Re: SSL VPN

2019-06-16 Thread Stephen Cotton
If you are authenticating off radius the profile then only
contains the ta.key preauth key, as well as the server certs and settings.
So multiple people (or/and office) can use a single profile with their
unique credentials. I believe this may be susceptible to having the
password cached in memory though as it will auto reconnect on failure.

The default on the server setups also only allows a single active connection
per user. There is a checkbox (in the pfsense server config page) to
override this. It’s important to be cognizant of because there’s nothing
stopping someone from using the same profile and radius creds on two
devices (say a phone and computer) and the behavior they will see is just
constant disconnects and reconnects.


On Fri, Jun 14, 2019 at 11:55 AM Jasper Backer  wrote:

> Just wondering, is the client export actually tied to the logged in user,
> or can every user download all other VPN profiles (which hopefully are of
> little use as credentials are likely unknown)? It used to be that way,
> would be nice if it is tied to just the logged in user.
>
> Cheers,
>
> Jasper
> On 13-06-19 20:06, Matt Harris wrote:
>
> On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka  wrote:
>
>>
>> OpenVPN in pfSense?
>>
>> We run tons of these around the world.
>>
>> Mark.
>>
>>
> With the client config generator package, "openvpn-client-export",
> installed, this is imho the best option for an end-user VPN. pfSense has a
> much nicer UI than OpenVPN AS, and that UI also supports other things you
> might need (like routing protocols via bird or quagga, managing the
> firewall, etc) as well. I can't see any reason to pay money for OpenVPN AS
> when you compare it to what you get for free with pfSense.  The NetGate
> pfSense appliances are quite nicely spec'd, too, if you just have cash
> burning a hole in your pocket.  It also easily ties in OpenVPN
> authentication to RADIUS or LDAP, and getting it working with Active
> Directory on the backend is trivially simple.
>
>
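
The disconnect/reconnect loop described in the message above can be spotted from the server side. This is an added example, not code from the thread or from pfSense/OpenVPN: it counts session takeovers per user inside a time window. It assumes the client name in the log is the RADIUS username and that the log line layout matches the regex; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (an assumption, modelled on OpenVPN's server log):
#   <ctime timestamp> [<src ip>:<port>] MULTI: new connection by client '<name>'
#   will cause previous active sessions by this client to be dropped.
TAKEOVER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:(?P<src>\S+):\d+ )?"
    r"MULTI: new connection by client '(?P<user>[^']+)' "
    r"will cause previous active sessions"
)

_TAIL = "will cause previous active sessions by this client to be dropped."


def _line(ts, src, user):
    """Build one constructed takeover log line for the sample below."""
    return f"{ts} {src} MULTI: new connection by client '{user}' {_TAIL}"


# Constructed sample: 'alice' is logged in on two devices that keep evicting
# each other; 'bob' reconnects once, which is normal behaviour.
SAMPLE_LOG = "\n".join([
    _line("Fri Jun 14 10:00:05 2019", "198.51.100.7:51820", "alice"),
    "Fri Jun 14 10:00:40 2019 192.0.2.44:40112 TLS: Initial packet received",
    _line("Fri Jun 14 10:01:10 2019", "203.0.113.20:39004", "alice"),
    _line("Fri Jun 14 10:02:15 2019", "198.51.100.7:51822", "alice"),
    _line("Fri Jun 14 10:03:20 2019", "203.0.113.20:39010", "alice"),
    _line("Fri Jun 14 11:30:00 2019", "192.0.2.44:40112", "bob"),
])


def find_flapping(log_text, window=timedelta(minutes=10), threshold=3):
    """Return {user: (takeovers_in_busiest_window, sorted_source_ips)}.

    A user is reported when at least `threshold` session takeovers fall
    inside one sliding `window`, the signature of one credential being
    used on several devices while only one active session is allowed.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = TAKEOVER.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events[m.group("user")].append((ts, m.group("src") or "unknown"))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        best, start = [], 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            flagged[user] = (len(best), sorted({src for _, src in best}))
    return flagged


if __name__ == "__main__":
    for user, (count, sources) in find_flapping(SAMPLE_LOG).items():
        print(f"{user}: {count} takeovers from {', '.join(sources)}")
```

Two or more source addresses alternating for one user points at a shared credential on multiple devices; a single address suggests an unstable link instead.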


Re: SSL VPN

2019-06-15 Thread Mark Tinka
The former.

Mark.

On 13/Jun/19 20:25, Jasper Backer wrote:
>
> Just wondering, is the client export actually tied to the logged in
> user, or can every user download all other VPN profiles (which
> hopefully are of little use as credentials are likely unknown)? It
> used to be that way, would be nice if it is tied to just the logged in
> user.
>
> Cheers,
>
> Jasper
>
> On 13-06-19 20:06, Matt Harris wrote:
>> On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka wrote:
>>
>>
>> OpenVPN in pfSense?
>>
>> We run tons of these around the world.
>>
>> Mark.
>>
>>
>> With the client config generator package, "openvpn-client-export",
>> installed, this is imho the best option for an end-user VPN. pfSense
>> has a much nicer UI than OpenVPN AS, and that UI also supports other
>> things you might need (like routing protocols via bird or quagga,
>> managing the firewall, etc) as well. I can't see any reason to pay
>> money for OpenVPN AS when you compare it to what you get for free
>> with pfSense.  The NetGate pfSense appliances are quite nicely
>> spec'd, too, if you just have cash burning a hole in your pocket.  It
>> also easily ties in OpenVPN authentication to RADIUS or LDAP, and
>> getting it working with Active Directory on the backend is trivially
>> simple. 
>>



Re: SSL VPN

2019-06-14 Thread Jasper Backer
Just wondering, is the client export actually tied to the logged in 
user, or can every user download all other VPN profiles (which hopefully 
are of little use as credentials are likely unknown)? It used to be that 
way, would be nice if it is tied to just the logged in user.


Cheers,

Jasper

On 13-06-19 20:06, Matt Harris wrote:
> On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka wrote:
>
>> OpenVPN in pfSense?
>>
>> We run tons of these around the world.
>>
>> Mark.
>
> With the client config generator package, "openvpn-client-export",
> installed, this is imho the best option for an end-user VPN. pfSense
> has a much nicer UI than OpenVPN AS, and that UI also supports other
> things you might need (like routing protocols via bird or quagga,
> managing the firewall, etc) as well. I can't see any reason to pay
> money for OpenVPN AS when you compare it to what you get for free with
> pfSense.  The NetGate pfSense appliances are quite nicely spec'd, too,
> if you just have cash burning a hole in your pocket.  It also easily
> ties in OpenVPN authentication to RADIUS or LDAP, and getting it
> working with Active Directory on the backend is trivially simple.




Re: SSL VPN

2019-06-14 Thread Curtis, Bruce


On Jun 13, 2019, at 1:32 PM, Randy Bush <ra...@psg.com> wrote:

>> OpenVPN in pfSense?
>
> yep
>
>> We run tons of these around the world.
>
> i only do 0.5kg
>
> wireguard, https://www.wireguard.com/, is simpler (always a good thing
> with security), and has had code looked at by some credible experts.
>
> randy

Looks like wireguard has some similarities to ZeroTier.  But a big difference 
is that wireguard is based on layer 3 while ZeroTier is based on layer 2 and 
calls itself an "Ethernet switch for planet Earth".

https://www.zerotier.com


---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II  701-231-8527
North Dakota State University



Re: SSL VPN

2019-06-14 Thread Hansen, Christoffer


On 14/06/2019 01:11, Eric Tykwinski wrote:
> This is the second time I’ve seen WireGuard this past week, and honestly 
> sounds really promising.
> I’m probably going to test out on VyOS since I know it has support, but any 
> word on ASA or JunOS?

If you want to take VyOS 1.2.x for a test drive with WireGuard VPN.
Consider OPNsense, too. (If you don't like the distro, then at least for
a test drive) They have also bundled WireGuard support.[0]
Afaik. You can find guides around with
how-to-wireguard-package-into-pfsense in best DIY fashion. NetGate is
currently holding back with official WireGuard Package for now. [1][2]

Christoffer

[0]: https://docs.opnsense.org/manual/vpnet.html#configuration
[1]: https://forum.netgate.com/topic/132375/installing-wireguard-vpn/40
[2]: https://redmine.pfsense.org/issues/8786


Re: SSL VPN

2019-06-14 Thread Mark Tinka



On 13/Jun/19 20:06, Matt Harris wrote:

>
> With the client config generator package, "openvpn-client-export",
> installed, this is imho the best option for an end-user VPN. pfSense
> has a much nicer UI than OpenVPN AS, and that UI also supports other
> things you might need (like routing protocols via bird or quagga,
> managing the firewall, etc) as well. I can't see any reason to pay
> money for OpenVPN AS when you compare it to what you get for free with
> pfSense.  The NetGate pfSense appliances are quite nicely spec'd, too,
> if you just have cash burning a hole in your pocket.  It also easily
> ties in OpenVPN authentication to RADIUS or LDAP, and getting it
> working with Active Directory on the backend is trivially simple.

+1.

Mark.



Re: SSL VPN

2019-06-13 Thread santiago.martinez.uk
+1 and it also supports HA.

Sent from my Samsung Galaxy smartphone.

-------- Original message --------
From: Mark Tinka
Date: 13/06/2019 14:59 (GMT-03:00)
To: nanog@nanog.org
Subject: Re: SSL VPN

On 1/Jun/19 16:53, Mehmet Akcin wrote:
> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each
> any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for
> recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with
> licenses when team grows to 10.
>
> Thanks in advance.

OpenVPN in pfSense?

We run tons of these around the world.

Mark.

Re: SSL VPN

2019-06-13 Thread Matt Harris
On Thu, Jun 13, 2019 at 6:12 PM Eric Tykwinski 
wrote:

> This is the second time I’ve seen WireGuard this past week, and honestly
> sounds really promising.
> I’m probably going to test out on VyOS since I know it has support, but
> any word on ASA or JunOS?
> I.E. is this going to export to hardware since it’s in the kernel already?
>

The kernel? Which kernel?

Given that neither Cisco nor Juniper ever adopted support for running
OpenVPN on their platforms, I suspect it's unlikely that they'd adopt
support for Wireguard. I would venture that as far as appliance support,
the best bet is likely to be NetGate and pfSense, but I think Wireguard is
going to have to come out with an "OK, we're comfortable with being
considered production-ready" statement first, given that the front page of
their website right now still proclaims the opposite. Once that happens -
and the ball is largely in Wireguard's court to move that forward - then we
should expect to see more mainstream adoption into products like pfSense.


Re: SSL VPN

2019-06-13 Thread Eric Tykwinski


> On Jun 13, 2019, at 2:32 PM, Randy Bush  wrote:
> 
>> OpenVPN in pfSense?
> 
> yep
> 
>> We run tons of these around the world.
> 
> i only do 0.5kg
> 
> wireguard, https://www.wireguard.com/, is simpler (always a good thing
> with security), and has had code looked at by some credible experts.
> 

This is the second time I’ve seen WireGuard this past week, and honestly sounds 
really promising.
I’m probably going to test out on VyOS since I know it has support, but any 
word on ASA or JunOS?
I.E. is this going to export to hardware since it’s in the kernel already?

> randy




Re: SSL VPN

2019-06-13 Thread Randy Bush
> OpenVPN in pfSense?

yep

> We run tons of these around the world.

i only do 0.5kg

wireguard, https://www.wireguard.com/, is simpler (always a good thing
with security), and has had code looked at by some credible experts.

randy


Re: SSL VPN

2019-06-13 Thread Matt Harris
On Thu, Jun 13, 2019 at 12:59 PM Mark Tinka  wrote:

>
> OpenVPN in pfSense?
>
> We run tons of these around the world.
>
> Mark.
>
>
With the client config generator package, "openvpn-client-export",
installed, this is imho the best option for an end-user VPN. pfSense has a
much nicer UI than OpenVPN AS, and that UI also supports other things you
might need (like routing protocols via bird or quagga, managing the
firewall, etc) as well. I can't see any reason to pay money for OpenVPN AS
when you compare it to what you get for free with pfSense.  The NetGate
pfSense appliances are quite nicely spec'd, too, if you just have cash
burning a hole in your pocket.  It also easily ties in OpenVPN
authentication to RADIUS or LDAP, and getting it working with Active
Directory on the backend is trivially simple.


Re: SSL VPN

2019-06-13 Thread Mark Tinka



On 1/Jun/19 16:53, Mehmet Akcin wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each
> any given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for
> recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with
> licenses when team grows to 10.
>
> Thanks in advance.

OpenVPN in pfSense?

We run tons of these around the world.

Mark.



Re: SSL VPN

2019-06-01 Thread Brielle
There is always the open source server/client ocserv.  Server is compatible 
with pulse and Cisco clients,  Ocserv client is compatible with pulse and Cisco 
servers as well.

Sent from my iPhone

> On Jun 1, 2019, at 1:10 PM, Ross Tajvar  wrote:
> 
> I've used that too. I found the admin interface to be pretty unintuitive. And 
> it kicks all active sessions without warning when you make a config change.
> 
>> On Sat, Jun 1, 2019, 2:32 PM Warren Kumari  wrote:
>> OpenVPN AS?
>> 
>> I’ve been running it for ~20 users for many years — it just works, has 
>> clients for many OSes, etc.
>> 
>> W
>> 
>>> On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin  wrote:
>>> Hey there
>>> 
>>> I am trying to choose SSL VPN for a remote office 3-4 people max each any 
>>> given time.
>>> 
>>> I have looked at Pulse and Cisco, and wanted to check in here for 
>>> recommendations on latest trends.
>>> 
>>> Trying to get a solution easy to manage and won’t break the bank with 
>>> licenses when team grows to 10.
>>> 
>>> Thanks in advance.
>>> 
>>> Mehmet
>>> -- 
>>> Mehmet
>>> +1-424-298-1903
>> -- 
>> I don't think the execution is relevant when it was obviously a bad idea in 
>> the first place.
>> This is like putting rabid weasels in your pants, and later expressing 
>> regret at having chosen those particular rabid weasels and that pair of 
>> pants.
>>---maf


Re: SSL VPN

2019-06-01 Thread Ross Tajvar
I've used that too. I found the admin interface to be pretty unintuitive.
And it kicks all active sessions without warning when you make a config
change.

On Sat, Jun 1, 2019, 2:32 PM Warren Kumari  wrote:

> OpenVPN AS?
>
> I’ve been running it for ~20 users for many years — it just works, has
> clients for many OSes, etc.
>
> W
>
> On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin  wrote:
>
>> Hey there
>>
>> I am trying to choose SSL VPN for a remote office 3-4 people max each any
>> given time.
>>
>> I have looked at Pulse and Cisco, and wanted to check in here for
>> recommendations on latest trends.
>>
>> Trying to get a solution easy to manage and won’t break the bank with
>> licenses when team grows to 10.
>>
>> Thanks in advance.
>>
>> Mehmet
>> --
>> Mehmet
>> +1-424-298-1903
>>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>---maf
>


Re: SSL VPN

2019-06-01 Thread Warren Kumari
OpenVPN AS?

I’ve been running it for ~20 users for many years — it just works, has
clients for many OSes, etc.

W

On Sat, Jun 1, 2019 at 10:54 AM Mehmet Akcin  wrote:

> Hey there
>
> I am trying to choose SSL VPN for a remote office 3-4 people max each any
> given time.
>
> I have looked at Pulse and Cisco, and wanted to check in here for
> recommendations on latest trends.
>
> Trying to get a solution easy to manage and won’t break the bank with
> licenses when team grows to 10.
>
> Thanks in advance.
>
> Mehmet
> --
> Mehmet
> +1-424-298-1903
>
-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: [nanog] Re: SSL VPN

2019-06-01 Thread Ross Tajvar
I've used Pulse and AnyConnect (as a user) and Windows-based SSTP (as an
admin). They all worked well. The nice part about the Windows option is
that it's cheap (you only need to pay for a Windows license).

On Sat, Jun 1, 2019, 12:53 PM Hansen, Christoffer 
wrote:

> A solution based upon SSTP?
>
> Have used SSTP on Mikrotik gear in the past. Works well once setup is done.
> https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
>
> *Windows do e.g. have built-in support for SSTP based VPN solutions.
>
> Christoffer
>


[nanog] Re: SSL VPN

2019-06-01 Thread Hansen, Christoffer
A solution based upon SSTP?

Have used SSTP on Mikrotik gear in the past. Works well once setup is done.
https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

*Windows do e.g. have built-in support for SSTP based VPN solutions.

Christoffer


Re: SSL VPN

2019-06-01 Thread Colin Johnston
sophos utm vm can't beat that

Sent from my iPod

> On 1 Jun 2019, at 15:53, Mehmet Akcin  wrote:
> 
> Hey there
> 
> I am trying to choose SSL VPN for a remote office 3-4 people max each any 
> given time.
> 
> I have looked at Pulse and Cisco, and wanted to check in here for 
> recommendations on latest trends.
> 
> Trying to get a solution easy to manage and won’t break the bank with 
> licenses when team grows to 10.
> 
> Thanks in advance.
> 
> Mehmet
> -- 
> Mehmet
> +1-424-298-1903


SSL VPN

2019-06-01 Thread Mehmet Akcin
Hey there

I am trying to choose SSL VPN for a remote office 3-4 people max each any
given time.

I have looked at Pulse and Cisco, and wanted to check in here for
recommendations on latest trends.

Trying to get a solution easy to manage and won’t break the bank with
licenses when team grows to 10.

Thanks in advance.

Mehmet
-- 
Mehmet
+1-424-298-1903


Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Clay Kossmeyer

Hi All -

The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing 
list for well over a decade.  We started this process a long time ago at the 
request of the list’s then-membership and haven’t been asked to change since.

Admittedly, vulnerability disclosure/discussion/reporting has changed a bit 
over the years and we may be a bit overdue on rethinking the need to send to 
NANOG. :)

Given that there are a number of forums that more directly address either 
Cisco-specific issues or are specific to vulnerability announcements, we’re 
happy to discontinue sending to the NANOG list directly.

Cisco maintains a mailing list and RSS feed to which we send our Security 
Advisories, and you’re welcome to join if interested:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

Thanks,

Clay




RE: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Chuck Church
Given that probably 80+% (a guess, but I'd be really surprised at a lower
figure) of all internet traffic crosses at least one Cisco device somewhere,
I think it would be a huge disservice to discontinue sending these emails.
10 to 15 emails per year isn't much overhead, compared to seemingly
never-discussions on mandatory email legal signatures and other fluff.

Chuck

-----Original Message-----
From: Clay Kossmeyer [mailto:ckoss...@cisco.com] 
Sent: Tuesday, April 01, 2014 2:44 PM
To: nanog@nanog.org
Cc: Clay Seaman-Kossmeyer (ckossmey)
Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of
Service Vulnerability


Hi All -

The Cisco PSIRT has been sending IOS Security Advisories to the NANOG
mailing list for well over a decade.  We started this process a long time
ago at the request of the list's then-membership and haven't been asked to
change since.

Admittedly, vulnerability disclosure/discussion/reporting has changed a bit
over the years and we may be a bit overdue on rethinking the need to send to
NANOG. :)

Given that there are a number of forums that more directly address either
Cisco-specific issues or are specific to vulnerability announcements, we're
happy to discontinue sending to the NANOG list directly.

Cisco maintains a mailing list and RSS feed to which we send our Security
Advisories, and you're welcome to join if interested:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

Thanks,

Clay




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Valdis . Kletnieks
On Tue, 01 Apr 2014 15:24:32 -0400, Chuck Church said:
> Given that probably 80+% (a guess, but I'd be really surprised at a lower
> figure) of all internet traffic crosses at least one Cisco device somewhere,
> I think it would be a huge disservice to discontinue sending these emails.

Actually, the *real* value here is for those of us who are *not* Cisco
shops, but the box at the other end of the wire *is*, so that we can be
aware of what possible problems the other end may encounter




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Scott Weeks


--- ckoss...@cisco.com wrote:
From: Clay Kossmeyer ckoss...@cisco.com

[...] we’re happy to discontinue sending to the NANOG list directly.
--



Instead of discontinuing them how about one email that contains 
all the details, rather than one email per detail.  Similar to
what I sent to the list earlier.  For example:

--
The Semiannual Cisco IOS Software Security Advisory has been released.

For information please goto this URL:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

Advisory titles:
- Session Initiation Protocol Denial of Service Vulnerability
- Cisco 7600 Series Route Switch Processor 720 with 10 Gigabit Ethernet 
  Uplinks Denial of Service Vulnerability
- Internet Key Exchange Version 2 Denial of Service Vulnerability
- Network Address Translation Vulnerabilities
- SSL VPN Denial of Service Vulnerability
- Crafted IPv6 Packet Denial of Service Vulnerability
---


scott

Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Brandon Butterworth
> The Cisco PSIRT has been sending IOS Security Advisories to
> the NANOG mailing list for well over a decade

Thank you, much appreciated

> Given that there are a number of forums that more directly
> address either Cisco-specific issues or are specific to
> vulnerability announcements, we’re happy to discontinue
> sending to the NANOG list directly.

They are lost in the noise of some endless threads

> Cisco maintains a mailing list and RSS feed to which we
> send our Security Advisories

NANOG having a filtered feed of ISP backbone risk level
advisories seems fair

brandon



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Ted Hatfield

On Tue, 1 Apr 2014, Brandon Butterworth wrote:

>> The Cisco PSIRT has been sending IOS Security Advisories to
>> the NANOG mailing list for well over a decade
>
> Thank you, much appreciated
>
>> Given that there are a number of forums that more directly
>> address either Cisco-specific issues or are specific to
>> vulnerability announcements, we're happy to discontinue
>> sending to the NANOG list directly.
>
> They are lost in the noise of some endless threads
>
>> Cisco maintains a mailing list and RSS feed to which we
>> send our Security Advisories
>
> NANOG having a filtered feed of ISP backbone risk level
> advisories seems fair
>
> brandon




One of the reasons I subscribe to the NANOG list is to get these security
advisories.  I can always subscribe to another security list if necessary
but I would hope that CISCO would continue to send these notices,
even if they are in a digest format.


Ted Hatfield



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Mike

On 04/01/2014 11:44 AM, Clay Kossmeyer wrote:

> Hi All -
>
> The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing
> list for well over a decade.  We started this process a long time ago at the
> request of the list’s then-membership and haven’t been asked to change since.
>
> Admittedly, vulnerability disclosure/discussion/reporting has changed a bit
> over the years and we may be a bit overdue on rethinking the need to send to
> NANOG. :)
>
> Given that there are a number of forums that more directly address either
> Cisco-specific issues or are specific to vulnerability announcements, we’re
> happy to discontinue sending to the NANOG list directly.
>
> Cisco maintains a mailing list and RSS feed to which we send our Security
> Advisories, and you’re welcome to join if interested:
>
> http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

It's true this information is also available in other forums, but I don't
have time to filter thru all of those. I *do* have time for nanog,
however, because of the good cross section represented here and because
it's worthwhile to be aware of what may be happening in other people's
camps, because very frequently problems on one side of the wire can
spill over and affect the other side as well. I think the advisories are
highly relevant then and absolutely should be included here on nanog.


Thanks.




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-04-01 Thread Randy

From: Clay Kossmeyer ckoss...@cisco.com
To: nanog@nanog.org 
Cc: Clay Seaman-Kossmeyer (ckossmey) ckoss...@cisco.com 
Sent: Tuesday, April 1, 2014 11:44 AM
Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of 
Service Vulnerability



Hi All -

The Cisco PSIRT has been sending IOS Security Advisories to the NANOG mailing 
list for well over a decade.  We started this process a long time ago at the 
request of the list’s then-membership and haven’t been asked to change since.

Admittedly, vulnerability disclosure/discussion/reporting has changed a bit 
over the years and we may be a bit overdue on rethinking the need to send to 
NANOG. :)

Given that there are a number of forums that more directly address either 
Cisco-specific issues or are specific to vulnerability announcements, we’re 
happy to discontinue sending to the NANOG list directly.

Cisco maintains a mailing list and RSS feed to which we send our Security 
Advisories, and you’re welcome to join if interested:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#rsvifc

Thanks,

Clay




Touche'!

such is NANOG...a few who post more frequently than most like to umm... 
Speak-UP.

./Randy




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-28 Thread Mark Tinka
On Friday, March 28, 2014 05:48:29 AM Shrdlu wrote:

> Why? Personally, I think it's fine. It only happens (at
> most) every six months (and sometimes more like a year).

I think it's fine too.

As I'm sure you know, if you're a Cisco customer, you can 
subscribe to their internal notification services where 
you'll get this anyway.

That they consolidate the most critical bug information and 
push it out to the typical operational mailing lists a 
couple of times a year is not such a problem, I'd say. For 
some, this could be the only way they find out.

Mark.




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread kendrick eastes
The Full-disclosure mailing list was recently... retired, I guess cisco
thought NANOG was the next best place.


On Wed, Mar 26, 2014 at 10:45 AM, rw...@ropeguru.com <rw...@ropeguru.com> wrote:


 Is this normal for the list to directly get Cisco security advisories or
 something new. First time I have seen these.

 Robert


 On Wed, 26 Mar 2014 12:10:00 -0400
  Cisco Systems Product Security Incident Response Team ps...@cisco.com
 wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Cisco IOS Software SSL VPN Denial of Service Vulnerability

 Advisory ID: cisco-sa-20140326-ios-sslvpn

 Revision 1.0

 For Public Release 2014 March 26 16:00  UTC (GMT)

 Summary
 ===

 A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco
 IOS Software could allow an unauthenticated, remote attacker to cause a
 denial of service (DoS) condition.

 The vulnerability is due to a failure to process certain types of HTTP
 requests. To exploit the vulnerability, an attacker could submit crafted
 requests designed to consume memory to an affected device. An exploit could
 allow the attacker to consume and fragment memory on the affected device.
 This may cause reduced performance, a failure of certain processes, or a
 restart of the affected device.

 Cisco has released free software updates that address this vulnerability.
 There are no workarounds to mitigate this vulnerability.

 This advisory is available at the following link:
 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

 Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
 publication includes six Cisco Security Advisories. All advisories address
 vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
 Advisory lists the Cisco IOS Software releases that correct the
 vulnerability or vulnerabilities detailed in the advisory as well as the
 Cisco IOS Software releases that correct all Cisco IOS Software
 vulnerabilities in the March 2014 bundled publication.

 Individual publication links are in Cisco Event Response: Semiannual
 Cisco IOS Software Security Advisory Bundled Publication at the following
 link:

 http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html






Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread cbr
For anyone who was subscribed to the old full-disclosure list ... Fyodor of nmap
has brought it back to life.


Infolink @ http://insecure.org/news/fulldisclosure/
Subscribe @ http://nmap.org/mailman/listinfo/fulldisclosure


On Mar 26, 2014, at 10:52 AM, kendrick eastes keas...@gmail.com wrote:

 The Full-disclosure mailing list was recently... retired, I guess cisco
 thought NANOG was the next best place.
 
 
 On Wed, Mar 26, 2014 at 10:45 AM, rw...@ropeguru.com <rw...@ropeguru.com> wrote:
 
 
 Is this normal for the list to directly get Cisco security advisories or
 something new. First time I have seen these.
 
 Robert
 
 
 On Wed, 26 Mar 2014 12:10:00 -0400
 Cisco Systems Product Security Incident Response Team ps...@cisco.com
 wrote:
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Cisco IOS Software SSL VPN Denial of Service Vulnerability
 
 Advisory ID: cisco-sa-20140326-ios-sslvpn
 
 Revision 1.0
 
 For Public Release 2014 March 26 16:00  UTC (GMT)
 
 Summary
 ===
 
 A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco
 IOS Software could allow an unauthenticated, remote attacker to cause a
 denial of service (DoS) condition.
 
 The vulnerability is due to a failure to process certain types of HTTP
 requests. To exploit the vulnerability, an attacker could submit crafted
 requests designed to consume memory to an affected device. An exploit could
 allow the attacker to consume and fragment memory on the affected device.
 This may cause reduced performance, a failure of certain processes, or a
 restart of the affected device.
 
 Cisco has released free software updates that address this vulnerability.
 There are no workarounds to mitigate this vulnerability.
 
 This advisory is available at the following link:
 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
 
 Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
 publication includes six Cisco Security Advisories. All advisories address
 vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
 Advisory lists the Cisco IOS Software releases that correct the
 vulnerability or vulnerabilities detailed in the advisory as well as the
 Cisco IOS Software releases that correct all Cisco IOS Software
 vulnerabilities in the March 2014 bundled publication.
 
 Individual publication links are in Cisco Event Response: Semiannual
 Cisco IOS Software Security Advisory Bundled Publication at the following
 link:
 
 http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
 
 
 
 





Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Matt Palmer
On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote:
 The Full-disclosure mailing list was recently... retired, I guess cisco
 thought NANOG was the next best place.

Nope, they've been sending these things here for as long as I can remember. 
I have NFI why -- probably hubris, thinking that everyone running a network
*must* have some Cisco somewhere.

- Matt




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Larry Sheldon

On 3/27/2014 4:07 PM, Matt Palmer wrote:

On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote:

The Full-disclosure mailing list was recently... retired, I guess cisco
thought NANOG was the next best place.


Nope, they've been sending these things here for as long as I can remember.
I have NFI why -- probably hubris, thinking that everyone running a network
*must* have some Cisco somewhere.


There used to be cisco 'wigs with well-known names on NANOG.

One of them was probably asked to do it.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Alexander Neilson
I wonder if they should be invited to only post a single message with the 
titles and links to the alerts so that people can follow it up.

They should also include a link to their own list that they send the full 
alerts to.

That way there could be some headline alerting to people that there is 
something in that topic available but avoids sending each alert to the list 
every time.

Depends on compliance with the charter for the list but I think it might be 
nice list etiquette.

Regards
Alexander

On 28/03/2014, at 3:27 pm, Larry Sheldon larryshel...@cox.net wrote:

 On 3/27/2014 4:07 PM, Matt Palmer wrote:
 On Wed, Mar 26, 2014 at 10:52:42AM -0600, kendrick eastes wrote:
 The Full-disclosure mailing list was recently... retired, I guess cisco
 thought NANOG was the next best place.
 
 Nope, they've been sending these things here for as long as I can remember.
 I have NFI why -- probably hubris, thinking that everyone running a network
 *must* have some Cisco somewhere.
 
 There used to be cisco 'wigs with well-known names on NANOG.
 
 One of them was probably asked to do it.
 
 
 
 -- 
 Requiescas in pace o email   Two identifying characteristics
of System Administrators:
 Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)
 




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Shrdlu

On 3/27/2014 7:44 PM, Alexander Neilson wrote:

I wonder if they should be invited to only post a single message with
the titles and links to the alerts so that people can follow it up.


Why? Personally, I think it's fine. It only happens (at most) every six
months (and sometimes more like a year).


Depends on compliance with the charter for the list but I think it
might be nice list etiquette.


I'm surprised at the level of concern over this, considering it's an
event that has been going on since before most of those posting about
this were even on this list. I'm hoping (in vain, I'm sure) that my
gently pointing out that those posts are useful to many people, and
that their occurrence predates most of you, will make this non-issue
die away (and you make me REALLY MISS srh).

While I still worked (I don't now; I'm retired), it was nice to have
those alerts, because it could be checked against the *things* *that*
*should* *be* *patched* for sanity. Even now, there's still Cisco stuff
on my toy network, and I *still* care.

Could we just stick to the interesting issues of IPv6, and SMTP, and
move on? Please?

--
You've confused equality of opportunity for equality of outcomes,
and have seriously confused justice with equality.
(Woodchuck)



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Randy Bush
Alexander Neilson alexan...@neilson.net.nz wrote:
 I wonder if they should be invited to only post a single message with
 the titles and links to the alerts so that people can follow it up.

i would prefer that the header be in blue, the titles in green, and the
urls in magenta, in comic sans, of course

randy



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Larry Sheldon

On 3/27/2014 11:57 PM, Randy Bush wrote:

Alexander Neilson alexan...@neilson.net.nz wrote:

I wonder if they should be invited to only post a single message with
the titles and links to the alerts so that people can follow it up.


i would prefer that the header be in blue, the titles in green, and the
urls in magenta, in comic sans, of course


I prefer flat ASCII text.  That will shut most of them up.


--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-27 Thread Peter Kristolaitis

On 3/28/2014 12:57 AM, Randy Bush wrote:

Alexander Neilson alexan...@neilson.net.nz wrote:

I wonder if they should be invited to only post a single message with
the titles and links to the alerts so that people can follow it up.

i would prefer that the header be in blue, the titles in green, and the
urls in magenta, in comic sans, of course

randy



I disagree vehemently.  That's far too simple of a system and doesn't 
convey the necessary information that should be in a summary document.


Titles should be either cerise, amaranth or raspberry coloured, 
depending on the bug's severity, and the headers should be blue-gray, 
glaucous or steel blue depending on the day of the week the bug was 
discovered.  Some people might whine that those colors are too close to 
each other, but they can just buy a colorimeter -- that's an operational 
problem anyways.


I can agree to comic sans, as long as it blinks.

Actually, we should probably just set up a committee for report 
styling.  We really need an industry standard for this, and one that 
covers all possible reporting needs for at least the next 20 years.   
Shouldn't take more than a few weeks.


I think I have a TPS report template around here that would be a great 
starting point   :p




Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00  UTC (GMT)

Summary
===

A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS 
Software could allow an unauthenticated, remote attacker to cause a denial of 
service (DoS) condition.

The vulnerability is due to a failure to process certain types of HTTP 
requests. To exploit the vulnerability, an attacker could submit crafted 
requests designed to consume memory to an affected device. An exploit could 
allow the attacker to consume and fragment memory on the affected device. This 
may cause reduced performance, a failure of certain processes, or a restart of 
the affected device.

Cisco has released free software updates that address this vulnerability.
There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled 
publication includes six Cisco Security Advisories. All advisories address 
vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security 
Advisory lists the Cisco IOS Software releases that correct the vulnerability 
or vulnerabilities detailed in the advisory as well as the Cisco IOS Software 
releases that correct all Cisco IOS Software vulnerabilities in the March 2014 
bundled publication.

Individual publication links are in Cisco Event Response: Semiannual Cisco IOS 
Software Security Advisory Bundled Publication at the following link:

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread rw...@ropeguru.com


Is this normal for the list to directly get Cisco security advisories 
or something new. First time I have seen these.


Robert

On Wed, 26 Mar 2014 12:10:00 -0400
 Cisco Systems Product Security Incident Response Team 
ps...@cisco.com wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00  UTC (GMT)

Summary
===

A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of 
Cisco IOS Software could allow an unauthenticated, remote attacker to 
cause a denial of service (DoS) condition.


The vulnerability is due to a failure to process certain types of 
HTTP requests. To exploit the vulnerability, an attacker could submit 
crafted requests designed to consume memory to an affected device. An 
exploit could allow the attacker to consume and fragment memory on 
the affected device. This may cause reduced performance, a failure of 
certain processes, or a restart of the affected device.


Cisco has released free software updates that address this 
vulnerability.

There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

Note: The March 26, 2014, Cisco IOS Software Security Advisory 
bundled publication includes six Cisco Security Advisories. All 
advisories address vulnerabilities in Cisco IOS Software. Each Cisco 
IOS Software Security Advisory lists the Cisco IOS Software releases 
that correct the vulnerability or vulnerabilities detailed in the 
advisory as well as the Cisco IOS Software releases that correct all 
Cisco IOS Software vulnerabilities in the March 2014 bundled 
publication.


Individual publication links are in Cisco Event Response: Semiannual 
Cisco IOS Software Security Advisory Bundled Publication at the 
following link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-






Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread james
They don't come out often but it happens.  Looks like there were 5 or 6 of them.

James

-Original Message-
From: rw...@ropeguru.com rw...@ropeguru.com
Date: Wed, 26 Mar 2014 12:45:18 
To: ps...@cisco.com; nanog@nanog.org
Reply-To: Robert Webb rw...@ropeguru.com
Subject: Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial
 of Service Vulnerability


Is this normal for the list to directly get Cisco security advisories 
or something new. First time I have seen these.

Robert

On Wed, 26 Mar 2014 12:10:00 -0400
  Cisco Systems Product Security Incident Response Team 
ps...@cisco.com wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Cisco IOS Software SSL VPN Denial of Service Vulnerability
 
 Advisory ID: cisco-sa-20140326-ios-sslvpn
 
 Revision 1.0
 
For Public Release 2014 March 26 16:00  UTC (GMT)
 
 Summary
 ===
 
 A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of 
Cisco IOS Software could allow an unauthenticated, remote attacker to 
cause a denial of service (DoS) condition.
 
 The vulnerability is due to a failure to process certain types of 
HTTP requests. To exploit the vulnerability, an attacker could submit 
crafted requests designed to consume memory to an affected device. An 
exploit could allow the attacker to consume and fragment memory on 
the affected device. This may cause reduced performance, a failure of 
certain processes, or a restart of the affected device.
 
 Cisco has released free software updates that address this 
vulnerability.
 There are no workarounds to mitigate this vulnerability.
 
 This advisory is available at the following link:
 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
 
 Note: The March 26, 2014, Cisco IOS Software Security Advisory 
bundled publication includes six Cisco Security Advisories. All 
advisories address vulnerabilities in Cisco IOS Software. Each Cisco 
IOS Software Security Advisory lists the Cisco IOS Software releases 
that correct the vulnerability or vulnerabilities detailed in the 
advisory as well as the Cisco IOS Software releases that correct all 
Cisco IOS Software vulnerabilities in the March 2014 bundled 
publication.
 
 Individual publication links are in Cisco Event Response: Semiannual 
Cisco IOS Software Security Advisory Bundled Publication at the 
following link:
 
 http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 
 -END PGP SIGNATURE-
 




Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread Mikael Abrahamsson

On Wed, 26 Mar 2014, rw...@ropeguru.com wrote:

Is this normal for the list to directly get Cisco security advisories or 
something new. First time I have seen these.


They do this twice a year, all their advisories were sent here about half 
a year ago as well.


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread Andrew Latham
Robert

Perfectly normal, almost an announce list for issues like this.

On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com rw...@ropeguru.com wrote:

 Is this normal for the list to directly get Cisco security advisories or
 something new. First time I have seen these.

 Robert


 On Wed, 26 Mar 2014 12:10:00 -0400
  Cisco Systems Product Security Incident Response Team ps...@cisco.com
 wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Cisco IOS Software SSL VPN Denial of Service Vulnerability

 Advisory ID: cisco-sa-20140326-ios-sslvpn

 Revision 1.0

 For Public Release 2014 March 26 16:00  UTC (GMT)

 Summary
 ===

 A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco
 IOS Software could allow an unauthenticated, remote attacker to cause a
 denial of service (DoS) condition.

 The vulnerability is due to a failure to process certain types of HTTP
 requests. To exploit the vulnerability, an attacker could submit crafted
 requests designed to consume memory to an affected device. An exploit could
 allow the attacker to consume and fragment memory on the affected device.
 This may cause reduced performance, a failure of certain processes, or a
 restart of the affected device.

 Cisco has released free software updates that address this vulnerability.
 There are no workarounds to mitigate this vulnerability.

 This advisory is available at the following link:

 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

 Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
 publication includes six Cisco Security Advisories. All advisories address
 vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
 Advisory lists the Cisco IOS Software releases that correct the
 vulnerability or vulnerabilities detailed in the advisory as well as the
 Cisco IOS Software releases that correct all Cisco IOS Software
 vulnerabilities in the March 2014 bundled publication.

 Individual publication links are in Cisco Event Response: Semiannual Cisco
 IOS Software Security Advisory Bundled Publication at the following link:

 http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
 Comment: GPGTools - http://gpgtools.org

 -END PGP SIGNATURE-






-- 
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~



Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread rw...@ropeguru.com


Thanks everyone for the replies. I guess since they are done so 
infrequently, I was not a list member the last go around.


Robert

On Wed, 26 Mar 2014 12:58:44 -0400
 Andrew Latham lath...@gmail.com wrote:

Robert

Perfectly normal, almost an announce list for issues like this.

On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com 
rw...@ropeguru.com wrote:


Is this normal for the list to directly get Cisco security advisories or
something new. First time I have seen these.

Robert


On Wed, 26 Mar 2014 12:10:00 -0400
 Cisco Systems Product Security Incident Response Team 
ps...@cisco.com

wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco IOS Software SSL VPN Denial of Service Vulnerability

Advisory ID: cisco-sa-20140326-ios-sslvpn

Revision 1.0

For Public Release 2014 March 26 16:00  UTC (GMT)

Summary
===

A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of 
Cisco
IOS Software could allow an unauthenticated, remote attacker to 
cause a

denial of service (DoS) condition.

The vulnerability is due to a failure to process certain types of 
HTTP
requests. To exploit the vulnerability, an attacker could submit 
crafted
requests designed to consume memory to an affected device. An 
exploit could
allow the attacker to consume and fragment memory on the affected 
device.
This may cause reduced performance, a failure of certain processes, 
or a

restart of the affected device.

Cisco has released free software updates that address this 
vulnerability.

There are no workarounds to mitigate this vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn

Note: The March 26, 2014, Cisco IOS Software Security Advisory 
bundled
publication includes six Cisco Security Advisories. All advisories 
address
vulnerabilities in Cisco IOS Software. Each Cisco IOS Software 
Security

Advisory lists the Cisco IOS Software releases that correct the
vulnerability or vulnerabilities detailed in the advisory as well as 
the

Cisco IOS Software releases that correct all Cisco IOS Software
vulnerabilities in the March 2014 bundled publication.

Individual publication links are in Cisco Event Response: Semiannual 
Cisco
IOS Software Security Advisory Bundled Publication at the following 
link:


http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-END PGP SIGNATURE-








--
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~





Re: Cisco Security Advisory: Cisco IOS Software SSL VPN Denial of Service Vulnerability

2014-03-26 Thread Justin M. Streiner

These also get posted to other mailing lists, such as cisco-nsp.

jms

On Wed, 26 Mar 2014, rw...@ropeguru.com wrote:



Thanks everyone for the replies. I guess since they are done so infrequently, 
I was not a list member the last go around.


Robert

On Wed, 26 Mar 2014 12:58:44 -0400
 Andrew Latham lath...@gmail.com wrote:

 Robert

 Perfectly normal, almost an announce list for issues like this.

 On Wed, Mar 26, 2014 at 12:45 PM, rw...@ropeguru.com 
rw...@ropeguru.com wrote:
 
 Is this normal for the list to directly get Cisco security advisories or
  something new. First time I have seen these.
 
  Robert
 
 
  On Wed, 26 Mar 2014 12:10:00 -0400

   Cisco Systems Product Security Incident Response Team ps...@cisco.com
  wrote:
  
   -BEGIN PGP SIGNED MESSAGE-

   Hash: SHA1
  
   Cisco IOS Software SSL VPN Denial of Service Vulnerability
  
   Advisory ID: cisco-sa-20140326-ios-sslvpn
  
   Revision 1.0
  
   For Public Release 2014 March 26 16:00  UTC (GMT)
  
   Summary

   ===
  
  A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of 
  Cisco

  IOS Software could allow an unauthenticated, remote attacker to cause a
   denial of service (DoS) condition.
  
  The vulnerability is due to a failure to process certain types of HTTP
  requests. To exploit the vulnerability, an attacker could submit 
  crafted
  requests designed to consume memory to an affected device. An exploit 
  could
  allow the attacker to consume and fragment memory on the affected 
  device.
  This may cause reduced performance, a failure of certain processes, or 
  a

   restart of the affected device.
  
  Cisco has released free software updates that address this 
  vulnerability.

   There are no workarounds to mitigate this vulnerability.
  
   This advisory is available at the following link:
  
   http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn
  
  Note: The March 26, 2014, Cisco IOS Software Security Advisory bundled
  publication includes six Cisco Security Advisories. All advisories 
  address

  vulnerabilities in Cisco IOS Software. Each Cisco IOS Software Security
   Advisory lists the Cisco IOS Software releases that correct the
   vulnerability or vulnerabilities detailed in the advisory as well as 
  the

   Cisco IOS Software releases that correct all Cisco IOS Software
   vulnerabilities in the March 2014 bundled publication.
  
  Individual publication links are in Cisco Event Response: Semiannual 
  Cisco
  IOS Software Security Advisory Bundled Publication at the following 
  link:
  
   http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html

   -BEGIN PGP SIGNATURE-
   Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
   Comment: GPGTools - http://gpgtools.org
  
   -END PGP SIGNATURE-
  
 





 -- 
~  Andrew lathama Latham lath...@gmail.com http://lathama.net ~








Juniper SSL VPN

2013-12-31 Thread Sharma, Kapeel
Anyone heard of a host checker issue with Juniper VPN today?

Thanks
Kapeel



Re: Juniper SSL VPN

2013-12-31 Thread Jamie Gwatkin
Could be related to this?
http://kb.juniper.net/InfoCenter/index?page=contentid=TSB16290


On Tue, Dec 31, 2013 at 10:31 AM, Sharma, Kapeel kapeel.sha...@mckesson.com
 wrote:

 Anyone heard of a host checker issue with Juniper VPN today?

 Thanks
 Kapeel




RE: Juniper SSL VPN

2013-12-31 Thread Sharma, Kapeel
This is it thanks.

Kapeel

From: Jamie Gwatkin [mailto:jgwat...@magmic.com]
Sent: Tuesday, December 31, 2013 7:43 AM
To: Sharma, Kapeel
Cc: nanog@nanog.org
Subject: Re: Juniper SSL VPN

Could be related to this? 
http://kb.juniper.net/InfoCenter/index?page=contentid=TSB16290

On Tue, Dec 31, 2013 at 10:31 AM, Sharma, Kapeel 
kapeel.sha...@mckesson.com wrote:
Anyone heard of a host checker issue with Juniper VPN today?

Thanks
Kapeel



Re: Juniper SSL VPN

2013-12-31 Thread Mike Hale
Wow.   Thanks for posting this.   I thought we were just going crazy
yesterday.
On Dec 31, 2013 7:45 AM, Jamie Gwatkin jgwat...@magmic.com wrote:

 Could be related to this?
 http://kb.juniper.net/InfoCenter/index?page=contentid=TSB16290


 On Tue, Dec 31, 2013 at 10:31 AM, Sharma, Kapeel 
 kapeel.sha...@mckesson.com
  wrote:

  Anyone heard of a host checker issue with Juniper VPN today?
 
  Thanks
  Kapeel
 
 



Re: Juniper SSL VPN

2013-12-31 Thread Valdis . Kletnieks
On Tue, 31 Dec 2013 10:43:02 -0500, Jamie Gwatkin said:
 Could be related to this?
 http://kb.juniper.net/InfoCenter/index?page=contentid=TSB16290

Do I want to ask why *THIS*?

Estimated Fix Date:
Juniper engineering has root caused this issue is working to build and release
a ESAP fix as soon as possible. The initial estimated release date for the fix
is between 12/31/2013 (PST) and 1/3/2014 (PST). We will update this message
regularly with the current status until we resolve this issue.

We need an emergency fix because a piece of software unexpectedly hit
an end-of-life date?  Didn't we learn anything 14 years ago??!?





Re: Juniper SSL VPN

2013-12-31 Thread Eugeniu Patrascu
On Tue, Dec 31, 2013 at 7:31 PM, valdis.kletni...@vt.edu wrote:

 On Tue, 31 Dec 2013 10:43:02 -0500, Jamie Gwatkin said:
  Could be related to this?
  http://kb.juniper.net/InfoCenter/index?page=contentid=TSB16290

 Do I want to ask why *THIS*?

 Estimated Fix Date:
 Juniper engineering has root caused this issue is working to build and
 release
 a ESAP fix as soon as possible. The initial estimated release date for the
 fix
 is between 12/31/2013 (PST) and 1/3/2014 (PST). We will update this message
 regularly with the current status until we resolve this issue.

 We need an emergency fix because a piece of software unexpectedly hit
 an end-of-life date?  Didn't we learn anything 14 years ago??!?


Juniper just posted a technical note saying the issue is fixed and a new
ESAP package is out.


Re: Juniper SSL VPN

2013-12-31 Thread Valdis . Kletnieks
On Tue, 31 Dec 2013 23:09:58 +0200, Eugeniu Patrascu said:

  We need an emergency fix because a piece of software unexpectedly hit
  an end-of-life date?  Didn't we learn anything 14 years ago??!?
 
 
 Juniper just posted a technical note saying the issue is fixed and a new
 ESAP package is out.

Right. The question is why it's coming out on the last day of December,
rather than the last day of November, or even October...




Re: Juniper SSL VPN

2013-12-31 Thread Matt Palmer
On Tue, Dec 31, 2013 at 04:19:24PM -0500, valdis.kletni...@vt.edu wrote:
 On Tue, 31 Dec 2013 23:09:58 +0200, Eugeniu Patrascu said:
 
   We need an emergency fix because a piece of software unexpectedly hit
   an end-of-life date?  Didn't we learn anything 14 years ago??!?
  
  
  Juniper just posted a technical note saying the issue is fixed and a new
  ESAP package is out.
 
 Right. The question is why it's coming out on the last day of December,
 rather than the last day of November, or even October...

To punish you for having the gall to think you could celebrate the new year
like a normal human being, instead of doing what you *should* be doing,
tending to the machines.

(At the risk of crossing the streams, I'll observe that I've not spent a new
year's eve or day patching my Linux-based VPN servers...)

- Matt

-- 
You keep using that word.  I do not think it means what you think it means.
-- Inigo, The Princess Bride




Re: Juniper SSL VPN

2013-12-31 Thread Eugeniu Patrascu
On Tue, Dec 31, 2013 at 11:19 PM, valdis.kletni...@vt.edu wrote:

 On Tue, 31 Dec 2013 23:09:58 +0200, Eugeniu Patrascu said:

   We need an emergency fix because a piece of software unexpectedly hit
   an end-of-life date?  Didn't we learn anything 14 years ago??!?
  
  
  Juniper just posted a technical note saying the issue is fixed and a new
  ESAP package is out.

 Right. The question is why it's coming out on the last day of December,
 rather than the last day of November, or even October...


From what I understood from the tech note, they had no clue this would
happen on the 31st of December :)


Re: Juniper SSL VPN

2013-12-31 Thread Christopher Morrow
Had no clue? Didn't they build it?
On Dec 31, 2013 7:46 PM, Eugeniu Patrascu eu...@imacandi.net wrote:

 On Tue, Dec 31, 2013 at 11:19 PM, valdis.kletni...@vt.edu wrote:

  On Tue, 31 Dec 2013 23:09:58 +0200, Eugeniu Patrascu said:
 
We need an emergency fix because a piece of software unexpectedly hit
an end-of-life date?  Didn't we learn anything 14 years ago??!?
   
   
   Juniper just posted a technical note saying the issue is fixed and a
 new
   ESAP package is out.
 
  Right. The question is why it's coming out on the last day of December,
  rather than the last day of November, or even October...
 

 From what I understood from the tech note, they had no clue this would
 happen on the 31st of December :)



Re: Juniper SSL VPN

2013-12-31 Thread Hank Nussbacher

At 20:55 31/12/2013 -0500, Christopher Morrow wrote:

Had no clue? Didn't they build it?

 From what I understood from the tech note, they had no clue this would
 happen on the 31st of December :)


Perhaps it is a left over somehow from their Netscreen purchase (April 2004)?

-Hank





Re: Juniper SSL VPN

2013-12-31 Thread Christopher Morrow
and in ~10 yrs no one did a code review? or refactor? or dependency check?

On Wed Jan 01 2014 at 12:42:09 AM, Hank Nussbacher h...@efes.iucc.ac.il
wrote:

 At 20:55 31/12/2013 -0500, Christopher Morrow wrote:
 Had no clue? Didn't they build it?
  
   From what I understood from the tech note, they had no clue this would
   happen on the 31st of December :)

 Perhaps it is a left over somehow from their Netscreen purchase (April
 2004)?

 -Hank