Opinions on "no" sysopt connection permit-ipsec

n.oneill
Level 1

Hi all

Just wondered what everyone's opinion is on not including sysopt connection permit-ipsec and instead setting up rules on the outside interface.

Is it not a security risk to have these rules on the outside interface? i.e. could someone spoof the address assigned for VPN to send packets to a service that should only be available to VPN users?

e.g.

access-list outside permit tcp 192.168.100.0 255.255.255.0 host 192.168.0.1 eq 80

no sysopt connection permit-ipsec

Would this allow an attacker to spoof a source address of 192.168.100.x and send packets to 192.168.0.1 port 80? Sure, he won't get a reply, but maybe he takes pot luck on exploiting a vulnerability to inject some code, and depending on the host's TCP implementation it would be possible?

I would be interested to know if this is possible?

Thanks


krishnas
Level 1

Hi,

I think there wont be security vulnerability that you explained when you create an access-list on ingress to permit 192.168.100.x network to access to your internal network. The reason being that on PIX (and also on IOS), if the crypto map is applied on outside interface and if an unencrypted packet matching one of the rules in the crypto map ACL is received on that interface, it is dropped in the PIX itself. So attackers can't use this technique for DOS attacks on the inside hosts. If a bogus encrypted packet with the spoofed address is received, if there are no IPSec SAs the packet is still dropped. Hope this helps.