an L2TP compulsory tunnel service (no IPsec).

Sun operates an iPlanet forum at .

Thanks for checking out the site. On May 14th, I'll be presenting "Authentication Alternatives for Remote Access VPNs" at VPNcon in San Jose. That presentation will be added to my site shortly after the presentation. I'd hope you would have the chance to attend.

Regards,
Kent Dallas

-----Original Message-----
From: Adam Safier [mailto:safieradam at hotmail.com]
Sent: Thursday, March 21, 2002 3:34 PM
To: kdallas at dalliesin.com; vpn at securityfocus.com
Subject: Re: Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms

Kent,

Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. By those policies the gateway does know what the user had to do. For example, if the certificate is issued to the user at the time they are handed the smart card and they cannot export the private key you know they had to authenticate to access the card.

User authentication, user side tools and policy at the time of certificate issuance is a key part of a PKI design and what makes smart cards qualify, at least in my mind, as two-factor. That is why Santa Claus could get a free certificate from Verisign when all they used was the email address. Verisign stated clearly that this was weak since all you knew was that the e-mail existed at the time. But it was a way to introduce certificates to the public. You had to pay for more thorough registration processes. Neither solution dealt with two-factor vs. single factor.
They really did not address where, how or by which browser the private key and certificate were stored or exported, so it wasn't two-factor.

By your definition RSA SecurID ACE systems would also be considered a single factor system. Even though you have a token number and a PIN you transmit them together. They always market it as two-factor. I guess I swallowed their line .. 8-)

If those don't qualify as two-factor authentication, what would you use as examples of real two-factor authentication in the production world?

I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at this time. Do you by any chance have a link to an iPlanet discussion archive handy?

BTW, I like your L2TP slide show. Nice site.

Adam

From safieradam at hotmail.com Thu Mar 21 20:37:42 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Thu, 21 Mar 2002 20:37:42 -0500
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN
References: <001101c1d129$6a1bddc0$0800a8c0@DALLASDELL2K>
Message-ID:

Kent,

Seems like an awfully fine distinction. SecurID used to have a numeric key pad card (I don't know if they still do) where you entered your PIN, it generated a number and you entered only the number in the authentication screen on the workstation. That would NOT be two factor by your definition even though it used the ACE server. The more common (and cheaper) token card without a key pad would qualify since you are sending the PIN and the number.

The access point gateway only gets one authentication "OK" from the ACE server so I still have problems with this since where do you draw the line? From my viewpoint, the numeric key pad card and the smart card are still two-factor. You have to have the card and you have to know a password.

I think it all comes down to definition. I have not followed the IETF lately to see if they defined it in any way in the "standards". It really does not matter that much in real life.
The point is to get strong authentication that can be carried to many processes and applications. For that, the PKI / local password to smart card solution is OK. I like PKI / local bio authentication to smart card better (finger print never leaves the reader) but that is just coming around from the products I know.

I'd love to see some opinions from the list but I have the feeling we're the only ones discussing this.

I can't make the VPNcon but I hope you have lots of fun.

Adam

----- Original Message -----
From: "Kent Dallas"
To: "'Adam Safier'" ;
Sent: Thursday, March 21, 2002 5:40 PM
Subject: RE: Two Factor Authentication, was PKI authentication with VPN

> Adam,
>
> RSA's SecurID is two-factor, since the gateway (with the ACE server architecture) verifies both the one-time password and the PIN. While this may sound like two passwords, the one-time password is established from the token (or soft token, if so implemented). The fact that they are transmitted together is irrelevant. And the fact that it is two-factor doesn't mean that it is more secure than all single factor systems.
>
> I don't have a lot of experience with CheckPoint VPN-1, but I think beginning with v4.1, they supported "hybrid" authentication, which allows "legacy" authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be combined with (or to replace) either pre-shared keys or digital certificates. Perhaps someone with more experience with VPN1 can confirm or refute.
>
> Adding username/password to your implementation would be an example of a two-factor authentication system. The IPsec service I designed for Intelispan (now McLeodUSA) utilized both digital certificates and username/passwords, for another example. And there are plenty of others out there as well. As you may have noticed from slide 20 on the L2TP presentation, we even engineered a two-factor authentication solution with an L2TP compulsory tunnel service (no IPsec).
>
> Sun operates an iPlanet forum at .
>
> Thanks for checking out the site. On May 14th, I'll be presenting "Authentication Alternatives for Remote Access VPNs" at VPNcon in San Jose. That presentation will be added to my site shortly after the presentation. I'd hope you would have the chance to attend.
>
> Regards,
> Kent Dallas
>
> -----Original Message-----
> From: Adam Safier [mailto:safieradam at hotmail.com]
> Sent: Thursday, March 21, 2002 3:34 PM
> To: kdallas at dalliesin.com; vpn at securityfocus.com
> Subject: Re: Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
>
> Kent,
>
> Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. By those policies the gateway does know what the user had to do. For example, if the certificate is issued to the user at the time they are handed the smart card and they cannot export the private key you know they had to authenticate to access the card.
>
> User authentication, user side tools and policy at the time of certificate issuance is a key part of a PKI design and what makes smart cards qualify, at least in my mind, as two-factor. That is why Santa Claus could get a free certificate from Verisign when all they used was the email address. Verisign stated clearly that this was weak since all you knew was that the e-mail existed at the time. But it was a way to introduce certificates to the public. You had to pay for more thorough registration processes. Neither solution dealt with two-factor vs. single factor. They really did not address where, how or by which browser the private key and certificate were stored or exported, so it wasn't two-factor.
>
> By your definition RSA SecurID ACE systems would also be considered a single factor system. Even though you have a token number and a PIN you transmit them together. They always market it as two-factor. I guess I swallowed their line .. 8-)
>
> If those don't qualify as two-factor authentication, what would you use as examples of real two-factor authentication in the production world?
>
> I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at this time. Do you by any chance have a link to an iPlanet discussion archive handy?
>
> BTW, I like your L2TP slide show. Nice site.
>
> Adam

From bugtraq at seifried.org Thu Mar 21 21:04:56 2002
From: bugtraq at seifried.org (Kurt Seifried)
Date: Thu, 21 Mar 2002 19:04:56 -0700
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN
References: <001101c1d129$6a1bddc0$0800a8c0@DALLASDELL2K>
Message-ID: <00ac01c1d145$f6be4da0$6400020a@seifried.org>

An important distinction: you need the initial secret and _a_ card, not the specific card that the user just happens to be using today with most SecurID/related tokens.

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.idefense.com/digest.html

From tbird at precision-guesswork.com Fri Mar 22 01:06:05 2002
From: tbird at precision-guesswork.com (Tina Bird)
Date: Fri, 22 Mar 2002 00:06:05 -0600 (CST)
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN
In-Reply-To:
Message-ID:

Okay, okay, I'll chip in my opinion here -- tho' I didn't watch the beginning of the thread as closely as I might have if I'd known I would get dragged in!

The SecurID key pad card still qualifies as two factor, because you have to have your PIN (what you know) and the token (what you have), and the server validates that combination. One factor would be being able to log in with just the PIN or just the token.

tbird

Don't get even -- get odd.
Swami Beyondananda

Life: http://www.shmoo.com/~tbird
Log Analysis: http://www.counterpane.com/log-analysis.html
VPN: http://vpn.shmoo.com

On Thu, 21 Mar 2002, Adam Safier wrote:

> Kent,
>
> Seems like an awfully fine distinction. SecurID used to have a numeric key pad card (I don't know if they still do) where you entered your PIN, it generated a number and you entered only the number in the authentication screen on the workstation. That would NOT be two factor by your definition even though it used the ACE server. The more common (and cheaper) token card without a key pad would qualify since you are sending the PIN and the number.
>
> The access point gateway only gets one authentication "OK" from the ACE server so I still have problems with this since where do you draw the line? From my viewpoint, the numeric key pad card and the smart card are still two-factor. You have to have the card and you have to know a password.
>
> I think it all comes down to definition. I have not followed the IETF lately to see if they defined it in any way in the "standards". It really does not matter that much in real life. The point is to get strong authentication that can be carried to many processes and applications. For that, the PKI / local password to smart card solution is OK. I like PKI / local bio authentication to smart card better (finger print never leaves the reader) but that is just coming around from the products I know.
>
> I'd love to see some opinions from the list but I have the feeling we're the only ones discussing this.
>
> I can't make the VPNcon but I hope you have lots of fun.
>
> Adam
>
> ----- Original Message -----
> From: "Kent Dallas"
> To: "'Adam Safier'" ;
> Sent: Thursday, March 21, 2002 5:40 PM
> Subject: RE: Two Factor Authentication, was PKI authentication with VPN
>
> > Adam,
> >
> > RSA's SecurID is two-factor, since the gateway (with the ACE server architecture) verifies both the one-time password and the PIN. While this may sound like two passwords, the one-time password is established from the token (or soft token, if so implemented). The fact that they are transmitted together is irrelevant. And the fact that it is two-factor doesn't mean that it is more secure than all single factor systems.
> >
> > I don't have a lot of experience with CheckPoint VPN-1, but I think beginning with v4.1, they supported "hybrid" authentication, which allows "legacy" authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be combined with (or to replace) either pre-shared keys or digital certificates. Perhaps someone with more experience with VPN1 can confirm or refute.
> >
> > Adding username/password to your implementation would be an example of a two-factor authentication system. The IPsec service I designed for Intelispan (now McLeodUSA) utilized both digital certificates and username/passwords, for another example. And there are plenty of others out there as well. As you may have noticed from slide 20 on the L2TP presentation, we even engineered a two-factor authentication solution with an L2TP compulsory tunnel service (no IPsec).
> >
> > Sun operates an iPlanet forum at .
> >
> > Thanks for checking out the site. On May 14th, I'll be presenting "Authentication Alternatives for Remote Access VPNs" at VPNcon in San Jose. That presentation will be added to my site shortly after the presentation. I'd hope you would have the chance to attend.
> >
> > Regards,
> > Kent Dallas
> >
> > -----Original Message-----
> > From: Adam Safier [mailto:safieradam at hotmail.com]
> > Sent: Thursday, March 21, 2002 3:34 PM
> > To: kdallas at dalliesin.com; vpn at securityfocus.com
> > Subject: Re: Two Factor Authentication, was PKI authentication with VPN - was Cisco VPN 3000 authentication mechanisms
> >
> > Kent,
> >
> > Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. By those policies the gateway does know what the user had to do. For example, if the certificate is issued to the user at the time they are handed the smart card and they cannot export the private key you know they had to authenticate to access the card.
> >
> > User authentication, user side tools and policy at the time of certificate issuance is a key part of a PKI design and what makes smart cards qualify, at least in my mind, as two-factor. That is why Santa Claus could get a free certificate from Verisign when all they used was the email address. Verisign stated clearly that this was weak since all you knew was that the e-mail existed at the time. But it was a way to introduce certificates to the public. You had to pay for more thorough registration processes. Neither solution dealt with two-factor vs. single factor. They really did not address where, how or by which browser the private key and certificate were stored or exported, so it wasn't two-factor.
> >
> > By your definition RSA SecurID ACE systems would also be considered a single factor system. Even though you have a token number and a PIN you transmit them together. They always market it as two-factor. I guess I swallowed their line .. 8-)
> >
> > If those don't qualify as two-factor authentication, what would you use as examples of real two-factor authentication in the production world?
> >
> > I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at this time. Do you by any chance have a link to an iPlanet discussion archive handy?
> >
> > BTW, I like your L2TP slide show. Nice site.
> >
> > Adam

From kent at dalliesin.com Fri Mar 22 08:22:04 2002
From: kent at dalliesin.com (Kent Dallas)
Date: Fri, 22 Mar 2002 08:22:04 -0500
Subject: [vpn] RE: Two Factor Authentication, was PKI authentication with VPN
In-Reply-To:
Message-ID: <000001c1d1a4$8fef4930$0300a8c0@DALLASDELL2K>

>Adam Safier wrote:
>Seems like an awfully fine distinction.

Not really. As I mentioned, and you clarified, if your policy requires face-to-face registration for public key certification, if you use top-of-the-line tokens, if you establish appropriate password/pass phrase requirements, then the distinction becomes moot. But that's a lot of ifs.

>I think it all comes down to definition.

Agreed. And I don't claim any "standard".

>It really does not matter that much in real life. The point is to get strong authentication that can be carried to many processes and applications. For that, the PKI / local password to smart card solution is OK.

If you really even need that, it all depends on what you are trying to protect.

>I like PKI / local bio authentication to smart card better (finger print never leaves the reader) but that is just coming around from the products I know.

Personally, I like passwords (or better, pass phrases). They are cheap, and properly implemented, they can be quite strong. The expense of biometric readers for remote access VPNs is normally prohibitive. Even PKI can be overkill for many enterprise VPN implementations. Strong user passwords and strong group pre-shared secrets are sufficient for many applications.
I walked into an enterprise customer using SecurID, as the security manager brags about the strength of the two-factor authentication solution. While walking to the conference room, we passed a cube where the worker was away, and their SecurID token was TAPED to the monitor. I asked him about it, and he talked about how someone would still need their PIN. I asked him to lift the keyboard, he did, and there was a post-it note with a four digit number. I just smiled - he looked a bit frazzled. Was it the SecurID PIN? I don't know. But I would bet money.

In the meeting, he did describe some of the costs they faced with their "strong authentication" solution. Mostly, it was related to administration and lost productivity, due to workers leaving or losing their tokens.

Bottom line: Strong authentication is expensive. Tokens are expensive. Readers are expensive. Administration is expensive. PKI is expensive. And VPNs are supposed to save money. The right solution must balance all of these conflicting objectives based on actual needs, not just technology that is cool. Biometrics are cool. And I've only run into one application in my many years that could actually justify their cost (and in a very limited manner, at that).

And that reminds me of another meeting, a number of years back, when the CEO of this fast growing company excused himself to take a phone call. He had just explained how information security was critical to his enterprise, and his interest in using encryption and strong authentication on his network. He later explained that the phone call was regarding a potential acquisition. The kicker? He took the call on his analog cellphone.
Regards,
Kent Dallas

From losttoy2000 at yahoo.co.uk Fri Mar 22 23:26:40 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Sat, 23 Mar 2002 04:26:40 +0000 (GMT)
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN
In-Reply-To:
Message-ID: <20020323042640.97977.qmail@web12705.mail.yahoo.com>

No, you guys are not alone. I have been following the whole discussion with a lot of interest. But since I am a novice, I don't have much to add.

From an abstract view, I agree with Kent's definition of two factor authentication, where it's the VPN box which must be provided two passports (passwords or certificates or PINs) for authentication.

Siddhartha

--- Adam Safier wrote:
> Kent,
>
> Seems like an awfully fine distinction. SecurID used to have a numeric key pad card (I don't know if they still do) where you entered your PIN, it generated a number and you entered only the number in the authentication screen on the workstation. That would NOT be two factor by your definition even though it used the ACE server. The more common (and cheaper) token card without a key pad would qualify since you are sending the PIN and the number.
>
> The access point gateway only gets one authentication "OK" from the ACE server so I still have problems with this since where do you draw the line? From my viewpoint, the numeric key pad card and the smart card are still two-factor. You have to have the card and you have to know a password.
>
> I think it all comes down to definition. I have not followed the IETF lately to see if they defined it in any way in the "standards". It really does not matter that much in real life. The point is to get strong authentication that can be carried to many processes and applications. For that, the PKI / local password to smart card solution is OK. I like PKI / local bio authentication to smart card better (finger print never leaves the reader) but that is just coming around from the products I know.
>
> I'd love to see some opinions from the list but I have the feeling we're the only ones discussing this.
>
> I can't make the VPNcon but I hope you have lots of fun.
>
> Adam
>
> ----- Original Message -----
> From: "Kent Dallas"
> To: "'Adam Safier'" ;
> Sent: Thursday, March 21, 2002 5:40 PM
> Subject: RE: Two Factor Authentication, was PKI authentication with VPN
>
> > Adam,
> >
> > RSA's SecurID is two-factor, since the gateway (with the ACE server architecture) verifies both the one-time password and the PIN. While this may sound like two passwords, the one-time password is established from the token (or soft token, if so implemented). The fact that they are transmitted together is irrelevant. And the fact that it is two-factor doesn't mean that it is more secure than all single factor systems.
> >
> > I don't have a lot of experience with CheckPoint VPN-1, but I think beginning with v4.1, they supported "hybrid" authentication, which allows "legacy" authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be combined with (or to replace) either pre-shared keys or digital certificates. Perhaps someone with more experience with VPN1 can confirm or refute.
> >
> > Adding username/password to your implementation would be an example of a two-factor authentication system. The IPsec service I designed for Intelispan (now McLeodUSA) utilized both digital certificates and username/passwords, for another example. And there are plenty of others out there as well. As you may have noticed from slide 20 on the L2TP presentation, we even engineered a two-factor authentication solution with an L2TP compulsory tunnel service (no IPsec).
> >
> > Sun operates an iPlanet forum at .
> > > > Thanks for checking out the site. On May 14th, > I'll be presenting > > "Authentication Alternatives for Remote Access > VPNs" at VPNcon > > in San Jose. That presentation > will be added to my site > > shortly after the presentation. I'd hope you would > have the chance to > > attend. > > > > Regards, > > Kent Dallas > > > > -----Original Message----- > > From: Adam Safier [mailto:safieradam at hotmail.com] > > Sent: Thursday, March 21, 2002 3:34 PM > > To: kdallas at dalliesin.com; vpn at securityfocus.com > > Subject: Re: Two Factor Authentication, was PKI > authentication with VPN > > - was Cisco VPN 3000 authentication mechanisms > > > > > > Kent, > > > > Proper POLICIES and PRACTICES etc are absolutely > necessary, as you stated. > > By those policies the gateway does know what the > user had to do. For > > example, if the certificate is issued to the user > at the time they are > > handed the smart card and they cannot export the > private key you know they > > had to authenticate to access the card. > > > > User authentication, user side tools and policy at > the time of certificate > > issance is a key part of a PKI design and what > makes smart cards qulify, > at > > least in my mind, as two-factor. That is why > Santa Clause could get a > free > > certificate from Verisign when all they used was > the email address. > > Verisign stated clearly that this was weak since > all you knew was that the > > e-mail existed at the time. But it was a way to > introduce certificates to > > the public. You had to pay for more thorough > registration processes. > > Neither solution dealt with two-factor vs. single > factor. They really did > > not address where, how or by which browser the > private key and certificate > > were stored or exported, so it wasn't two-factor. > > > > By your definition RSA SecurID ACE systems would > also be considered a > single > > factor system. Even though you have a token number > and a pin you transmit > > them together. 
> > They always market it as two-factor. I guess I swallowed their line .. 8-)
> >
> > If those don't qualify as two-factor authentication, what would you use as
> > examples of real two-factor authentication in the production world?
> >
> > I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at
> > this time. Do you by any chance have a link to an iPlanet discussion
> > archive handy?
> >
> > BTW, I like your L2TP slide show. Nice site.
> >
> > Adam
> >
> > VPN is sponsored by SecurityFocus.com

From safieradam at hotmail.com Sun Mar 24 21:36:12 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Sun, 24 Mar 2002 21:36:12 -0500
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication withVPN

Tina,

At one point we were discussing a private key on a smart card and whether that qualified as two-factor. The password to get at the key is not transmitted to the server but is necessary to access the private key on the card, like the SecurID key pad card. Kent's definition requires the password/PIN to be transmitted to the server along with the signed authentication, sort of like the SecurID fob PIN+number. I think that in the long run it only matters when you're dealing with contracts and lawyers.

Adam

----- Original Message -----
From: "Tina Bird"
To: "Adam Safier"
Sent: Friday, March 22, 2002 1:06 AM
Subject: Re: [vpn] Re: Two Factor Authentication, was PKI authentication withVPN

> Okay, okay, I'll chip in my opinion here -- tho' I
> didn't watch the beginning of the thread as closely
> as I might have if I'd known I would get dragged in!
> > The SecurID key pad card still qualifies as two > factor, because you have to have your PIN (what you > know) and the token (what you have), and the server > validates that combination. One factor would be > being able to log in with just the PIN or just > the token. > > tbird > > Don't get even -- get odd. > Swami Beyondananda > > Life: http://www.shmoo.com/~tbird > Log Analysis: http://www.counterpane.com/log-analysis.html > VPN: http://vpn.shmoo.com > > > On Thu, 21 Mar 2002, Adam Safier wrote: > > > Kent, > > > > Seems like an awfully fine distinction. SecureID used to have a numeric key > > pad card (I don't know if they still do) where you entered you PIN, it > > generated a number and you entered only the number in the authentication > > screen on the workstation. That would NOT be two factor by your definition > > even though it used the ACE server. The more common (and cheaper) token > > card without a key pad would qualify since you are sending the PIN and the > > number. > > > > The access point gateway only gets one authentication "OK" from the ACE > > server so I still have problems with this since where do you draw the line? > > >From my view point, the numeric key pad card and the smart card are still > > two-factor. You have to have the card and you have to know a password. > > > > I think it all comes down to definition. I have not followed the IETF > > lately to see if they defined it in any way in the "standards". It really > > does not matter that much in real life. The point is to get strong > > authentication that can be carried to many processes and applications. For > > that, the PKI / local password to smart card solution is OK. I like PKI / > > local bio authentication to smart card better (finger print never leaves the > > reader) but that is just coming around from the products I know. > > > > I'd love to see some opinions from the list but I have the feeling we're the > > only ones discussing this. 
> > > > I can't make the VPNcon but I hope you have lots of fun. > > > > Adam > > > > > > > > ----- Original Message ----- > > From: "Kent Dallas" > > To: "'Adam Safier'" ; > > Sent: Thursday, March 21, 2002 5:40 PM > > Subject: RE: Two Factor Authentication, was PKI authentication with VPN > > > > > > > Adam, > > > > > > RSA's SecurID is two-factor, since the gateway (with the ACE server > > > architecture) verifies both the one-time password and the PIN. While this > > > may sound like two passwords, the one-time password is established from > > the > > > token (or soft token, if so implemented). The fact that they are > > > transmitted together is irrelevent. And the fact that it is two-factor > > > doesn't mean that it is more secure than all single factor systems. > > > > > > I don't have alot of experience with CheckPoint VPN-1, but I think > > beginning > > > with v4.1, they supported "hybrid" authentication, which allows "legacy" > > > authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be > > > combined with (or to replace) either pre-shared keys or digital > > > certificates. Perhaps someone with more experience with VPN1 can confirm > > or > > > refute. > > > > > > Adding username/password to your implementation would be an example of a > > > two-factor authentication system. The IPsec service I designed for > > > Intelispan (now McLeodUSA) utilized both digital certificates and > > > username/passwords, for another example. And there are plenty of others > > out > > > there as well. As you may have noticed from slide 20 on the L2TP > > > presentation, we even engineered a two-factor authentication solution with > > > an L2TP compulsory tunnel service (no IPsec). > > > > > > Sun operates an iPlanet forum at > > > . > > > > > > Thanks for checking out the site. On May 14th, I'll be presenting > > > "Authentication Alternatives for Remote Access VPNs" at VPNcon > > > in San Jose. 
That presentation will be added to my site > > > shortly after the presentation. I'd hope you would have the chance to > > > attend. > > > > > > Regards, > > > Kent Dallas > > > > > > -----Original Message----- > > > From: Adam Safier [mailto:safieradam at hotmail.com] > > > Sent: Thursday, March 21, 2002 3:34 PM > > > To: kdallas at dalliesin.com; vpn at securityfocus.com > > > Subject: Re: Two Factor Authentication, was PKI authentication with VPN > > > - was Cisco VPN 3000 authentication mechanisms > > > > > > > > > Kent, > > > > > > Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. > > > By those policies the gateway does know what the user had to do. For > > > example, if the certificate is issued to the user at the time they are > > > handed the smart card and they cannot export the private key you know they > > > had to authenticate to access the card. > > > > > > User authentication, user side tools and policy at the time of certificate > > > issance is a key part of a PKI design and what makes smart cards qulify, > > at > > > least in my mind, as two-factor. That is why Santa Clause could get a > > free > > > certificate from Verisign when all they used was the email address. > > > Verisign stated clearly that this was weak since all you knew was that the > > > e-mail existed at the time. But it was a way to introduce certificates to > > > the public. You had to pay for more thorough registration processes. > > > Neither solution dealt with two-factor vs. single factor. They really did > > > not address where, how or by which browser the private key and certificate > > > were stored or exported, so it wasn't two-factor. > > > > > > By your definition RSA SecurID ACE systems would also be considered a > > single > > > factor system. Even though you have a token number and a pin you transmit > > > them together. They always market it as two-factor. I guess I swallowed > > > their line .. 
8-) > > > > > > If those don't qualify as two-factor authtication, what would you use as > > > examples of real two-factor authentication in the production world? > > > > > > I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey > > at > > > this time. Do you by any chance have a link to an iPlanet discussion > > > archive handy? > > > > > > BTW, I like your L2TP slide show. Nice site. > > > > > > Adam > > > > > > > > > > > > > VPN is sponsored by SecurityFocus.com > > > > > VPN is sponsored by SecurityFocus.com > > VPN is sponsored by SecurityFocus.com From Andrew.Ford at hudson-shribman.co.uk Mon Mar 25 03:28:55 2002 From: Andrew.Ford at hudson-shribman.co.uk (Andrew Ford) Date: Mon, 25 Mar 2002 08:28:55 -0000 Subject: [vpn] Re: Two Factor Authentication, was PKI authentication w ithVPN Message-ID: Tina, At one point we were discussing a private key on a smart card and whether that qualified as two-factor. The password to get at the key is not transmitted to the server but is necessary to access the private key on the card, like the secureID key pad card. Ken's definition requires the password/PIN to be transmitted to the server along with the signed authentication, sort of like the SecureID fob PIN+number. I think that in the long run it only matters when you're dealing with contracts and lawyers. Adam ----- Original Message ----- From: "Tina Bird" To: "Adam Safier" Cc: ; Sent: Friday, March 22, 2002 1:06 AM Subject: Re: [vpn] Re: Two Factor Authentication, was PKI authentication withVPN > Okay, okay, I'll chip in my opinion here -- tho' I > didn't watch the beginning of the thread as closely > as I might have if I'd known I would get dragged in! > > The SecurID key pad card still qualifies as two > factor, because you have to have your PIN (what you > know) and the token (what you have), and the server > validates that combination. One factor would be > being able to log in with just the PIN or just > the token. 
> > tbird > > Don't get even -- get odd. > Swami Beyondananda > > Life: http://www.shmoo.com/~tbird > Log Analysis: http://www.counterpane.com/log-analysis.html > VPN: http://vpn.shmoo.com > > > On Thu, 21 Mar 2002, Adam Safier wrote: > > > Kent, > > > > Seems like an awfully fine distinction. SecureID used to have a numeric key > > pad card (I don't know if they still do) where you entered you PIN, it > > generated a number and you entered only the number in the authentication > > screen on the workstation. That would NOT be two factor by your definition > > even though it used the ACE server. The more common (and cheaper) token > > card without a key pad would qualify since you are sending the PIN and the > > number. > > > > The access point gateway only gets one authentication "OK" from the ACE > > server so I still have problems with this since where do you draw the line? > > >From my view point, the numeric key pad card and the smart card are still > > two-factor. You have to have the card and you have to know a password. > > > > I think it all comes down to definition. I have not followed the IETF > > lately to see if they defined it in any way in the "standards". It really > > does not matter that much in real life. The point is to get strong > > authentication that can be carried to many processes and applications. For > > that, the PKI / local password to smart card solution is OK. I like PKI / > > local bio authentication to smart card better (finger print never leaves the > > reader) but that is just coming around from the products I know. > > > > I'd love to see some opinions from the list but I have the feeling we're the > > only ones discussing this. > > > > I can't make the VPNcon but I hope you have lots of fun. 
> > > > Adam > > > > > > > > ----- Original Message ----- > > From: "Kent Dallas" > > To: "'Adam Safier'" ; > > Sent: Thursday, March 21, 2002 5:40 PM > > Subject: RE: Two Factor Authentication, was PKI authentication with VPN > > > > > > > Adam, > > > > > > RSA's SecurID is two-factor, since the gateway (with the ACE server > > > architecture) verifies both the one-time password and the PIN. While this > > > may sound like two passwords, the one-time password is established from > > the > > > token (or soft token, if so implemented). The fact that they are > > > transmitted together is irrelevent. And the fact that it is two-factor > > > doesn't mean that it is more secure than all single factor systems. > > > > > > I don't have alot of experience with CheckPoint VPN-1, but I think > > beginning > > > with v4.1, they supported "hybrid" authentication, which allows "legacy" > > > authentication mechanisms, such as RADIUS, TACACS+, and SecurID to be > > > combined with (or to replace) either pre-shared keys or digital > > > certificates. Perhaps someone with more experience with VPN1 can confirm > > or > > > refute. > > > > > > Adding username/password to your implementation would be an example of a > > > two-factor authentication system. The IPsec service I designed for > > > Intelispan (now McLeodUSA) utilized both digital certificates and > > > username/passwords, for another example. And there are plenty of others > > out > > > there as well. As you may have noticed from slide 20 on the L2TP > > > presentation, we even engineered a two-factor authentication solution with > > > an L2TP compulsory tunnel service (no IPsec). > > > > > > Sun operates an iPlanet forum at > > > . > > > > > > Thanks for checking out the site. On May 14th, I'll be presenting > > > "Authentication Alternatives for Remote Access VPNs" at VPNcon > > > in San Jose. That presentation will be added to my site > > > shortly after the presentation. 
I'd hope you would have the chance to > > > attend. > > > > > > Regards, > > > Kent Dallas > > > > > > -----Original Message----- > > > From: Adam Safier [mailto:safieradam at hotmail.com] > > > Sent: Thursday, March 21, 2002 3:34 PM > > > To: kdallas at dalliesin.com; vpn at securityfocus.com > > > Subject: Re: Two Factor Authentication, was PKI authentication with VPN > > > - was Cisco VPN 3000 authentication mechanisms > > > > > > > > > Kent, > > > > > > Proper POLICIES and PRACTICES etc are absolutely necessary, as you stated. > > > By those policies the gateway does know what the user had to do. For > > > example, if the certificate is issued to the user at the time they are > > > handed the smart card and they cannot export the private key you know they > > > had to authenticate to access the card. > > > > > > User authentication, user side tools and policy at the time of certificate > > > issance is a key part of a PKI design and what makes smart cards qulify, > > at > > > least in my mind, as two-factor. That is why Santa Clause could get a > > free > > > certificate from Verisign when all they used was the email address. > > > Verisign stated clearly that this was weak since all you knew was that the > > > e-mail existed at the time. But it was a way to introduce certificates to > > > the public. You had to pay for more thorough registration processes. > > > Neither solution dealt with two-factor vs. single factor. They really did > > > not address where, how or by which browser the private key and certificate > > > were stored or exported, so it wasn't two-factor. > > > > > > By your definition RSA SecurID ACE systems would also be considered a > > single > > > factor system. Even though you have a token number and a pin you transmit > > > them together. They always market it as two-factor. I guess I swallowed > > > their line .. 
8-)
> > >
> > > If those don't qualify as two-factor authentication, what would you use as
> > > examples of real two-factor authentication in the production world?
> > >
> > > I'm working with Check Point VPN, iPlanet Certificate Manager and Datakey at
> > > this time. Do you by any chance have a link to an iPlanet discussion
> > > archive handy?
> > >
> > > BTW, I like your L2TP slide show. Nice site.
> > >
> > > Adam

From safiera at gss-inc.com Mon Mar 25 11:21:43 2002
From: safiera at gss-inc.com (Safier)
Date: Mon, 25 Mar 2002 11:21:43 -0500
Subject: [vpn] RE: Two Factor Authentication, was PKI authentication with VPN
In-Reply-To: <000001c1d1a4$8fef4930$0300a8c0@DALLASDELL2K>

I agree that passwords are fine for many things and you need a Risk Assessment to decide on your authentication requirements and price boundary. You also need an enforced policy for any system to be effective.

No matter what your policy or system someone will screw it up, even professionals. I had the same SecurID situation happen, despite the user guide saying NOT to do this and the person being a router engineer who should have been aware of security issues. And of course smart cards get left in the readers. Same thing can happen with just about anything, which is why I'm becoming a fan of bioauthentication and in particular finger print scanning. Kind of hard to leave your living finger laying around without you being there. (The newer systems do check that your finger is alive - no mafia legend stuff.)

BTW, the price of stronger authentication is dropping. The MSFT CA can be had for the cost of the operating system, though it feels a bit clunky to me. The iPlanet CA is also priced very reasonably and includes basic registration web pages. Hardware prices are also dropping fast and I predict that within 5 years fingerprint scanners and smart card readers will be built into our keyboards or mice and stand alone card/finger readers will cost under $20.

Adam

-----Original Message-----
From: Kent Dallas [mailto:kent at dalliesin.com]
Sent: Friday, March 22, 2002 8:22 AM
To: 'Adam Safier'; vpn at securityfocus.com
Subject: RE: Two Factor Authentication, was PKI authentication with VPN

>Adam Safier wrote:
>Seems like an awfully fine distinction.

Not really. As I mentioned, and you clarified, if your policy requires face-to-face registration for public key certification, if you use top-of-the-line tokens, if you establish appropriate password/pass phrase requirements, then the distinction becomes moot. But that's a lot of ifs.

>I think it all comes down to definition.

Agreed. And I don't claim any "standard".

>It really
>does not matter that much in real life. The point is to get strong
>authentication that can be carried to many processes and applications. For
>that, the PKI / local password to smart card solution is OK.

If you really even need that, it all depends on what you are trying to protect.

>I like PKI /
>local bio authentication to smart card better (finger print never leaves the
>reader) but that is just coming around from the products I know.

Personally, I like passwords (or better, pass phrases). They are cheap, and properly implemented, they can be quite strong. The expense of biometric readers for remote access VPNs is normally prohibitive. Even PKI can be overkill for many enterprise VPN implementations. Strong user passwords and strong group pre-shared secrets are sufficient for many applications.

I walked into an enterprise customer using SecurID, as the security manager bragged about the strength of the two-factor authentication solution. While walking to the conference room, we passed a cube where the worker was away, and their SecurID token was TAPED to the monitor. I asked him about it, and he talked about how someone would still need their PIN. I asked him to lift the keyboard, he did, and there was a post-it note with a four digit number. I just smiled - he looked a bit frazzled. Was it the SecurID PIN? I don't know. But I would bet money.

In the meeting, he did describe some of the costs they faced with their "strong authentication" solution. Mostly, it was related to administration and lost productivity, due to workers leaving or losing their tokens.

Bottom line: Strong authentication is expensive. Tokens are expensive. Readers are expensive. Administration is expensive. PKI is expensive. And VPNs are supposed to save money. The right solution must balance all of these conflicting objectives based on actual needs, not just technology that is cool. Biometrics are cool. And I've only run into one application in my many years that could actually justify their cost (and in a very limited manner, at that).

And that reminds me of another meeting, a number of years back, when the CEO of this fast growing company excused himself to take a phone call. He had just explained how information security was critical to his enterprise, and his interest in using encryption and strong authentication on his network. He later explained that the phone call was regarding a potential acquisition. The kicker? He took the call on his analog cellphone.

Regards,
Kent Dallas

From safieradam at hotmail.com Mon Mar 25 17:25:41 2002
From: safieradam at hotmail.com (Adam Safier)
Date: Mon, 25 Mar 2002 17:25:41 -0500
Subject: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN
References: <20020323042640.97977.qmail@web12705.mail.yahoo.com>

Since this was sent directly to me I will respect the sender's privacy and not give him credit, but this does drive Kent's point home.

"Bruce Schneier has gone on about this at length on his column and web site. One thing he mentions that does seem pertinent - if the password dictates access to the token, then if someone has access to the token they can use password cracking techniques to resolve that, and you don't have "2 factor", you have "1 factor and an access password"."

I think we are agreed that this can be more secure than two-factor but I see the difference in logic for the terminology. Besides RSA SecurID non-keypad cards and very similar token systems, what other two factor authentication products are out there?

My original view of the Universe has shrunk a bit but I feel a little wiser. Thanks for all the effort to explain this.

Adam

----- Original Message -----
From: "Siddhartha Jain"
Sent: Friday, March 22, 2002 11:26 PM
Subject: Re: [vpn] Re: Two Factor Authentication, was PKI authentication with VPN

> No, you guys are not alone. I have been following the
> whole discussion with a lot of interest. But since I
> am a novice, I don't have much to add.
>
> From an abstract view, I agree with Kent's definition of
> two factor authentication where it's the VPN box which
> must be provided two passports (passwords or
> certificates or PINs) for authentication.
>
> Siddhartha
>
> --- Adam Safier wrote:
> > Kent,
> >
> > Seems like an awfully fine distinction. SecurID used to have a numeric key
> > pad card (I don't know if they still do) where you entered your PIN, it
> > generated a number and you entered only the number in the authentication
> > screen on the workstation. That would NOT be two factor by your definition
> > even though it used the ACE server. The more common (and cheaper) token
> > card without a key pad would qualify since you are sending the PIN and the
> > number.
> >
> > The access point gateway only gets one authentication "OK" from the ACE
> > server so I still have problems with this since where do you draw the line?
> > From my view point, the numeric key pad card and the > > smart card are still > > two-factor. You have to have the card and you have > > to know a password. > > > > I think it all comes down to definition. I have not > > followed the IETF > > lately to see if they defined it in any way in the > > "standards". It really > > does not matter that much in real life. The point is > > to get strong > > authentication that can be carried to many processes > > and applications. For > > that, the PKI / local password to smart card > > solution is OK. I like PKI / > > local bio authentication to smart card better > > (finger print never leaves the > > reader) but that is just coming around from the > > products I know. > > > > I'd love to see some opinions from the list but I > > have the feeling we're the > > only ones discussing this. > > > > I can't make the VPNcon but I hope you have lots of > > fun. > > > > Adam > > > > > > > > ----- Original Message ----- > > From: "Kent Dallas" > > To: "'Adam Safier'" ; > > > > Sent: Thursday, March 21, 2002 5:40 PM > > Subject: RE: Two Factor Authentication, was PKI > > authentication with VPN > > > > > > > Adam, > > > > > > RSA's SecurID is two-factor, since the gateway > > (with the ACE server > > > architecture) verifies both the one-time password > > and the PIN. While this > > > may sound like two passwords, the one-time > > password is established from > > the > > > token (or soft token, if so implemented). The > > fact that they are > > > transmitted together is irrelevent. And the fact > > that it is two-factor > > > doesn't mean that it is more secure than all > > single factor systems. 
> > > > > > I don't have alot of experience with CheckPoint > > VPN-1, but I think > > beginning > > > with v4.1, they supported "hybrid" authentication, > > which allows "legacy" > > > authentication mechanisms, such as RADIUS, > > TACACS+, and SecurID to be > > > combined with (or to replace) either pre-shared > > keys or digital > > > certificates. Perhaps someone with more > > experience with VPN1 can confirm > > or > > > refute. > > > > > > Adding username/password to your implementation > > would be an example of a > > > two-factor authentication system. The IPsec > > service I designed for > > > Intelispan (now McLeodUSA) utilized both digital > > certificates and > > > username/passwords, for another example. And > > there are plenty of others > > out > > > there as well. As you may have noticed from slide > > 20 on the L2TP > > > presentation, we even engineered a two-factor > > authentication solution with > > > an L2TP compulsory tunnel service (no IPsec). > > > > > > Sun operates an iPlanet forum at > > > > > > . > > > > > > Thanks for checking out the site. On May 14th, > > I'll be presenting > > > "Authentication Alternatives for Remote Access > > VPNs" at VPNcon > > > in San Jose. That presentation > > will be added to my site > > > shortly after the presentation. I'd hope you would > > have the chance to > > > attend. > > > > > > Regards, > > > Kent Dallas > > > > > > -----Original Message----- > > > From: Adam Safier [mailto:safieradam at hotmail.com] > > > Sent: Thursday, March 21, 2002 3:34 PM > > > To: kdallas at dalliesin.com; vpn at securityfocus.com > > > Subject: Re: Two Factor Authentication, was PKI > > authentication with VPN > > > - was Cisco VPN 3000 authentication mechanisms > > > > > > > > > Kent, > > > > > > Proper POLICIES and PRACTICES etc are absolutely > > necessary, as you stated. > > > By those policies the gateway does know what the > > user had to do. 
For > > > example, if the certificate is issued to the user > > at the time they are > > > handed the smart card and they cannot export the > > private key you know they > > > had to authenticate to access the card. > > > > > > User authentication, user side tools and policy at > > the time of certificate > > > issance is a key part of a PKI design and what > > makes smart cards qulify, > > at > > > least in my mind, as two-factor. That is why > > Santa Clause could get a > > free > > > certificate from Verisign when all they used was > > the email address. > > > Verisign stated clearly that this was weak since > > all you knew was that the > > > e-mail existed at the time. But it was a way to > > introduce certificates to > > > the public. You had to pay for more thorough > > registration processes. > > > Neither solution dealt with two-factor vs. single > > factor. They really did > > > not address where, how or by which browser the > > private key and certificate > > > were stored or exported, so it wasn't two-factor. > > > > > > By your definition RSA SecurID ACE systems would > > also be considered a > > single > > > factor system. Even though you have a token number > > and a pin you transmit > > > them together. They always market it as > > two-factor. I guess I swallowed > > > their line .. 8-) > > > > > > If those don't qualify as two-factor authtication, > > what would you use as > > > examples of real two-factor authentication in the > > production world? > > > > > > I'm working with Check Point VPN, iPlanet > > Certificate Manager and Datakey > > at > > > this time. Do you by any chance have a link to an > > iPlanet discussion > > > archive handy? > > > > > > BTW, I like your L2TP slide show. Nice site. > > > > > > Adam > > > > > > > > > > > > > VPN is sponsored by SecurityFocus.com > > > > __________________________________________________ > Do You Yahoo!? 
> Everything you'll ever need on one web page > from News and Sport to Email and Music Charts > http://uk.my.yahoo.com > > VPN is sponsored by SecurityFocus.com > > VPN is sponsored by SecurityFocus.com From tbird at precision-guesswork.com Mon Mar 25 19:13:02 2002 From: tbird at precision-guesswork.com (Tina Bird) Date: Mon, 25 Mar 2002 18:13:02 -0600 (CST) Subject: [vpn] IPsec filters on win2k Message-ID: SecurityFocus just published the first part of a two-part series on using IPsec filters to secure Win2k communications. I haven't read it, but their articles are usually quite good. http://online.securityfocus.com/infocus/1559 tbird Don't get even -- get odd. Swami Beyondananda Life: http://www.shmoo.com/~tbird Log Analysis: http://www.counterpane.com/log-analysis.html VPN: http://vpn.shmoo.com VPN is sponsored by SecurityFocus.com From phil at vpnlabs.org Tue Mar 26 18:46:14 2002 From: phil at vpnlabs.org (Phil McGarr) Date: Tue, 26 Mar 2002 15:46:14 -0800 Subject: [vpn] metrics for vpn sessions Message-ID: Greetings, I've been asked the following question: What metrics are companies using when the say "1,000 concurrent VPN tunnels?" This spawned some of my own questions: Is the number of concurrent tunnels possible limited by bandwidth to the VPN server rather than some algorithmic restriction? Are VPN companies arbitrarily restricting the number of tunnels so that they can sell upgraded versions when people need to allow more users onto their VPN network? Any help? tia, Phil Phil McGarr VPN Labs http://www.vpnlabs.org/ VPN is sponsored by SecurityFocus.com From cgripp at axcelerant.com Tue Mar 26 19:19:51 2002 From: cgripp at axcelerant.com (Christopher Gripp) Date: Tue, 26 Mar 2002 16:19:51 -0800 Subject: [vpn] metrics for vpn sessions Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4C56@guam.corp.axcelerant.com> The number of tunnels isn't necessarily limited by the bandwidth. 
However, as with ANY network service, bandwidth is going to impact the performance of those services.

Yes. Some VPN companies limit the # of tunnels, although I wouldn't necessarily say arbitrarily, so they can sell upgraded versions.

Christopher Gripp
Systems Engineer
Axcelerant

"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Phil McGarr [mailto:phil at vpnlabs.org]
> Sent: Tuesday, March 26, 2002 3:46 PM
> To: vpn at securityfocus.com
> Subject: [vpn] metrics for vpn sessions
>
> Greetings,
>
> I've been asked the following question:
> What metrics are companies using when they say "1,000 concurrent VPN
> tunnels?"
>
> This spawned some of my own questions:
> Is the number of concurrent tunnels possible limited by
> bandwidth to the VPN
> server rather than some algorithmic restriction?
> Are VPN companies arbitrarily restricting the number of
> tunnels so that they
> can sell upgraded versions when people need to allow more
> users onto their
> VPN network?
>
> Any help?
>
> tia,
>
> Phil
>
> Phil McGarr
> VPN Labs
> http://www.vpnlabs.org/

From sandy at storm.ca Tue Mar 26 22:15:55 2002
From: sandy at storm.ca (Sandy Harris)
Date: Tue, 26 Mar 2002 19:15:55 -0800
Subject: [vpn] metrics for vpn sessions
References:
Message-ID: <3CA1396B.5E36AAE6@storm.ca>

Phil McGarr wrote:
>
> Greetings,
>
> I've been asked the following question:
> What metrics are companies using when they say "1,000 concurrent VPN
> tunnels?"
>
> This spawned some of my own questions:
> Is the number of concurrent tunnels possible limited by bandwidth to the VPN
> server rather than some algorithmic restriction?
> Are VPN companies arbitrarily restricting the number of tunnels so that they
> can sell upgraded versions when people need to allow more users onto their
> VPN network?
>

I'm not sure it'll be much help, but there's some related info and a bunch of links at:

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Ask off-list and I can send you a more current version. The only important change is a link to some user benchmarks indicating that replacing 3DES with AES roughly doubles IPsec throughput. These are preliminary results; we don't yet have enough data to be precise or confident about this.

From ryan at securityfocus.com Tue Mar 26 19:23:32 2002
From: ryan at securityfocus.com (Ryan Russell)
Date: Tue, 26 Mar 2002 17:23:32 -0700 (MST)
Subject: [vpn] metrics for vpn sessions
In-Reply-To:
Message-ID:

On Tue, 26 Mar 2002, Phil McGarr wrote:

> Is the number of concurrent tunnels possible limited by bandwidth to the VPN
> server rather than some algorithmic restriction?

Bandwidth will certainly play a factor. 1000 modem-speed tunnels might not be too hard to keep up with. (40kbps * 1000 = 40Mbps.) However, if you're talking about people with home DSL links, that's another matter. (512kbps * 1000 = 512Mbps.) Given typical ratios for how many employees you have vs. how many will want to be connected at any one time (about 10:1 or less in my experience) you have to have lots of users to be able to use 1000 connections simultaneously.

> Are VPN companies arbitrarily restricting the number of tunnels so that they
> can sell upgraded versions when people need to allow more users onto their
> VPN network?

I rather doubt it. Even the 1000 modem users generate a fair bit of traffic. I'd tend to assume it is a hardware limitation, which you would probably solve with multiple gateways in parallel. Not to mention you'll need some serious Internet links to back it up.
Ryan

From phil at vpnlabs.org Tue Mar 26 20:11:04 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Tue, 26 Mar 2002 17:11:04 -0800
Subject: [vpn] metrics for vpn sessions
In-Reply-To: <3CA1396B.5E36AAE6@storm.ca>
Message-ID:

Sandy,

I'm very interested, along with our readers ;>, to learn about the possibility of doubling throughput by running AES rather than 3DES. If you have more resources I'd really like to take a look at them.

thanks,

Phil

Phil McGarr
VPN Labs
http://www.vpnlabs.org/

-----Original Message-----
From: Sandy Harris [mailto:sandy at storm.ca]
Sent: Tuesday, March 26, 2002 7:16 PM
To: Phil McGarr
Cc: vpn at securityfocus.com
Subject: Re: [vpn] metrics for vpn sessions

Phil McGarr wrote:
>
> Greetings,
>
> I've been asked the following question:
> What metrics are companies using when they say "1,000 concurrent VPN
> tunnels?"
>
> This spawned some of my own questions:
> Is the number of concurrent tunnels possible limited by bandwidth to the VPN
> server rather than some algorithmic restriction?
> Are VPN companies arbitrarily restricting the number of tunnels so that they
> can sell upgraded versions when people need to allow more users onto their
> VPN network?
>

I'm not sure it'll be much help, but there's some related info and a bunch of links at:

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Ask off-list and I can send you a more current version. The only important change is a link to some user benchmarks indicating that replacing 3DES with AES roughly doubles IPsec throughput. These are preliminary results; we don't yet have enough data to be precise or confident about this.
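The "AES roughly doubles throughput" claim Sandy quotes above, and the explanation Ryan Malayter gives later in this thread (DES was designed for hardware and is slow in software, AES for 32-bit CPUs), both reduce to one measurable number: how many bits per second a host pushes through each cipher in software. The following is an added example, not code from the list or from FreeS/WAN: a Go program that times AES-128-CBC against 3DES-CBC over ESP-sized packets using Go's standard-library ciphers. The 1408-byte packet size, the fixed test keys and the counter IV are assumptions made for the benchmark. It measures only the cipher, not IKE, the HMAC or kernel packet handling, so a gateway with a DES accelerator or one that is link-bound (Malayter's second point) will not see this ratio.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
	"time"
)

// packetSize is an assumed ESP payload size: 1408 bytes is a multiple of both
// the 8-byte DES block and the 16-byte AES block, as ESP padding would make it.
const packetSize = 1408

// newBlock builds the block cipher for the named algorithm. Key lengths:
// 16 bytes for AES-128, 24 bytes for three-key 3DES.
func newBlock(name string, key []byte) (cipher.Block, error) {
	switch name {
	case "aes":
		return aes.NewCipher(key)
	case "3des":
		return des.NewTripleDESCipher(key)
	}
	return nil, fmt.Errorf("unknown cipher %q", name)
}

// encryptPackets CBC-encrypts each packet under its own IV, as ESP does.
// The IV is a packet counter rather than random bytes so the benchmark
// measures cipher cost, not the random number generator.
func encryptPackets(block cipher.Block, packets [][]byte) [][]byte {
	iv := make([]byte, block.BlockSize())
	out := make([][]byte, len(packets))
	for i, p := range packets {
		binary.BigEndian.PutUint64(iv[:8], uint64(i+1))
		ct := make([]byte, len(p))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, p)
		out[i] = ct
	}
	return out
}

// decryptPacket reverses one packet given its counter IV, to prove the
// benchmark encrypts real data rather than short-circuiting.
func decryptPacket(block cipher.Block, index int, ct []byte) []byte {
	iv := make([]byte, block.BlockSize())
	binary.BigEndian.PutUint64(iv[:8], uint64(index+1))
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt
}

// roundTrip checks that encrypt-then-decrypt returns a sample packet unchanged
// and that the ciphertext differs from the plaintext.
func roundTrip(block cipher.Block) bool {
	pt := bytes.Repeat([]byte("VPN test payload"), packetSize/16)
	ct := encryptPackets(block, [][]byte{pt})[0]
	return !bytes.Equal(ct, pt) && bytes.Equal(decryptPacket(block, 0, ct), pt)
}

// throughputMbps encrypts totalBytes worth of packets and returns Mbit/s.
func throughputMbps(block cipher.Block, totalBytes int) float64 {
	n := totalBytes / packetSize
	packets := make([][]byte, n)
	for i := range packets {
		packets[i] = make([]byte, packetSize)
	}
	start := time.Now()
	encryptPackets(block, packets)
	elapsed := time.Since(start).Seconds()
	return float64(n*packetSize) * 8 / 1e6 / elapsed
}

func main() {
	aesKey := []byte("0123456789abcdef")          // 16-byte AES-128 test key
	tdesKey := []byte("0123456789abcdef01234567") // 24-byte 3DES test key
	for _, c := range []struct {
		name string
		key  []byte
	}{{"aes", aesKey}, {"3des", tdesKey}} {
		block, err := newBlock(c.name, c.key)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s round-trip ok=%v  %.0f Mbit/s over 32 MiB\n",
			c.name, roundTrip(block), throughputMbps(block, 32<<20))
	}
}
```

Run it on the box that will terminate the tunnels; the ratio, not the absolute figure, is what transfers to an IPsec stack, since the per-packet overheads it leaves out are the same for both ciphers. On a CPU with AES instructions the gap is far larger than 2:1.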
From phil at vpnlabs.org Tue Mar 26 20:35:38 2002
From: phil at vpnlabs.org (Phil McGarr)
Date: Tue, 26 Mar 2002 17:35:38 -0800
Subject: [vpn] metrics for vpn sessions
In-Reply-To: <4EBB5C35607E7F48B4AE162D956666EF7D4C57@guam.corp.axcelerant.com>
Message-ID:

Christopher,

Thanks for the clarification! So would it be correct to say that the number of concurrent sessions (2 tunnels) is primarily a matter of bandwidth and RAM and secondly a matter of encryption processing power?

My goal is to get the primary metrics that users should be aware of when choosing a VPN solution. What is going to be the bottleneck that's going to restrict the number of simultaneous users?

cheers,

Phil

Phil McGarr
VPN Labs
http://www.vpnlabs.org/

Another point I forgot to mention is the definition of the term 'tunnel'. A year or two ago I would see vendors refer to this but it was misleading because each VPN Endpoint is comprised of 2 such 'tunnels'. 1 for Key Exchange and 1 for the encrypted data stream. So when XYZ vendor would say 10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.

The other thing I see is 'users'. This is actually a limit on the number of IP addresses that can concurrently have sessions through the VPN device. A perfect example is the NetScreen 5XP. It is limited to 10 IP's. However, for an additional sum of money you can unlock that feature and get what they call an ELITE license.

Generally speaking though the limit on SA's, TCP/UDP sessions, policy numbers, routes, etc are memory issues.

Christopher Gripp
Systems Engineer
Axcelerant

"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Christopher Gripp
> Sent: Tuesday, March 26, 2002 4:20 PM
> To: Phil McGarr; vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions
>
> The number of tunnels isn't necessarily limited by the
> bandwidth. However, as with ANY network service, bandwidth
> is going to impact the performance of those services.
>
> Yes. Some VPN companies limit the # of tunnels, although I
> wouldn't necessarily say arbitrarily, so they can sell
> upgraded versions.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name for ignorance." G.K. Chesterton
>
> > -----Original Message-----
> > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > Sent: Tuesday, March 26, 2002 3:46 PM
> > To: vpn at securityfocus.com
> > Subject: [vpn] metrics for vpn sessions
> >
> > Greetings,
> >
> > I've been asked the following question:
> > What metrics are companies using when they say "1,000 concurrent VPN
> > tunnels?"
> >
> > This spawned some of my own questions:
> > Is the number of concurrent tunnels possible limited by
> > bandwidth to the VPN
> > server rather than some algorithmic restriction?
> > Are VPN companies arbitrarily restricting the number of
> > tunnels so that they
> > can sell upgraded versions when people need to allow more
> > users onto their
> > VPN network?
> >
> > Any help?
> >
> > tia,
> >
> > Phil
> >
> > Phil McGarr
> > VPN Labs
> > http://www.vpnlabs.org/

From cgripp at axcelerant.com Tue Mar 26 20:18:48 2002
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 26 Mar 2002 17:18:48 -0800
Subject: [vpn] metrics for vpn sessions
Message-ID: <4EBB5C35607E7F48B4AE162D956666EF7D4C57@guam.corp.axcelerant.com>

Another point I forgot to mention is the definition of the term 'tunnel'. A year or two ago I would see vendors refer to this but it was misleading because each VPN Endpoint is comprised of 2 such 'tunnels'. 1 for Key Exchange and 1 for the encrypted data stream. So when XYZ vendor would say 10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.

The other thing I see is 'users'. This is actually a limit on the number of IP addresses that can concurrently have sessions through the VPN device. A perfect example is the NetScreen 5XP. It is limited to 10 IP's. However, for an additional sum of money you can unlock that feature and get what they call an ELITE license.

Generally speaking though the limit on SA's, TCP/UDP sessions, policy numbers, routes, etc are memory issues.

Christopher Gripp
Systems Engineer
Axcelerant

"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Christopher Gripp
> Sent: Tuesday, March 26, 2002 4:20 PM
> To: Phil McGarr; vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions
>
> The number of tunnels isn't necessarily limited by the
> bandwidth. However, as with ANY network service, bandwidth
> is going to impact the performance of those services.
>
> Yes. Some VPN companies limit the # of tunnels, although I
> wouldn't necessarily say arbitrarily, so they can sell
> upgraded versions.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name for ignorance." G.K. Chesterton
>
> > -----Original Message-----
> > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > Sent: Tuesday, March 26, 2002 3:46 PM
> > To: vpn at securityfocus.com
> > Subject: [vpn] metrics for vpn sessions
> >
> > Greetings,
> >
> > I've been asked the following question:
> > What metrics are companies using when they say "1,000 concurrent VPN
> > tunnels?"
> >
> > This spawned some of my own questions:
> > Is the number of concurrent tunnels possible limited by
> > bandwidth to the VPN
> > server rather than some algorithmic restriction?
> > Are VPN companies arbitrarily restricting the number of
> > tunnels so that they
> > can sell upgraded versions when people need to allow more
> > users onto their
> > VPN network?
> >
> > Any help?
> >
> > tia,
> >
> > Phil
> >
> > Phil McGarr
> > VPN Labs
> > http://www.vpnlabs.org/

From cgripp at axcelerant.com Tue Mar 26 22:16:42 2002
From: cgripp at axcelerant.com (Christopher Gripp)
Date: Tue, 26 Mar 2002 19:16:42 -0800
Subject: [vpn] metrics for vpn sessions
Message-ID: <4EBB5C35607E7F48B4AE162D956666EFBE2725@guam.corp.axcelerant.com>

Because there is more than one way to skin the proverbial cat it is difficult to make a blanket statement regarding what the bottleneck will be. All of the items you listed can become a severe bottleneck in the right environment.

A couple of thoughts:

In my humble opinion bandwidth is probably the easiest to alleviate due to its availability and the minimal impact to the VPN if a circuit change is needed. Other than PC based VPN solutions I don't know of any that can have their memory or their processors easily upgraded.

As an example of why I don't think encryption processing is secondary, I have tested various products and have seen latencies vary by up to 20ms between boxes for the same algorithms.

I often see memory limitations affect the # of policies one can build out, the number of routes one can enter, the number of networks that can be defined, etc.

Christopher S. Gripp
Systems Engineer
Axcelerant

-----Original Message-----
From: Phil McGarr [mailto:phil at vpnlabs.org]
Sent: Tuesday, March 26, 2002 5:36 PM
To: vpn at securityfocus.com
Subject: RE: [vpn] metrics for vpn sessions

Christopher,

Thanks for the clarification! So would it be correct to say that the number of concurrent sessions (2 tunnels) is primarily a matter of bandwidth and RAM and secondly a matter of encryption processing power?

My goal is to get the primary metrics that users should be aware of when choosing a VPN solution. What is going to be the bottleneck that's going to restrict the number of simultaneous users?

cheers,

Phil

Phil McGarr
VPN Labs
http://www.vpnlabs.org/

Another point I forgot to mention is the definition of the term 'tunnel'. A year or two ago I would see vendors refer to this but it was misleading because each VPN Endpoint is comprised of 2 such 'tunnels'. 1 for Key Exchange and 1 for the encrypted data stream. So when XYZ vendor would say 10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.

The other thing I see is 'users'. This is actually a limit on the number of IP addresses that can concurrently have sessions through the VPN device. A perfect example is the NetScreen 5XP. It is limited to 10 IP's. However, for an additional sum of money you can unlock that feature and get what they call an ELITE license.

Generally speaking though the limit on SA's, TCP/UDP sessions, policy numbers, routes, etc are memory issues.

Christopher Gripp
Systems Engineer
Axcelerant

"Impartiality is a pompous name for indifference, which is an elegant name for ignorance." G.K. Chesterton

> -----Original Message-----
> From: Christopher Gripp
> Sent: Tuesday, March 26, 2002 4:20 PM
> To: Phil McGarr; vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions
>
> The number of tunnels isn't necessarily limited by the
> bandwidth. However, as with ANY network service, bandwidth
> is going to impact the performance of those services.
>
> Yes. Some VPN companies limit the # of tunnels, although I
> wouldn't necessarily say arbitrarily, so they can sell
> upgraded versions.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name for ignorance." G.K. Chesterton
>
> > -----Original Message-----
> > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > Sent: Tuesday, March 26, 2002 3:46 PM
> > To: vpn at securityfocus.com
> > Subject: [vpn] metrics for vpn sessions
> >
> > Greetings,
> >
> > I've been asked the following question:
> > What metrics are companies using when they say "1,000 concurrent VPN
> > tunnels?"
> >
> > This spawned some of my own questions:
> > Is the number of concurrent tunnels possible limited by
> > bandwidth to the VPN
> > server rather than some algorithmic restriction?
> > Are VPN companies arbitrarily restricting the number of
> > tunnels so that they
> > can sell upgraded versions when people need to allow more
> > users onto their
> > VPN network?
> >
> > Any help?
> >
> > tia,
> >
> > Phil
> >
> > Phil McGarr
> > VPN Labs
> > http://www.vpnlabs.org/

From rburrell at countrygrocer.com Wed Mar 27 01:24:10 2002
From: rburrell at countrygrocer.com (Richard Burrell)
Date: Tue, 26 Mar 2002 22:24:10 -0800
Subject: [vpn] PPTP connections WinNT
Message-ID: <000d01c1d558$027efe80$5701a8c0@mshome.net>

I have been perusing the postings to this group for a while and have enjoyed the technical issues that flow through it. What I now have is a seemingly simpler question.

I have been successfully running a simple VPN (combination of dial up and LAN-to-LAN) on an NT box for a while now, but I need to open up the number of simultaneous PPTP sessions that run on the NT box. The Barricade router that I have in front of the NT box that clients connect to I have discovered is only capable of handling one PPTP session per server at a time (8 total sessions so long as they are to different servers). Does anyone know why that is? If it is a routing limitation in general is there an easy way around the problem? Are there routers out there that are capable of handling multiple connections to the same server at the same time?

Thanks.

Richard Burrell
Country Grocer
Victoria, BC, Canada

From Stephen.Hope at energis.com Wed Mar 27 08:13:31 2002
From: Stephen.Hope at energis.com (Stephen Hope)
Date: Wed, 27 Mar 2002 13:13:31 -0000
Subject: [vpn] metrics for vpn sessions
Message-ID: <73BE32DA9E55D511ACF30050BAEA048702A8E719@eisemail.energis.co.uk>

Phil,

I suspect the answer is still "it depends". You should design to the throughput and simultaneous user limits you need, and size box and Internet feed to suit - if you are lucky you will even have some numbers!
There is no intrinsic limit to the minimum bandwidth used per user or tunnel - broadband users may be able to hit 1 Mbps instantaneous throughput, but since most broadband systems have 50:1 contention ratios built in, the average is likely to be much less. BTW - campus networks have similar design contention ratios, so this isn't really a remote access specific constraint.

If you are using a hardware encryption engine of some sort, then they typically have 2 separate sets of limits - CPU + throughput as "performance", and memory tables etc for each "context" - which equates to tunnels or user limits. Often hardware accelerators use unusual versions of memory (which equals expensive), or have memory built into an ASIC, so this can be a limited resource that cannot be expanded. Software based encryption should have less stringent limits on memory, so CPU performance dominates.

Both limits may be increased by adding hardware - either rack and stack the boxes (which may be much easier if there are load balancing hooks in the box), or by allowing multiple hardware encryption engines in a box. Often you get to choose - i.e. in the Cisco VPN 3000 range you can get a software only box, or 1 which can take up to 4 hardware encryptors, with 0, 1, 2, or 3 fitted.

regards

Stephen

Stephen Hope C. Eng, Senior Network Consultant, stephen.hope at energis.com, Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)780 002 2626 Fax: +44 (0)161 776 4189

> -----Original Message-----
> From: Phil McGarr [mailto:phil at vpnlabs.org]
> Sent: Wednesday, March 27, 2002 1:36 AM
> To: vpn at securityfocus.com
> Subject: RE: [vpn] metrics for vpn sessions
>
> Christopher,
>
> Thanks for the clarification! So would it be correct to say
> that the number
> of concurrent sessions (2 tunnels) is primarily a matter of
> bandwidth and
> RAM and secondly a matter of encryption processing power?
>
> My goal is to get the primary metrics that users should be
> aware of when
> choosing a VPN solution. What is going to be the bottleneck
> that's going to
> restrict the number of simultaneous users?
>
> cheers,
>
> Phil
>
> Phil McGarr
> VPN Labs
> http://www.vpnlabs.org/
>
> Another point I forgot to mention is the definition of the
> term 'tunnel'. A
> year or two ago I would see vendors refer to this but it was
> misleading
> because each VPN Endpoint is comprised of 2 such 'tunnels'. 1 for Key
> Exchange and 1 for the encrypted data stream. So when XYZ
> vendor would say
> 10,000 simultaneous tunnels it was in reality 5000 VPN endpoints.
>
> The other thing I see is 'users'. This is actually a limit
> on the number of
> IP addresses that can concurrently have sessions through the
> VPN device. A
> perfect example is the NetScreen 5XP. It is limited to 10
> IP's. However,
> for an additional sum of money you can unlock that feature
> and get what they
> call an ELITE license.
>
> Generally speaking though the limit on SA's, TCP/UDP sessions, policy
> numbers, routes, etc are memory issues.
>
> Christopher Gripp
> Systems Engineer
> Axcelerant
>
> "Impartiality is a pompous name for indifference, which is an
> elegant name
> for ignorance." G.K. Chesterton
>
> > -----Original Message-----
> > From: Christopher Gripp
> > Sent: Tuesday, March 26, 2002 4:20 PM
> > To: Phil McGarr; vpn at securityfocus.com
> > Subject: RE: [vpn] metrics for vpn sessions
> >
> > The number of tunnels isn't necessarily limited by the
> > bandwidth. However, as with ANY network service, bandwidth
> > is going to impact the performance of those services.
> >
> > Yes. Some VPN companies limit the # of tunnels, although I
> > wouldn't necessarily say arbitrarily, so they can sell
> > upgraded versions.
> >
> > Christopher Gripp
> > Systems Engineer
> > Axcelerant
> >
> > "Impartiality is a pompous name for indifference, which is an
> > elegant name for ignorance." G.K. Chesterton
> >
> > > -----Original Message-----
> > > From: Phil McGarr [mailto:phil at vpnlabs.org]
> > > Sent: Tuesday, March 26, 2002 3:46 PM
> > > To: vpn at securityfocus.com
> > > Subject: [vpn] metrics for vpn sessions
> > >
> > > Greetings,
> > >
> > > I've been asked the following question:
> > > What metrics are companies using when they say "1,000
> concurrent VPN
> > > tunnels?"
> > >
> > > This spawned some of my own questions:
> > > Is the number of concurrent tunnels possible limited by
> > > bandwidth to the VPN
> > > server rather than some algorithmic restriction?
> > > Are VPN companies arbitrarily restricting the number of
> > > tunnels so that they
> > > can sell upgraded versions when people need to allow more
> > > users onto their
> > > VPN network?
> > >
> > > Any help?
> > >
> > > tia,
> > >
> > > Phil
> > >
> > > Phil McGarr
> > > VPN Labs
> > > http://www.vpnlabs.org/

This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471. This e-mail is confidential to the addressee and may be privileged. The views expressed are personal and do not necessarily reflect those of Energis. If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
From rmalayter at bai.org Wed Mar 27 13:31:30 2002
From: rmalayter at bai.org (Ryan Malayter)
Date: Wed, 27 Mar 2002 12:31:30 -0600
Subject: [vpn] metrics for vpn sessions
Message-ID: <22FD1855C2B16C40A1F6DE406420021E0187F8F1@mail.bai.org>

AES was designed from the start to run efficiently on 32-bit and 64-bit processors. DES (and hence 3DES) was designed initially to run in specialized hardware, and the algorithm is quite slow in software when compared with most new block cipher algorithms. So AES *can* improve VPN throughput, because encryption and decryption happen faster on the same hardware.

Of course, many newer VPN devices have very fast processors, or specialized DES hardware to assist in handling encryption/decryption. For these devices, network bandwidth is normally the bottleneck issue, not encryption processing time. A switch to AES would present little benefit for VPN performance on these devices.

Plus, the jury is still out, cryptographically speaking, on AES. While the algorithm has been scrutinized thoroughly as part of the selection process, and is based on well-known block cipher design principles, it hasn't had its security analyzed by cryptographers for more than 20 years like DES. A (very) conservative security administrator would probably wait for a few more years of cryptographic research before implementing AES on production systems.

Regards,
-ryan-

-----Original Message-----
From: Phil McGarr [mailto:phil at vpnlabs.org]
Sent: Tuesday, March 26, 2002 7:11 PM
To: Sandy Harris
Cc: vpn at securityfocus.com
Subject: RE: [vpn] metrics for vpn sessions

Sandy,

I'm very interested, along with our readers ;>, to learn about the possibility of doubling throughput by running AES rather than 3DES. If you have more resources I'd really like to take a look at them.

thanks,

Phil

Phil McGarr
VPN Labs
http://www.vpnlabs.org/

-----Original Message-----
From: Sandy Harris [mailto:sandy at storm.ca]
Sent: Tuesday, March 26, 2002 7:16 PM
To: Phil McGarr
Cc: vpn at securityfocus.com
Subject: Re: [vpn] metrics for vpn sessions

Phil McGarr wrote:
>
> Greetings,
>
> I've been asked the following question:
> What metrics are companies using when they say "1,000 concurrent VPN
> tunnels?"
>
> This spawned some of my own questions:
> Is the number of concurrent tunnels possible limited by bandwidth to the VPN
> server rather than some algorithmic restriction?
> Are VPN companies arbitrarily restricting the number of tunnels so that they
> can sell upgraded versions when people need to allow more users onto their
> VPN network?
>

I'm not sure it'll be much help, but there's some related info and a bunch of links at:

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Ask off-list and I can send you a more current version. The only important change is a link to some user benchmarks indicating that replacing 3DES with AES roughly doubles IPsec throughput. These are preliminary results; we don't yet have enough data to be precise or confident about this.

From losttoy2000 at yahoo.co.uk Thu Mar 28 06:57:20 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 28 Mar 2002 11:57:20 +0000 (GMT)
Subject: [vpn] Using PKI certificates with VPN
Message-ID: <20020328115720.58741.qmail@web12703.mail.yahoo.com>

Hi,

If I use certificate based authentication for Cisco VPN 3000, how can I go about managing the client side certificates? Assuming I don't use any kind of tokens or certificate store to store the certificates .... can I statically stick the certificates to Cisco VPN client?

Regards,

Siddhartha
From admin at ur.nl Thu Mar 28 04:54:56 2002
From: admin at ur.nl (Systems Administration)
Date: Thu, 28 Mar 2002 10:54:56 +0100
Subject: [vpn] IPSec Hardware Recommendations?
Message-ID:

Hi all,

I am looking for some recommendations regarding hardware based VPN gateways for branch offices and telecommuters. Stability, interoperability and performance are more important than price. Central nodes will either be FreeS/WAN on Linux or hardware. I've already looked at Cisco and SonicWALL appliances, what else should I look at?

Thanks!

Jonathan

From losttoy2000 at yahoo.co.uk Thu Mar 28 06:45:12 2002
From: losttoy2000 at yahoo.co.uk (Siddhartha Jain)
Date: Thu, 28 Mar 2002 11:45:12 +0000 (GMT)
Subject: [vpn] tokens for vpn authentication
Message-ID: <20020328114512.90193.qmail@web12706.mail.yahoo.com>

Hi,

I was looking for two-factor authentication mechanisms to integrate with Cisco's VPN box and PKI infrastructure. I came across eAladdin's etoken which can store digital certificates. Any other products which can do the same? RSA's Token does not store digital certificates but can be used to protect a digital certificate store. But that would be cumbersome having a Certificate server, a directory server, a RSA/ACE server and then tokens.

eAladdin's solution looks good as it can store the certificates on the token itself, so I would require only a certificate server and a directory server along with the USB etoken.

Any price comparisons would also be good.

Regards,

Siddhartha
From johan.meire at rug.ac.be Thu Mar 28 12:52:21 2002
From: johan.meire at rug.ac.be (meiremania.com)
Date: Thu, 28 Mar 2002 18:52:21 +0100
Subject: [vpn] certificates
Message-ID: <006801c1d681$4fdf6410$01000001@saddam>

Hello all,

I'm implementing a VPN solution for about 40 users so they could play road warrior from home. I'm testing Freeswan at the moment but I'm still in doubt on which authentication mechanism to use. Somebody advised x.509 certificates to me, but I'm still not sure. What interests me most is to reduce the user-management for the sysadmin, so I wonder what are all the pros and cons of the different authentication methods.

anyone ?

greetz

Johan

From sandy at storm.ca Thu Mar 28 15:40:37 2002
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 28 Mar 2002 12:40:37 -0800
Subject: [vpn] IPSec Hardware Recommendations?
References:
Message-ID: <3CA37FC5.E58916BD@storm.ca>

Systems Administration wrote:
>
> Hi all,
>
> I am looking for some recommendations regarding hardware based VPN
> gateways ... Central nodes will either be
> FreeS/WAN on Linux or hardware.

People using FreeS/WAN in such products:

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/intro.html#turnkey

From sandy at storm.ca Thu Mar 28 16:52:39 2002
From: sandy at storm.ca (Sandy Harris)
Date: Thu, 28 Mar 2002 13:52:39 -0800
Subject: [vpn] certificates
References: <006801c1d681$4fdf6410$01000001@saddam>
Message-ID: <3CA390A7.1C97903@storm.ca>

"meiremania.com" wrote:
>
> Hello all,
>
> I'm implementing a VPN solution for about 40 users so they could play road
> warrior from home.
> I'm testing Freeswan at the moment

AT&T Research do this for several hundred users, with a dedicated company-supplied gateway (which they call a "moat") added to each home network. They just use raw RSA keys. See the "Moats" paper at:

http://www.quintillion.com/fdis/moat/

> but I'm still in doubt
> on which authentication mechanism to use. Somebody advised x.509
> certificates to me, but I'm still not sure. What interests me most is to
> reduce the user-management for the sysadmin, so I wonder what are all the
> pros and cons of the different authentication methods.

I'd say just using raw RSA keys is clearly simpler if you have FreeS/WAN on both ends. X.509 is a patch, not part of the standard FreeS/WAN distribution, and it's not clear that it buys you a lot.

On the other hand, you might want the X.509 stuff if you have a corporate PKI using X.509 certs in play, or if you need to interoperate with some other IPsec that uses certs. Also, you may not need to patch if you're using some Linux like SuSE that ships with FreeS/WAN and the X.509 patch included.

From carlsonmail at yahoo.com Thu Mar 28 14:03:49 2002
From: carlsonmail at yahoo.com (Chris Carlson)
Date: Thu, 28 Mar 2002 11:03:49 -0800 (PST)
Subject: [vpn] tokens for vpn authentication
In-Reply-To: <20020328114512.90193.qmail@web12706.mail.yahoo.com>
Message-ID: <20020328190349.69581.qmail@web13901.mail.yahoo.com>

There's a few out there:

- RSA makes a product called KEON which is a smart card
- any smart card that the Cisco VPN client supports
- Rainbow Technologies iKey

One-time tokens like SecurID oftentimes are used as a complementary authentication method to digital certificates. Even if you have a smart card or iKey, there's usually just a static password to enable the certificate, hardly secure in most cases.

From a support point of view, once you physically give something to your users, be prepared for overnight shipping returns, etc.
for lost or broken devices. Here's an article on USB tokens: http://www.nwfusion.com/news/2002/0315usbsec.html Good luck! Chris -- --- Siddhartha Jain wrote: > Hi, > > I was looking for two-factor authentication > mechanisms > to integrate with Cisco's VPN box and PKI > infrastructure. I came across eAladdin's etoken > which > can store digital certificates. Any other products > which can do the same? RSA's Token does not store > digital certificates but can be used to protect a > digital certificate store. But that would be > cumbersome having a Certificate server, a directory > server, a RSA/ACE server and then tokens. > > eAladdin's solution looks good as it can store the > certificates on the token itself, so i would require > only a certificate server and a directory server > alongwith the USB etoken. > > Any price comparisions would also be good. > > Regards, > > Siddhartha > > > __________________________________________________ > Do You Yahoo!? > Everything you'll ever need on one web page > from News and Sport to Email and Music Charts > http://uk.my.yahoo.com > > VPN is sponsored by SecurityFocus.com > __________________________________________________ Do You Yahoo!? Yahoo! Movies - coverage of the 74th Academy Awards? http://movies.yahoo.com/ VPN is sponsored by SecurityFocus.com From rtwatson at qwest.net Sat Mar 30 21:12:46 2002 From: rtwatson at qwest.net (Travis Watson) Date: Sat, 30 Mar 2002 19:12:46 -0700 Subject: [vpn] certificates In-Reply-To: <006801c1d681$4fdf6410$01000001@saddam> Message-ID: Johan, This was a rather large topic just recently in this room and you would be wise to read it (in case you haven't), but I would recommend a Nokia cc500. You can make yourself an internal CA and distribute certificates with it to client users. If your company decides to use smart cards, so be it (but I doubt that they will want to pay for it). FreeS/WAN is great for b-b's, but is still lacking in client use due to corporate addiction to MS. 
Just a personal opinion and, admittedly, I don't know a whole lot about it from the client side (though I love it as a b-b solution). You can get a Nokia cc500--with support--for $1500US from a decent reseller. With a client base of 40, that's less than $40US/head for however long it lasts and can grow out to, approximately, 500 users. That seems preferable to trying to develop a FreeS/WAN solution that is to be sent out to a bunch of shaky-hand users just trying to read their email on a variety of MS platforms (assuming that is the case). You could take a look at a Nokia IP120 running checkpoint VPN-1 NG as well. It will cost more money--to be sure--but it sets up nicely, you can't get fired for trying to recommend it, and the client software (for a fee--list $40US/person) comes with an integrated firewall. You can also set yourself up as an internal CA and issue certs with it to client users. Especially given your concerns about trying to minimize admin work/knowledge/responsibility, I would go with a different solution other than FreeS/WAN unless your end users are rather tech savvy. Regards, Travis -----Original Message----- From: meiremania.com [mailto:johan.meire at rug.ac.be] Sent: Thursday, March 28, 2002 10:52 AM To: vpn at securityfocus.com Subject: [vpn] certificates Hello all, I'm implementing a vpn-soluition for about 40 users so they could play road warrior from home. I'm testing Freeswan at the moment but I'm still in doubt on which authentication mechanism to use. Somebody advised x.509 certificates to me, but I'm still not sure. What does interestme most is to reduce the user-management for the sysadmin, so I wonder what are all the pro's and contra's of the different authentication methods. anyone ? 
greetz Johan VPN is sponsored by SecurityFocus.com VPN is sponsored by SecurityFocus.com From Daltuhn at cox.net Sat Mar 30 23:20:19 2002 From: Daltuhn at cox.net (Daltuhn) Date: Sat, 30 Mar 2002 23:20:19 -0500 Subject: [vpn] Fw: troublesome vpn and amateur techie Message-ID: <007001c1d86b$5e2ea4e0$68050a44@hr.cox.net> ----- Original Message ----- From: "Tina Bird" To: "Daltuhn" Sent: Tuesday, February 19, 2002 11:14 PM Subject: Re: troublesome vpn and amateur techie > pls send to vpn at securityfocus.com > > On Tue, 19 Feb 2002, Daltuhn wrote: > > > Hi, > > Thanks for taking time to read this. I hope you might have an article to send in response. I have a computer running Win2K Advanced Server. My server has two NIC's. One NIC is connected directly to a cable modem. This is my COX internet connection. I wish to utilize a hub and the second NIC to create a VPN between this computer and a Win98 computer in a remote location. The Win98 computer has two NIC's. ONe of the NIC's is also connected to cable modem using COX internet services. Idealy, each location could access the other and run applications off of the other in a secure manner. Also, the second NIC should retain its internet configurations and be able to access the internet. So, each end has 1 computer, 1 hub, 1 cable modem, and 2 NIC's. Is my VPN/internet scheme possible/difficult? If so , HOW? Again, thanks for nay response. But please make sure nay how-to is a concise walk through so i do not have to ever bug you again. > > > > Many Thanks, > > > > DALTON > > > VPN is sponsored by SecurityFocus.com