> -----Original Message-----
> From: Claussen, Ken [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 11, 2001 3:05 AM
> To: 'erratic whimsicality'; '[EMAIL PROTECTED]'
> Subject: RE: IPSEC tunnel between Nokia and Cisco
>
>
> Giorgo,
> Your solution is much easier to maintain. I would put the
> single VPN router behind the firewall and allow UDP port
> 500 (ISAKMP) and protocols 50 (ESP) and 51 (AH) to tunnel from
> your IP to the remote VPN router.
I have an architecture bias against running IPSec through firewalls. I
prefer to terminate VPN traffic at, before or in parallel to firewalls, in
general. Just a gut-feel thing, though.
Oh, and being _really_ pedantic, I prefer to use IPSec in tunnel mode with
ESP only and not worry about AH. One less protocol to open, and it's no loss
from a crypto point of view.
> I have worked with IPsec
> tunnels between different vendor platforms and it can be a
> bit (or a lot) tricky. It is much easier to maintain if both
> ends are Cisco routers.
I haven't really found this - just my opinion, of course. All the interop
I've done has been easyish. In fact, as long as _one_ side is a Cisco it's
even easier because of the high quality of the debug messages.
> As an aside have you considered SSH
> to the routers themselves. This provides an equally secure
> alternative and would not require additional hardware. To do
> this you need to be running 12.1.2T or some newer T version
> IOS. Also beware 12.1.3 is a bit buggy especially between
> Cisco and Checkpoint, we had to upgrade to 12.1.5T9 to get good SAs.
The SSH code is new, and there has already been at least one problem with it
that I know of. I'm still not using it in production systems. 12.1.3 is
deferred, yes. Nobody should be using it for anything. 12.1.5T9 happens to
be my current favourite for production use that requires a T stream.
In addition (we're getting really theoretical now) I'm trying to avoid _all_
SSH for new high security stuff, due to the number of recent "good" attacks.
Once all the dust has settled, we'll see what's what. The most recent work
(nifty stat. analysis involving keystroke timing) is just Too Damn Scary.
It's not full-fledged panic (I'm not migrating existing architectures), so
please don't read this as a sky-is-falling comment.
How about this even _more_ secure (and much simpler) alternative? Get a
2509-RJ (it has 8 serial ports), enable IPSec on it, run console cables from
the 2509 to each of the secure external routers, and then disable all IP
connectivity to them. That limits your IPSec attacks to one box, which can
be more effectively shielded from the outside world (the management box only
needs to talk to one IP address). If these are high traffic boxes, make sure
you have things like 'logging rate-limit console' turned on.
> Ken Claussen MCSE CCNA CCA
> "In Theory it should work as you describe, but the difference
> between theory and reality is the truth! For this we all strive"
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of erratic
> whimsicality
> Sent: Monday, September 10, 2001 11:09 AM
> To: [EMAIL PROTECTED]
> Subject: IPSEC tunnel between Nokia and Cisco
>
>
> Hello All,
>
>
> We are going to set up a secure environment to access
> external routers
> (located in a specific DMZ) for management purposes.
[...]
> Thanks,
>
> ...Giorgo
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
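Editor's note: the configuration below is an added example and is not part of the thread nor any participant's own configuration. It shows, in Cisco IOS 12.1T-era syntax, the design Ben sketches: a single IPSec endpoint (here a 2509 console server) using an ESP-only tunnel-mode transform set, a firewall rule set in front of it that admits only ISAKMP (UDP 500) and ESP (IP protocol 50) from the one remote peer, so AH (protocol 51) is never opened, the async lines cabled to the DMZ routers' consoles, and the console log rate limit he mentions. All addresses (RFC 5737 documentation ranges), the pre-shared key, and the names ESP-ONLY, MGMT-VPN and OUTSIDE-IN are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Addresses, key and object names are
! assumed; substitute your own.
!
! ===== 2509 console server: the only IPSec endpoint in the DMZ =====
! Management address that the admin host reaches over the tunnel.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! Phase 1: IKE to the single remote VPN gateway (assumed 203.0.113.2).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Phase 2: ESP only, carrying both confidentiality and integrity. With no
! AH transform, IP protocol 51 never needs to pass the firewall.
crypto ipsec transform-set ESP-ONLY esp-3des esp-sha-hmac
 mode tunnel
!
! "Interesting" traffic: only the admin host (assumed 192.0.2.10, behind
! the remote gateway) talking to the console server's management address.
access-list 110 permit ip host 192.0.2.10 host 10.0.0.1
!
crypto map MGMT-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-ONLY
 match address 110
!
interface Ethernet0
 description DMZ side, tunnel endpoint (assumed 198.51.100.1)
 ip address 198.51.100.1 255.255.255.0
 crypto map MGMT-VPN
!
! Async lines 1-8 are cabled to the DMZ routers' console ports and reached
! by reverse telnet (TCP 2001-2008 on 10.0.0.1) inside the tunnel only.
access-list 120 permit tcp host 192.0.2.10 any
line 1 8
 no exec
 access-class 120 in
 transport input telnet
!
! ===== Firewall / screening router in front of the 2509: inbound =====
! Only ISAKMP and ESP, only from the one peer, only to the one endpoint.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
interface Serial0
 ip access-group OUTSIDE-IN in
!
! ===== Each DMZ router reached by console cable =====
! With IP connectivity to the router removed, the console is the only way
! in; rate-limit console logging so a message storm cannot swamp the line.
logging rate-limit console 10 except errors
```

Two checks worth making after bringing this up: `show crypto ipsec sa` on the 2509 should list only an ESP SA pair (no AH), and a packet capture on the firewall's outside interface should show nothing but UDP/500 and protocol 50 between the two gateway addresses. 3DES and a pre-shared key are what the 12.1T code of the time offered; where the platform supports it, prefer AES and certificate-based IKE authentication, keeping the same ESP-only, single-peer shape.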