[ On Monday, January 28, 2002 at 23:33:27 (+0200), Toni Heinonen wrote: ]
> Subject: RE: UDP port 500 traffic from two clients
>
> In 99 % of these cases there is absolutely nothing malicious about the
> traffic.

Very true.

> You know, IPSec isn't used only for VPN? As a matter of fact,
> you can (as many people have done) configure your Windows 2000 to
> encrypt ABSOLUTELY ALL traffic.

But that's not quite true -- or rather it's a bit off kilter, at least the way I read it.

As I'm sure you know a "VPN" is a "virtual private network", i.e. a network on top of another network through which all data transmitted in it will be kept private (usually by encrypting it and by ensuring it's safe from tampering). IPSec is simply one standardised (and thus interoperable) way of implementing virtual private networks. (IPSec doesn't have to implement the "private" part though -- it can also implement a secure virtual network which does not encrypt the data.) SSH plus some IP tunnelling protocol can also implement a VPN. SSH alone can simulate a VPN by tunnelling individual TCP connections too.

I.e. IPSec _is_ only used to implement secure virtual networks (private or otherwise), but it's not the only way to implement such things.

> So, IPSec could be used as a
> substitute for SSH, TLS or other encryption mechanisms. IPSec is
> better than the previous in the fact that it can be used to protect
> ANY kind of IP-traffic.

That's not necessarily true either. All IPSec, or any VPN for that matter, can do is protect your data as it travels over a real (and possibly public) network. It does nothing to protect your computer and local applications, or to protect the network it is connected to or the computers and applications on that remote network, except of course w.r.t. threats from the real network you're using to interconnect over. Only a host-to-host VPN can protect your data from end to end.

Normally though an IPSec VPN will only be implemented between a host workstation and a remote network gateway. SSH and TLS/SSL and so on normally protect traffic end-to-end (i.e. from the client host to the server host) over any network, virtual, private, or otherwise, and thus can still be very useful even over a VPN implemented using IPsec. Whether you also need SSH and/or TLS/SSL, etc., depends on how much you trust the network your VPN is connected to. Of course the hosts on the network your VPN connects to must still trust your host(s), even if you also use SSH and/or TLS/SSL, etc.

For example when doing remote administration of servers on some remote network you should always use SSH, even if you also have a VPN to connect your local workstation (and/or local network) to the remote network. You should not trust everyone and everything on the remote network between its gateway and the remote server(s) you're administering. If you don't always use SSH any passwords you type to them may be seen by a sniffer on the remote network. The same risks apply to using any remote application where you don't want sensitive data to be seen or interfered with as it traverses the remote network.

--
Greg A. Woods
+1 416 218-0098; <gwoodsat_private>; <g.a.woodsat_private>; <woodsat_private>
Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 16:59:50 PST
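The point of the post above (a client-to-gateway IPsec tunnel only covers the public hop, so an unprotected admin session is still readable on the remote LAN unless SSH or TLS protects it end to end) can be modelled as a small coverage check. This is an added example, not code from the original post; the hop names, ports and sample flows are constructed assumptions.

```python
# Added example: which hops of a client -> server path carry a flow's payload
# in the clear, given an IPsec tunnel that ends at the remote VPN gateway.
from dataclasses import dataclass

# Constructed path: public Internet hop, then the remote LAN behind the gateway.
PATH = ["client", "internet", "vpn-gateway", "remote-lan", "server"]

# Application protocols that protect traffic end to end (client <-> server).
END_TO_END = {22: "ssh", 443: "tls"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def hops_between(a, b):
    """Hops of PATH strictly between endpoints a and b."""
    i, j = PATH.index(a), PATH.index(b)
    return PATH[i + 1:j]


def exposed_hops(flow, ipsec_tunnel=("client", "vpn-gateway")):
    """Hops on which a sniffer could read the flow's payload.

    The IPsec tunnel covers only the hops strictly between its two endpoints
    (the gateway itself decrypts, so it sees cleartext); an end-to-end
    protocol covers every hop between client and server. ipsec_tunnel=None
    models a connection with no VPN at all.
    """
    traversed = hops_between(flow.src, flow.dst)
    if flow.dport in END_TO_END:
        return []
    covered = set(hops_between(*ipsec_tunnel)) if ipsec_tunnel else set()
    return [hop for hop in traversed if hop not in covered]


def audit(flows, ipsec_tunnel=("client", "vpn-gateway")):
    """Map 'src->dst:port' to the hops where that flow is exposed."""
    return {f"{f.src}->{f.dst}:{f.dport}": exposed_hops(f, ipsec_tunnel)
            for f in flows}


# Constructed sample: an administrator reaching a server through the VPN.
SAMPLE = [Flow("client", "server", 22),    # SSH: protected on every hop
          Flow("client", "server", 23),    # telnet inside the VPN: exposed past the gateway
          Flow("client", "server", 80)]    # HTTP inside the VPN: same problem

if __name__ == "__main__":
    for name, hops in audit(SAMPLE).items():
        print(name, "exposed on:", hops or "nothing")
```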