Tunneling security

scolombo (Cisco Employee)

We've asked a company to set up a secure connection (VPN) between some of our branch offices and the HQ. The VPN should have used the Internet as "carrier".

Looking at the configurations made by the company, we found that the connectivity has been set up with simple tunneling, without any security protocol implemented (such as IPsec).

Following is an extract from one branch's router configuration.

interface eth0
 ip address 70.x.x.x 255.255.255.248 secondary
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
interface tunnel1
 description TO HQ
 ip unnumbered eth0
 tunnel source 194.x.x.1
 tunnel destination 71.x.x.x1
!
interface atm0
 no ip address
!
interface atm0.1
 ip address 194.x.x.1 255.255.255.252
 ip nat outside
.........
.........
ip route 10.0.0.0 255.0.0.0 tunnel1

I'd like to know if this could pose any security risks.

TIA

3 Replies

mike-greene (Level 4)

Looks like they're using GRE (Generic Routing Encapsulation). If I understand correctly, GRE is used to tunnel multiple routing protocols between two private networks. IPsec then has to be added to the GRE tunnel to encrypt the traffic. GRE does not provide authentication or encryption like IPsec does.

Hope this helps

nsteup (Level 1)

Hi,

Is the config you posted really the whole config you have on your router? What about access-lists?

From what you posted, I must say your tunnel is not secure at all, because there is no encryption of your tunneled traffic. Anybody who is able to sniff your traffic or to do a "man in the middle" attack can read your tunnel traffic, and you won't even know that he is doing it. If you have no access-list and no CBAC, you won't defend against any DoS. The only security you have is the NAT translation. But if a NAT entry is made, anyone can use it from outside.

Hope you can sleep well at night.

Norbert
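Both replies above make the same two points: the GRE tunnel carries the branch traffic in the clear, and the WAN interface accepts anything. The IOS fragment below is an added example (not from the original post or from the integrator's configuration) showing how the posted tunnel1 would look once it is protected with IPsec via `tunnel protection`, plus an inbound access-list on the WAN sub-interface that admits only the IKE and ESP traffic the tunnel needs from the HQ peer. The addresses 198.51.100.1 (branch) and 203.0.113.1 (HQ), the pre-shared key placeholder, and the names GRE-TS, GRE-PROT and WAN-IN are all assumed for illustration; the algorithm names (aes 256, sha256, group 14) assume a reasonably current IOS 15.x image, older images would use 3des/sha equivalents.

```cisco
! Added example, not the configuration from the original post.
! Branch WAN address 198.51.100.1 and HQ peer 203.0.113.1 are
! placeholders; <strong-shared-secret> must be replaced.
!
! IKE (phase 1): peer authentication with a pre-shared key.
! Without this step a GRE tunnel has no peer authentication at all.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <strong-shared-secret> address 203.0.113.1
!
! IPsec (phase 2): encrypt and authenticate the GRE packets.
! Transport mode is sufficient because GRE already adds the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Same tunnel as in the post, now bound to the IPsec profile. Once this is
! applied, cleartext GRE between these two endpoints is dropped, so the
! traffic can no longer be read by anyone sniffing the carrier network.
interface Tunnel1
 description TO HQ
 ip unnumbered Ethernet0
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
! Inbound filter for the WAN side: only IKE (UDP/500, UDP/4500 for
! NAT-T) and ESP from the HQ peer. GRE from the peer is also permitted,
! because some IOS versions re-check the decrypted GRE packet against the
! inbound ACL; the IPsec policy still rejects unprotected GRE.
ip access-list extended WAN-IN
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.1
 permit gre host 203.0.113.1 host 198.51.100.1
 deny ip any any log
!
interface ATM0.1
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
```

After applying this on both ends, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show non-zero encaps/decaps counters for the tunnel; if the GRE keepalives or routes over tunnel1 come up while those counters stay at zero, the traffic is still leaving in the clear. Note that the original post's ACLs applied in the "out" direction do nothing to stop inbound probes or replayed GRE packets; the filter has to be applied with `in` on the interface facing the Internet.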

The config had some access-lists as well, but all set "out" on the WAN and eth interfaces (not "in"). I can post them if you think they might be useful.

As far as encryption is concerned, there's no encryption enabled on the tunnel interface, at least in the router configuration I had access to. That's what puzzled me most when I was asked to supervise the configuration made by others.