Subject: Re: [fw-wiz] UDP 500 and IP 50
From: Steven M. Bellovin (smb@research.att.com)
Date: Mon May 22 2000 - 13:46:57 CDT
- Next message: Gene Brown: "RE: [fw-wiz] ICMP on a firewall"
- Previous message: Darren Reed: "Re: [fw-wiz] ipchains cannot block dhcp"
- Maybe in reply to: Patrick Bryan: "[fw-wiz] UDP 500 and IP 50"
- Next in thread: kstephe6@csc.com: "Re: [fw-wiz] UDP 500 and IP 50"
- Maybe reply: Steven M. Bellovin: "Re: [fw-wiz] UDP 500 and IP 50"
In message <001c01bfc254$cb8b2b00$a1bcfea9@rockfd1.il.home.com>, "Patrick Bryan" writes:
>
>We have a vendor that has asked that we open UDP 500 and allow IP
>protocol 50 to pass our firewall. Two questions here.. 1) What is
>running on UDP 500, and what is IP 50 doing? Something similar to
>GRE(47)? The vendor claims they need this to establish a connection to
>their VPN. Any input would be greatly appreciated.
>
Both are for IPsec; see RFC 2401 and a bunch of others. UDP port 500
is for IKE, the key management protocol; IP 50 is the actual tunnel
protocol.

It's reasonable to allow both to reach specific internal machines *if*
you trust those machines to apply reasonable access controls, and you
trust that their outside peers are safe. But encryption per se is not
security -- if there are no access controls, someone from
evilhackerdudes.org could set up their own IPsec tunnel to those
internal machines. Similarly, if the folks at the other end of the
tunnel can't be trusted (or don't run their machines competently), the
bad guys can go through their machines to reach yours.

There was a fairly egregious example of this latter point on bugtraq
the other day. There's a stock news and ticker service that can use a
VPN to receive its updates. The machine is (according to the poster)
horribly insecure, which means that if one instance is hacked, the
person who penetrated it will have access via its VPN to all other
instances of this service.

Bottom line: these protocols are to create a hole in your firewall to
permit traffic to/from Somewhere. If you trust the Somewhere to be
honest and competent, you're probably safe. Otherwise...

--Steve Bellovin
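As an added example (not part of the thread), the kind of pinned rule set the reply describes: IKE (UDP 500) and ESP (IP protocol 50) admitted only between one named outside peer and one internal host, with everything else on those protocols logged and dropped. The rules are written for iptables rather than the ipchains of the era, and the peer and host addresses are constructed placeholders; the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Emit iptables FORWARD rules that let
# IKE and ESP pass only between a trusted outside peer and the one internal host
# that terminates the tunnel. Addresses below are constructed placeholders.

PEER="${PEER:-203.0.113.10}"          # vendor's VPN gateway (constructed, TEST-NET-3)
INTERNAL="${INTERNAL:-192.168.1.20}"  # internal host allowed to run IPsec

# ESP (protocol 50) carries no port numbers, so the only thing the firewall can
# match on is the pair of addresses. Pinning both ends is what turns "open IP 50"
# into a hole for one peer instead of a hole for anyone who speaks IPsec.
ipsec_rules() {
    peer="$1"; internal="$2"
    cat <<EOF
iptables -A FORWARD -p udp -s $peer -d $internal --dport 500 -j ACCEPT
iptables -A FORWARD -p udp -s $internal -d $peer --dport 500 -j ACCEPT
iptables -A FORWARD -p 50 -s $peer -d $internal -j ACCEPT
iptables -A FORWARD -p 50 -s $internal -d $peer -j ACCEPT
iptables -A FORWARD -p udp --dport 500 -j LOG --log-prefix "IKE-unexpected: "
iptables -A FORWARD -p udp --dport 500 -j DROP
iptables -A FORWARD -p 50 -j LOG --log-prefix "ESP-unexpected: "
iptables -A FORWARD -p 50 -j DROP
EOF
}

# Sanity check for the rule set: only the four address-pinned rules may ACCEPT;
# the unpinned catch-alls must LOG and DROP.
count_accepts() {
    ipsec_rules "$1" "$2" | grep -c -- '-j ACCEPT'
}

ipsec_rules "$PEER" "$INTERNAL"
```

Pipe the output to `sh` on the firewall to apply it; the LOG lines are what you watch for third parties attempting to set up their own tunnel to the internal host.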