05-24-2002 07:38 AM - edited 03-08-2019 10:45 PM
We've asked a company to set up a secure connection (VPN) between some of our branch offices and the HQ. The VPN should have used the Internet as "carrier".
Looking at the configurations made by the company, we found that the connectivity has been set up with simple tunneling without any security protocol implemented (such as IPsec).
Following is an extract from one branch's router configuration.
Interface ETH0
 ip address 70.x.x.x 255.255.255.248 secondary
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
interface tunnel1
 description TO HQ
 ip unnumbered eth0
 tunnel source 194.x.x.1
 tunnel destination 71.x.x.x1
int atm0
 no ip address
int atm0.1
 ip address 194.x.x.1 255.255.255.252
 ip nat outside
.........
.........
ip route 10.0.0.0 255.0.0.0 tunnel1
I'd like to know if this could pose any security risks.
TIA
05-24-2002 10:22 AM
Looks like they're using GRE (Generic Routing Encapsulation). If I understand correctly, GRE is used to tunnel multiple routing protocols between two private networks. IPsec then has to be added to the GRE tunnel to encrypt the traffic. GRE does not provide authentication or encryption like IPsec does.
Hope this helps
05-26-2002 10:24 PM
Hi,
Is the config you posted really the whole config you have on your router? What about access-lists?
From what you posted, I must say your tunnel is not secure at all because there is no encryption of your tunneled traffic. Anybody who is able to sniff your traffic or to do a "man in the middle" attack can read your tunnel traffic, and you don't even know that he is doing it. If you have no access-list and no CBAC, you won't defend against any DoS. The only security you have is the NAT translation. But if a NAT entry is made, anyone can use it from outside.
Hope you can sleep well at night.
Norbert
05-27-2002 01:39 AM
The config had some access lists as well, but all set to "out" on the WAN and eth interfaces (not IN). I can post them if you think they might be useful.
As far as encryption is concerned, there's no encryption enabled on the tunnel interface, at least on the router configuration I had access to. That's what puzzled me most when I was asked to supervise the configuration made by others.
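Added example, not part of any post in this thread: a small Python audit that reads an indented IOS-style configuration and lists tunnel interfaces that have neither `tunnel protection ipsec` / `tunnel mode ipsec` on the tunnel nor a `crypto map` applied to the tunnel source interface, which is the gap discussed above. The sample configuration, the names EXAMPLE-PROFILE and EXAMPLE-MAP, and the function names are constructed for illustration; interface names must be written in full, since abbreviations are not resolved.

```python
import re

# Constructed sample in the style of the posted extract; addresses are documentation ranges.
SAMPLE = """\
interface Tunnel1
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
interface Tunnel2
 tunnel source 192.0.2.1
 tunnel protection ipsec profile EXAMPLE-PROFILE
interface Tunnel3
 tunnel source Serial0
interface ATM0.1
 ip address 192.0.2.1 255.255.255.252
interface Serial0
 ip address 192.0.2.5 255.255.255.252
 crypto map EXAMPLE-MAP
ip route 10.0.0.0 255.0.0.0 Tunnel1
"""

def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands (lower-cased)."""
    blocks, current = {}, None
    for line in config.splitlines():
        head = re.match(r"int(?:erface)?\s+(\S+)", line, re.I)
        if head:
            current = blocks.setdefault(head.group(1).lower(), [])
        elif line[:1] == " " and current is not None:
            current.append(line.strip().lower())
        elif line.strip():
            current = None  # an unindented global command closes the block
    return blocks

def unprotected_tunnels(config):
    """Return tunnel interfaces with no IPsec on the tunnel or on its source interface."""
    blocks = parse_interfaces(config)
    # IP address -> owning interface, to resolve "tunnel source <ip>".
    owner = {c.split()[2]: n for n, cmds in blocks.items()
             for c in cmds if c.startswith("ip address ")}
    ipsec = ("tunnel protection ipsec", "tunnel mode ipsec")
    findings = []
    for name, cmds in blocks.items():
        if not name.startswith("tunnel") or any(c.startswith(ipsec) for c in cmds):
            continue
        src = next((c.split()[2] for c in cmds if c.startswith("tunnel source ")), None)
        src_if = owner.get(src, src)  # source given as an IP or as an interface name
        if any(c.startswith("crypto map ") for c in blocks.get(src_if, [])):
            continue  # crypto map on the egress interface; its ACL is not verified here
        findings.append(name)
    return findings
```

On the constructed sample, `unprotected_tunnels(SAMPLE)` reports only `tunnel1`, the plain GRE tunnel.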