On Mon, 24 Jun 2002, Theo Zourzouvillys wrote:
> one is AH packets can't be NATed in any form, or auth fails. which is a
This is why AH's (Authentication Header) use is being increasingly discouraged - just use ESP (Encapsulated Payload) in tunnelling mode. This *will* work over NAT AFAIK as the IP headers are not authenticated and the payload is just IP type 50 data (i.e. ESP). ESP will provide authenticity validation of the payload - OK, so you lose out on protection of the IP header, but to be honest the payload is your primary concern!
> right pain in the arse, considering many secure networks use NAT for security reasons.
Ugh! NAT != security. While theoretically one should never be able to route packets straight into a NATed LAN from beyond the NAT router, it only takes a single flaw in the source code/NAT rules/firewall rules/etc. to breach this. NAT wasn't designed for security. NAT was designed for conserving IPv4 space.
> there is also SSH VPN (ppp over ssh) tunneling, which *can be* slow, but is very easy for the client to set up, and useful for a light connection, others to look at are vtund, openvpn, tinc, secpvn, tunnelv, and of course vpnd.
This is *very* useful indeed :) I use this at home to VPN into the office. Now if I could find a way of making it work under Windows I'd make our developer happy :)
> but this brings us to the point that ISPs really don't *generally* give a shit about customers' security, or even their own in many cases ;p
I used to work for a small local ISP and the manager's primary concern was that the servers were UP, not that some script kiddie couldn't get in and deface a few thousand websites.
> (l)users. If life was perfect, and all users were smart, i'd disable POP3, SMTP, FTP, etc... but can't. users moan, they *want* to use the insecure
This is why I offer both SSL POP3 and ordinary POP3 on my server :) Now if I can convince the remaining users to switch to SPOP3 I'll be happy :) Of course making them stop using FTP is something else....

J.

--
Jon Still
E-mail: jon@xxxxxxxxxxx tertial.org
Web: http://www.tertial.org/
GPG Key: http://xanthein.net/key.asc
Key ID: 0x00493D2B

--
The Mailing List for the Devon & Cornwall LUG
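Why AH fails across NAT while ESP does not, as an added worked example (this is editor-supplied code, not anything posted to the list). It simulates the integrity check value (ICV) inputs of AH (RFC 4302) and ESP (RFC 4303) using HMAC-SHA-256-128 (RFC 4868) over toy packets, then pushes both through a one-to-one NAT that rewrites the source address. AH's MAC covers the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so the rewritten address breaks verification; ESP's MAC covers only the ESP header, payload and trailer, so the outer header can change freely. The key, addresses and payload are constructed for the demo, and encryption is omitted so the authenticated byte ranges stay visible. One caveat the thread does not mention: plain ESP has no port numbers, so a port-overloading NAT (PAT) has nothing to multiplex on; that is what the UDP encapsulation of NAT-Traversal (RFC 3948) later solved. The one-to-one address rewrite modelled here is the case that works.

```python
"""AH vs ESP across NAT: constructed simulation of the ICV inputs."""
import hashlib
import hmac
import struct

SA_KEY = b"constructed-demo-key-not-from-IKE"   # constructed; a real SA key comes from IKE
SPI = 0x1000
AH_PROTO, ESP_PROTO, TCP_PROTO = 51, 50, 6
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the tag to 128 bits


def icv(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ipv4_header(src: str, dst: str, proto: int, ttl: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. The checksum is left zero: it is a mutable
    field that AH excludes from the MAC and ESP never covers at all."""
    def addr(a): return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, addr(src), addr(dst))


def ah_authenticated_bytes(ip_hdr: bytes, ah_hdr_zero_icv: bytes, payload: bytes) -> bytes:
    """AH MAC input: IP header with mutable fields zeroed, AH header with the
    ICV field zeroed, then the payload. Source/destination addresses are
    immutable fields and therefore stay in the input."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS / DSCP / ECN
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h) + ah_hdr_zero_icv + payload


def build_ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence, ICV
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_hdr = struct.pack("!BBHII", TCP_PROTO, ah_len_words, 0, SPI, 1)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 64, 20 + 12 + ICV_LEN + len(payload))
    mac = icv(ah_authenticated_bytes(ip_hdr, ah_hdr + b"\0" * ICV_LEN, payload))
    return ip_hdr + ah_hdr + mac + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_hdr = pkt[:20], pkt[20:32]
    mac, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    expected = icv(ah_authenticated_bytes(ip_hdr, ah_hdr + b"\0" * ICV_LEN, payload))
    return hmac.compare_digest(mac, expected)


def build_esp_packet(src: str, dst: str, payload: bytes) -> bytes:
    """ESP MAC input: SPI, sequence number, payload, padding and trailer.
    The outer IP header is not part of it."""
    pad_len = (-(len(payload) + 2)) % 4
    esp_hdr = struct.pack("!II", SPI, 1)
    trailer = b"\0" * pad_len + bytes([pad_len, TCP_PROTO])
    body = esp_hdr + payload + trailer
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 64, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv(body)


def verify_esp(pkt: bytes) -> bool:
    body, mac = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(mac, icv(body))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """One-to-one NAT: rewrite the source address and decrement the TTL.
    The TTL change alone would not upset AH (it is zeroed before hashing);
    the address change is what breaks it."""
    h = bytearray(pkt[:20])
    h[12:16] = bytes(int(o) for o in new_src.split("."))
    h[8] -= 1
    return bytes(h) + pkt[20:]


def demo() -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"   # constructed inner data
    ah = build_ah_packet("192.168.1.10", "203.0.113.5", payload)
    esp = build_esp_packet("192.168.1.10", "203.0.113.5", payload)
    return {
        "ah_before_nat": verify_ah(ah),
        "ah_after_nat": verify_ah(nat_rewrite_source(ah, "198.51.100.7")),
        "esp_before_nat": verify_esp(esp),
        "esp_after_nat": verify_esp(nat_rewrite_source(esp, "198.51.100.7")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'AUTH FAIL'}")
```

Running it prints AUTH FAIL only for `ah_after_nat`; the other three verify. The same logic applies to destination rewrites on the way back in, which is why a NAT router in the path kills AH in both directions.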