1197 Views, 0 Helpful, 5 Replies

Penetration Test to IPSec Tunnel in ASA 5510 FW

Nay Myo Tun
Level 1

Hi,

I have one network deployment project and have set up the IPSec site-to-site VPN tunnel using the ASA 5510 FW. But according to our customer requirement, we need to prove that the tunnel shouldn't be able to sniff the data between two sites. Is there any way to conduct a penetration test in order to prove that the tunnel is not able to sniff the packets/data between two sites?

5 Replies

Collin Clark
VIP Alumni

Is it possible for you to put a hardware tap in? If so, put it in and try a packet capture and view the results.

May I know what kind of HW you suggest to tap in? Or any recommendation of sniffing utility/tools?

For a network TAP-

http://www.networktaps.com/

For a sniffer, a free one is Wireshark. It's not the greatest tool, but it will work fine in your situation-

www.wireshark.org

ROBERTO TACCON
Level 4

Hi,

I advise the following service:

http://www.nta-monitor.com/services/externalservices.html#vpn

Regards

Roberto Taccon

Mark Rigby
Level 1

Connect the outside interface of the ASA to a Catalyst switch along with your WAN router, then SPAN the port(s) and collect the data in Wireshark. This would emulate someone outside the FW trying to look at traffic traversing between the two sites; you will need to be using public IP addressing on the outside of the ASA, of course.

Obviously don't use a switch that is connected to your production network unless you create an isolated VLAN on said switch for the purpose of testing this configuration. You could also do this with a completely separate hub on a temporary basis.
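Once the tap or SPAN capture described in the replies above has been taken, the evidence for the customer is the absence of anything but ESP/IKE between the two peers and the absence of any inner-LAN addresses in the clear. The script below is an added example (not from the thread, and not Cisco or Wireshark code) that performs exactly that audit over raw Ethernet frames. It assumes hypothetical peer addresses 203.0.113.10 and 198.51.100.20, inner LANs 10.1.1.0/24 and 10.2.2.0/24, and Ethernet II framing; the five sample frames are constructed inline so it runs offline, whereas a real run would read frames from the pcap Wireshark or tcpdump wrote. It also covers one caveat the replies do not mention: seeing ESP on the wire only proves encapsulation, not encryption, because the ASA accepts an esp-null transform set, so the script additionally checks whether an ESP payload still looks like a plaintext inner IPv4 packet.

```python
"""Audit frames captured on the ASA outside segment for IPsec tunnel leaks.

Added example, not from the original thread. Peer and inner addresses below
are hypothetical; the sample frames are constructed here, not captured.
"""
import ipaddress
import struct

ESP_PROTO, AH_PROTO, UDP_PROTO = 50, 51, 17

# Hypothetical topology (assumption, not from the post)
PEER_A = ipaddress.IPv4Address("203.0.113.10")
PEER_B = ipaddress.IPv4Address("198.51.100.20")
INNER_NETS = [ipaddress.ip_network("10.1.1.0/24"),
              ipaddress.ip_network("10.2.2.0/24")]


def parse_ipv4(frame):
    """Parse an Ethernet II frame carrying IPv4; return a dict or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    pkt = {"src": ipaddress.IPv4Address(ip[12:16]),
           "dst": ipaddress.IPv4Address(ip[16:20]),
           "proto": ip[9], "sport": None, "dport": None,
           "payload": ip[ihl:total_len]}
    if pkt["proto"] == UDP_PROTO and len(pkt["payload"]) >= 8:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", pkt["payload"][:4])
        pkt["payload"] = pkt["payload"][8:]  # strip the UDP header
    return pkt


def classify(pkt):
    """Return 'esp', 'ah', 'ike' or 'other' for a parsed packet."""
    if pkt["proto"] == ESP_PROTO:
        return "esp"
    if pkt["proto"] == AH_PROTO:
        return "ah"
    if pkt["proto"] == UDP_PROTO:
        ports = {pkt["sport"], pkt["dport"]}
        if 500 in ports:
            return "ike"
        if 4500 in ports:  # NAT-T: 4-byte zero marker = IKE, else ESP-in-UDP
            return "ike" if pkt["payload"][:4] == b"\x00\x00\x00\x00" else "esp"
    return "other"


def esp_looks_plaintext(esp_payload, inner_nets):
    """True if the bytes after SPI+sequence look like an unencrypted inner IPv4
    packet between the inner LANs (what an esp-null transform set produces)."""
    inner = esp_payload[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return False
    src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    return any(src in n or dst in n for n in inner_nets)


def audit(frames, peer_a, peer_b, inner_nets):
    """Return (frame_index, finding, detail) for every frame that contradicts
    'only encrypted IPsec between the peers is visible on the outside'."""
    findings = []
    for i, frame in enumerate(frames):
        pkt = parse_ipv4(frame)
        if pkt is None:
            continue
        src, dst, detail = pkt["src"], pkt["dst"], f"{pkt['src']}->{pkt['dst']} proto {pkt['proto']}"
        if any(a in n for a in (src, dst) for n in inner_nets):
            findings.append((i, "inner-address-in-clear", detail))  # bypassed the tunnel
        elif {src, dst} == {peer_a, peer_b}:
            kind = classify(pkt)
            if kind == "other":
                findings.append((i, "non-ipsec-between-peers", detail))
            elif kind == "esp" and esp_looks_plaintext(pkt["payload"], inner_nets):
                findings.append((i, "esp-null-plaintext", detail))
    return findings


# --- constructed sample frames (not a real capture) -------------------------
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)  # checksum left 0
    return hdr + payload


def build_frame(src, dst, proto, payload):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + build_ipv4(src, dst, proto, payload)


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_FRAMES = [
    # 0: ESP with opaque ciphertext: expected, no finding
    build_frame(str(PEER_A), str(PEER_B), ESP_PROTO, struct.pack("!II", 0xDEADBEEF, 1) + bytes(range(0x80, 0xB0))),
    # 1: IKE on UDP/500: expected, no finding
    build_frame(str(PEER_A), str(PEER_B), UDP_PROTO, build_udp(500, 500, b"\x00" * 28)),
    # 2: ICMP between inner hosts seen on the outside segment: leak
    build_frame("10.1.1.5", "10.2.2.7", 1, b"\x08\x00\x00\x00ping"),
    # 3: ESP whose payload is a plaintext inner packet (esp-null): leak
    build_frame(str(PEER_A), str(PEER_B), ESP_PROTO,
                struct.pack("!II", 0x1000, 7) + build_ipv4("10.1.1.5", "10.2.2.7", 1, b"\x08\x00\x00\x00abcd")),
    # 4: plain TCP between the peers, outside the tunnel: leak
    build_frame(str(PEER_A), str(PEER_B), 6, b"\x00\x17\xc0\x00" + b"\x00" * 16),
]

if __name__ == "__main__":
    for idx, finding, detail in audit(SAMPLE_FRAMES, PEER_A, PEER_B, INNER_NETS):
        print(f"frame {idx}: {finding} ({detail})")
```

The same first two checks can be run interactively in Wireshark on the capture with a display filter of roughly `ip.addr==203.0.113.10 && ip.addr==198.51.100.20 && !esp && !isakmp` (add `udp.port==4500` to the exclusions if NAT-T is in use) plus a second filter for `ip.addr==10.1.1.0/24 || ip.addr==10.2.2.0/24`; an empty result for both is the evidence the customer is asking for. The esp-null check has no filter equivalent, so also confirm on the ASA that the transform set bound to the crypto map uses a real cipher rather than esp-null.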
