Well, first of all, IPSec and L2TP aren't true layer 4 protocols in the way that TCP or UDP are. Depending on the IPSec* implementation, it is actually comprised of at least two of the TCP, UDP, ESP, and AH protocols. L2TP is comprised of UDP and ESP protocols.
Secondly, there are Nessus checks for the presence of parts of these protocols (for instance, ISAKMP fingerprint for IPSec) as well as some vulnerability checks for vendor-specific implementations of these protocols (typically found in firewall or RAS products). Older default Check Point firewalls for instance will give up the SecureRemote topology file to Nessus, which can yield some interesting information. That said, Nessus does not perform analysis against the tunnel itself; it only enumerates the tunnel endpoint and may be able to identify the presence of a vulnerability on the endpoint's implementation of IPSec or L2TP. It will not test bit-flipping, decoding, man-in-the-middle, authentication or sequencing attacks against an existing tunnel. It cannot tell you if the actual tunnel is vulnerable to attack.

PaulM

* http://en.wikipedia.org/wiki/IPsec

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Smith
Sent: Tuesday, October 04, 2005 2:15 PM
To: [email protected]
Subject: Nessus Scanning Protocols

I'm trying to understand how IPSEC and L2TP protocols can be used in a vulnerability assessment. I understand that TCP/UDP/ICMP are currently used in Nessus to perform the port scans and checks. Does Nessus support IPSEC or L2TP? And if so, can these protocols be used to pentest Firewalls, VPNs, Routers and other Cisco tunnels?

Thanks - Steve

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
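As an added illustration of what an ISAKMP fingerprint check actually looks at (example code written for this page, not Nessus plugin code or anything posted in the thread): the parser below decodes the 28-byte ISAKMP header of a captured IKE datagram on UDP 500 or NAT-T UDP 4500 and reports the IKE version and exchange type, which is what lets a defender inventory endpoints that still answer in IKEv1 Aggressive Mode. The sample datagrams come from `build_header`, a hypothetical helper that constructs header-only packets.

```python
import struct
from dataclasses import dataclass

# Exchange-type codes from RFC 2408 (IKEv1) and RFC 7296 (IKEv2). A fingerprint
# check mainly wants the IKE version and whether Aggressive Mode is in use.
EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Main Mode", (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational", (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT", (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA", (2, 37): "IKEv2 INFORMATIONAL",
}
HEADER = struct.Struct("!8s8sBBBBII")  # 28-byte ISAKMP header, network byte order
NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: prefixes IKE (not ESP) on UDP 4500


@dataclass
class IsakmpHeader:
    major: int
    minor: int
    exchange: str
    responder_spi_set: bool   # False on the very first message of an exchange
    length: int


def parse_isakmp(payload: bytes, udp_port: int = 500) -> IsakmpHeader:
    """Decode the ISAKMP header of one IKE datagram (UDP 500 or NAT-T 4500)."""
    if udp_port == 4500:
        # On 4500, IKE and UDP-encapsulated ESP share the port; only IKE carries the marker.
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP 4500 without non-ESP marker: encapsulated ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < HEADER.size:
        raise ValueError("datagram shorter than the 28-byte ISAKMP header")
    _ispi, rspi, _next, version, exch, _flags, _msg_id, length = HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F   # version byte: high nibble major, low nibble minor
    if major not in (1, 2):
        raise ValueError(f"unsupported ISAKMP major version {major}")
    if length != len(payload):
        raise ValueError(f"length field {length} != datagram size {len(payload)}")
    return IsakmpHeader(
        major=major, minor=minor,
        exchange=EXCHANGE_TYPES.get((major, exch), f"unknown exchange type {exch}"),
        responder_spi_set=rspi != bytes(8),
        length=length,
    )


def build_header(major: int, exch: int, rspi: bytes = bytes(8), flags: int = 0) -> bytes:
    """Constructed sample (hypothetical helper): a header-only IKE datagram with no payloads."""
    return HEADER.pack(b"\x11" * 8, rspi, 0, major << 4, exch, flags, 0, HEADER.size)
```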
