RE: UDP port 500 traffic from two clients

From: Greg A. Woods (woodsat_private)
Date: Mon Jan 28 2002 - 16:23:15 PST


    [ On Monday, January 28, 2002 at 23:33:27 (+0200), Toni Heinonen wrote: ]
    > Subject: RE: UDP port 500 traffic from two clients
    >
    > In 99 % of these cases there is absolutely nothing malicious about the
    > traffic.
    
    Very true.
    
    > You know, IPSec isn't used only for VPN? As a matter of fact,
    > you can (as many people have done) configure your Windows 2000 to
    > encrypt ABSOLUTELY ALL traffic.
    
    But that's not quite true -- or rather it's a bit off kilter, at least
    the way I read it.  As I'm sure you know a "VPN" is a "virtual private
    network", i.e. a network on top of another network through which all
    data transmitted in it will be kept private (usually by encrypting it
    and by ensuring it's safe from tampering).  IPSec is simply one
    standardised (and thus interoperable) way of implementing virtual
    private networks.  (IPSec doesn't have to implement the "private" part
    though -- it can also implement a secure virtual network which does not
    encrypt the data.)
    
    SSH plus some IP tunnelling protocol can also implement a VPN.  SSH
    alone can simulate a VPN by tunnelling individual TCP connections too.
    
    I.e. IPSec _is_ only used to implement secure virtual networks (private
    or otherwise), but it's not the only way to implement such things.
    
    > So, IPSec could be used as a
    > substitute for SSH, TLS or other encryption mechanisms. IPSec is
    > better than the previous in the fact that it can be used to protect
    > ANY kind of IP-traffic.
    
    That's not necessarily true either.  All IPSec, or any VPN for that
    matter, can do is protect your data as it travels over a real (and
    possibly public) network.  It does nothing to protect your computer and
    local applications, or to protect the network it is connected to or the
    computers and applications on that remote network, except of course
    w.r.t. threats from the real network you're using to interconnect over.
    Only a host-to-host VPN can protect your data from end-to-end.  Normally
    though an IPSec VPN will only be implemented between a host workstation
    and a remote network gateway.
    
    SSH and TLS/SSL and so on normally protect traffic end-to-end (i.e. from
    the client host to the server host) over any network, virtual, private,
    or otherwise, and thus can still be very useful even over a VPN
    implemented using IPsec.  Whether you also need SSH and/or TLS/SSL,
    etc., depends on how much you trust the network your VPN is connected
    to.  Of course the hosts on the network your VPN connects to must still
    trust your host(s), even if you also use SSH and/or TLS/SSL, etc.
    
    For example when doing remote administration of servers on some remote
    network you should always use SSH, even if you also have a VPN to
    connect your local workstation (and/or local network) to the remote
    network.  You should not trust everyone and everything on the remote
    network between its gateway and the remote server(s) you're
    administering.  If you don't always use SSH any passwords you type to
    them may be seen by a sniffer on the remote network.  The same risks
    apply to using any remote application where you don't want sensitive
    data to be seen or interfered with as it traverses the remote network.
    
    -- 
    								Greg A. Woods
    
    +1 416 218-0098;  <gwoodsat_private>;  <g.a.woodsat_private>;  <woodsat_private>
    Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
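
The subject of this thread is UDP/500 traffic, which both posters identify as IKE (ISAKMP) negotiation for IPsec. The following is an added example, not code from the thread or from any product it mentions: a small Python parser for the fixed 28-byte ISAKMP header (RFC 2408) and the payload chain that follows it, run over two constructed datagrams (a Phase 1 Main Mode opener and an encrypted Quick Mode message). The cookies, vendor-ID bytes and the truncated SA body are made-up sample data, not captured traffic. Looking at the exchange type, the responder cookie and the encryption flag is usually enough for an analyst to confirm that UDP/500 traffic is an ordinary IPsec key exchange rather than something that needs escalating. It goes slightly beyond the thread in rejecting IKEv2 (major version 2, RFC 4306) explicitly and in covering the encrypted-payload case, where nothing past the header is parseable.

```python
"""Decode ISAKMP/IKEv1 datagrams seen on UDP port 500 (added example)."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 2408 section 3.1: initiator cookie, responder cookie, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
    6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N",
    12: "D", 13: "VID",
}
FLAG_ENCRYPT = 0x01  # payloads after the header are ciphertext


@dataclass
class IsakmpMessage:
    initiator_cookie: bytes
    responder_cookie: bytes
    version: str
    exchange: str
    encrypted: bool
    message_id: int
    length: int
    payloads: List[str] = field(default_factory=list)


def parse_isakmp(datagram: bytes) -> IsakmpMessage:
    """Parse one UDP/500 payload; raise ValueError if it is not well-formed IKEv1."""
    if len(datagram) < ISAKMP_HEADER.size:
        raise ValueError("too short for an ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msg_id, length = \
        ISAKMP_HEADER.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length != len(datagram):
        raise ValueError(f"header length {length} != datagram length {len(datagram)}")
    msg = IsakmpMessage(icookie, rcookie, f"{version >> 4}.{version & 0xF}",
                        EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
                        bool(flags & FLAG_ENCRYPT), msg_id, length)
    if msg.encrypted:
        return msg  # Phase 2 / informational: payload chain is encrypted, stop here
    # Walk the generic payload headers: next payload (1), reserved (1), length (2).
    off = ISAKMP_HEADER.size
    while nxt != 0:
        if off + 4 > len(datagram):
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", datagram, off)
        if plen < 4 or off + plen > len(datagram):
            raise ValueError("bad payload length")
        msg.payloads.append(PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"))
        off += plen
        nxt = following
    if off != len(datagram):
        raise ValueError("trailing bytes after last payload")
    return msg


def is_ikev1(datagram: bytes) -> bool:
    """Cheap classifier for a UDP/500 datagram: True only if it parses as IKEv1."""
    try:
        parse_isakmp(datagram)
        return True
    except ValueError:
        return False


def build_isakmp(icookie: bytes, rcookie: bytes, exchange: int, flags: int,
                 msg_id: int, payloads: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a datagram from (payload type, body) pairs; used to construct samples."""
    chain = b""
    for i, (_ptype, body) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", following, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HEADER.pack(icookie, rcookie, first, 0x10, exchange, flags,
                              msg_id, ISAKMP_HEADER.size + len(chain)) + chain


# Constructed sample 1: first Main Mode message from an initiator. Responder
# cookie is still zero, message ID 0, cleartext SA (DOI=IPsec, SIT_IDENTITY_ONLY,
# proposals omitted for brevity) followed by a vendor-ID payload.
SAMPLE_MAIN_MODE_1 = build_isakmp(
    bytes.fromhex("0123456789abcdef"), bytes(8), 2, 0, 0,
    [(1, b"\x00\x00\x00\x01\x00\x00\x00\x01"), (13, b"\xaa" * 16)])

# Constructed sample 2: Quick Mode message after Phase 1, E flag set, so the
# 16 bytes after the header are opaque ciphertext (random-looking filler here).
SAMPLE_QUICK_MODE = build_isakmp(
    bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210"),
    32, FLAG_ENCRYPT, 0x2a5c1f03, [(8, b"\x5b" * 12)])

if __name__ == "__main__":
    for sample in (SAMPLE_MAIN_MODE_1, SAMPLE_QUICK_MODE):
        print(parse_isakmp(sample))
```

A non-zero responder cookie together with the encryption flag means the peers already completed Phase 1, which is what a healthy, established IPsec association between two clients looks like from the outside. IKE peers behind NAT move to UDP/4500 (NAT-T), so a parser fed only port 500 will miss that part of the conversation.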
    



    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 16:59:50 PST