 
 From:  sai <sonicsai at gmail dot com>
 To:  Jim Thompson <jim at netgate dot com>
 Cc:  Bradley Van Peursem <bradley at itelework dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Multiple Vulnerability Issues in Implementations of ISAKMP Protocol
 Date:  Thu, 17 Nov 2005 12:01:45 +0500
http://isc.sans.org/diary.php?storyid=852

How serious is all of this?
The world and the Internet will continue to turn. This issue is however
very important to you if you are using an IPSEC VPN. At this point,
all points to this being a DOS only vulnerability. Your IPSEC
concentrator may reboot or lock up. While this is not as severe as
remote code execution, it can still break a business if critical
network links are impacted.
.
.
.



On 11/15/05, Jim Thompson <jim at netgate dot com> wrote:
> You probably want to turn
> *Negotiation mode:* Aggressive
> off. (That is, you want Negotiation mode: Main)
>
> If you can install packet filters toward the IPSEC peer, that helps too.
>
> The m0n0 documentation probably needs a bit of an update. This:
>
> > Negotiation mode: This is the type of authentication security that
> > will be used. Unless you are under close watch by someone with
> > paranormal-like craziness, just leave this as aggressive. It is indeed
> > far faster and will ensure that your VPN tunnel will rebuild itself
> > quickly and probably won't time out an application if the tunnel was
> > down when the resource on the other end was requested. (more about
> > that under Lifetime)
>
>
> found on: http://doc.m0n0.ch/handbook/ipsec-tunnels.html
>
> probably needs updating to reflect the new information.
> http://www.uniras.gov.uk/niscc/docs/br-20051114-01013.html?lang=en
>
> Jim
>
> Bradley Van Peursem wrote:
>
> >Does this newly publicized ISAKMP IPSEC flaw affect monowall?
> >
> >May be a dumb question, but did not know the answer.
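An added example, not part of this thread or of m0n0wall: a small Python checker that applies Jim's two recommendations to captured UDP/500 traffic, flagging aggressive-mode exchanges (ISAKMP exchange type 4, RFC 2408) and ISAKMP from peers outside an allow-list. The peer addresses and datagrams below are constructed for the demonstration.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): 28 bytes, network byte order.
# Fields: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN = 2         # "Identity Protection" exchange, i.e. IKE main mode
AGGRESSIVE = 4   # IKE aggressive mode

def parse_header(payload):
    """Return (major, minor, exchange, flags, length); raise ValueError on bad input."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated header")
    _ic, _rc, _np, ver, exch, flags, _mid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("length field %d != datagram size %d" % (length, len(payload)))
    return ver >> 4, ver & 0x0F, exch, flags, length

def audit(datagrams, allowed_peers):
    """One finding per datagram that violates the advice in the thread.
    datagrams: iterable of (source_ip, udp_payload) pairs taken from UDP/500 traffic."""
    findings = []
    for src, payload in datagrams:
        if src not in allowed_peers:
            findings.append("%s: ISAKMP from peer not in allow-list" % src)
        try:
            _, _, exch, _, _ = parse_header(payload)
        except ValueError as err:
            findings.append("%s: malformed ISAKMP (%s)" % (src, err))
            continue
        if exch == AGGRESSIVE:
            findings.append("%s: aggressive mode exchange" % src)
    return findings

def make_datagram(exchange, body_len=40):
    """Constructed sample datagram with a consistent length field (cookies are dummies)."""
    total = ISAKMP_HDR.size + body_len
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange, 0, 0, total)
    return hdr + b"\x00" * body_len

# Constructed capture: one known peer, one stray peer, one truncated datagram.
SAMPLE = [
    ("203.0.113.10", make_datagram(MAIN)),          # main mode from known peer: fine
    ("203.0.113.10", make_datagram(AGGRESSIVE)),    # aggressive mode from known peer
    ("198.51.100.7", make_datagram(MAIN)),          # main mode from unknown peer
    ("203.0.113.10", make_datagram(MAIN)[:20]),     # truncated header
]

if __name__ == "__main__":
    for line in audit(SAMPLE, {"203.0.113.10"}):
        print(line)
```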