Devon & Cornwall Linux Users' Group

Networks, Encryption, and the like.. (was Re: [LUG] GnuPG signatures)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 24 June 2002 1:51 pm, Jon Still wrote:

> This is why AH's (Authentication Header) use is being increasingly
> discouraged - just use ESP (Encapsulated Payload) in tunnelling mode.
>
> This *will* work over NAT AFAIK as the IP headers are not authenticated
> and the payload is just IP type 50 data (i.e. ESP).  ESP will provide
> authenticity validation of the payload - ok so you lose out on protection
> of the IP header but to be honest the payload is your primary concern!

Yes, you are right, however ESP has never worked behind NAT for me, though.
Maybe I'll have another go one day, if I have time.

However, imagine you are receiving DNS updates from another server - you don't
care about people viewing the contents, but you need to make sure the
headers are right. Silly example, but there are lots of cases where the IP
headers are more important than the data - although in theory, as long as the
data passes, you'd need the peer key to encrypt in the first place.

> > right pain in the arse, considering many secure networks use NAT for
> > security reasons.

> Ugh!  NAT != security.  While theoretically one should never be able to
> route packets straight into a NATed LAN from beyond the NAT router, it
> only takes a single flaw in the sourcecode/NAT rules/firewall rules/etc to
> breach this.  NAT wasn't designed for security.  NAT was designed for
> conserving IPv4 space.

I never said NAT was security ;)

However, having NAT is often a requirement for a hosting centre, especially
when hosting certain financial companies' servers.

It has its uses; and both netfilter and Cisco's implementation of NAT are
generally secure; except a certain DNAT bug in netfilter recently!
(CARTSA-20020402).

> This is *very* useful indeed :)  I use this at home to VPN into the
> office.  Now if I could find a way of making it work under Windows I'd
> make our developer happy :)

Someone apparently once got SSH VPN working in Cygwin - never tried myself
though...

> I used to work for a small local ISP and the manager's primary concern was
> that the servers were UP, not that some script kiddie couldn't get in and
> deface a few thousand websites.

Exactly - while uptime is the most important thing from a business view, what
happens when all the sites are defaced though? I guess the servers are still
up so they don't break their SLA ? ;)

> Now if I can convince the remaining users to switch to SPOP3 I'll be happy :)
> Of course making them stop using FTP is something else....

Good luck :p if you find a way, especially for 'web designers', then let me
know ;)

For users dialing up to us, I'm not really *too* bothered, as all the traffic
stays in our network, so security risks aren't as high (though I still think
FTP should be made illegal), but people connecting to our network from
externally with FTP is just urghghghghghghghhggh.

~ Theo

-- 

Theo Zourzouvillys
http://zozo.org.uk/

Q:      How much does it cost to ride the Unibus?
A:      2 bits.
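The AH-versus-ESP point made in the thread, as an added illustration rather than anything from the original mail: AH's integrity check covers the (immutable fields of the) IP header, so a NAT rewriting the source address invalidates it, while ESP's check covers only the SPI, sequence number and payload, so the outer header can change freely. Everything here is constructed (key, addresses, the "ciphertext" stand-in) and the ICV scopes are simplified to the fields that matter for this point.

```python
import hmac, hashlib, struct
from ipaddress import IPv4Address

KEY = b"constructed-demo-key"  # constructed; a real SA gets this from IKE

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left as zero; not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """AH (IP proto 51): ICV covers the IP header with mutable fields (TTL,
    checksum) zeroed, plus the payload. Addresses count as immutable, so a NAT
    rewrite changes the hashed input."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0             # TTL changes hop by hop, so it is zeroed before hashing
    hdr[10:12] = b"\0\0"   # header checksum likewise
    return hmac.new(KEY, bytes(hdr) + payload, hashlib.sha1).digest()[:12]

def esp_icv(esp_packet: bytes) -> bytes:
    """ESP (IP proto 50): ICV covers SPI, sequence number and the encrypted
    payload only. The outer IP header is not part of the hashed input."""
    return hmac.new(KEY, esp_packet, hashlib.sha1).digest()[:12]

def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does on egress: replace the source address."""
    return ip_hdr[:12] + IPv4Address(new_src).packed + ip_hdr[16:]

# Constructed inner (tunnelled) packet: a UDP datagram from a private host.
INNER = ipv4_header("192.168.1.10", "10.9.0.5", 17, 12) + b"dns-update!!"

def ah_verifies_after_nat() -> bool:
    """Sender computes AH ICV over the outer header; NAT rewrites the source;
    receiver recomputes and compares. Returns whether the check still passes."""
    outer = ipv4_header("192.168.1.10", "203.0.113.7", 51, 24 + len(INNER))
    icv = ah_icv(outer, INNER)
    natted = nat_rewrite_src(outer, "198.51.100.1")
    return hmac.compare_digest(ah_icv(natted, INNER), icv)

def esp_verifies_after_nat() -> bool:
    """Same scenario for ESP: the outer header changes, the ESP bytes do not."""
    esp = struct.pack("!II", 0x1234, 1) + b"ciphertext-of-" + INNER  # SPI, seq, stand-in ciphertext
    icv = esp_icv(esp)
    outer = ipv4_header("192.168.1.10", "203.0.113.7", 50, len(esp) + 12)
    nat_rewrite_src(outer, "198.51.100.1")  # rewritten header is simply not hashed
    return hmac.compare_digest(esp_icv(esp), icv)

if __name__ == "__main__":
    print("AH survives NAT: ", ah_verifies_after_nat())   # False
    print("ESP survives NAT:", esp_verifies_after_nat())  # True
```

This only shows the integrity-check scope; in practice NAT devices can still drop or mistrack ESP because it has no ports to map, which is what UDP encapsulation (NAT-T) was later added to address.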
