[Plug-security] VPN thru IPCHAINS

Furmanek, Greg plug-security@lists.PLUG.phoenix.az.us
Fri, 20 Jul 2001 10:43:28 -0400


I am having the same problem.

If you are using IPSec with AH and
masquerading the traffic it is impossible because IPsec
is using a hash of the IP in its authentication.

Greg
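
Added example, not part of the original message: a simplified model of how AH (RFC 2402) computes its integrity check value over the IPv4 header, showing why the source-address rewrite done by masquerading fails verification while an ordinary TTL decrement does not. The key, addresses, SPI and the HMAC-SHA1-96 choice are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed SA key, not from the thread

def ipv4_header(src, dst, ttl, payload_len, proto=51):
    """Build a 20-byte IPv4 header (protocol 51 = AH); checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(spi, seq, icv=b"\x00" * 12, next_proto=6):
    """AH header: next hdr, payload len, reserved, SPI, sequence, 96-bit ICV."""
    return struct.pack("!BBHII", next_proto, 4, 0, spi, seq) + icv

def ah_icv(ip_hdr, spi, seq, payload):
    """HMAC-SHA1-96 over the header with mutable fields zeroed, per RFC 2402."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS (mutable in transit)
    h[6:8] = b"\x00\x00"     # flags + fragment offset (mutable)
    h[8] = 0                 # TTL (mutable)
    h[10:12] = b"\x00\x00"   # header checksum (mutable)
    # Source and destination addresses (bytes 12-19) stay in the hash input.
    data = bytes(h) + ah_header(spi, seq) + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def send(src, dst, payload, spi=0x1001, seq=1):
    ip = ipv4_header(src, dst, 64, 24 + len(payload))
    return ip, ah_header(spi, seq, ah_icv(ip, spi, seq, payload)), payload

def verify(ip, ah, payload):
    _, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(ah[12:24], ah_icv(ip, spi, seq, payload))

def forward(ip, new_src=None):
    """Router hop: decrement TTL; a masquerading hop also rewrites the source."""
    h = bytearray(ip)
    h[8] -= 1
    if new_src:
        h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

if __name__ == "__main__":
    ip, ah, data = send("192.168.1.10", "203.0.113.5", b"constructed payload")
    print("routed hop, TTL changed:", verify(forward(ip), ah, data))
    print("masqueraded, source rewritten:", verify(forward(ip, "198.51.100.1"), ah, data))
```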

-----Original Message-----
From: Dave Chacko [mailto:dave@chacko.org]
Sent: Thursday, July 19, 2001 8:19 PM
To: plug-security@lists.PLUG.phoenix.az.us
Subject: [Plug-security] VPN thru IPCHAINS


Does anyone know of a way to forward VPN traffic through an IPCHAINS firewall
(ex. Pmfirewall) from two Windows domains?  I can get the workstations to
connect, but have problems authenticating.  Any suggestions would be greatly
appreciated.

Thanks.

Dave

-----Original Message-----
From: plug-security-admin@lists.PLUG.phoenix.az.us
[mailto:plug-security-admin@lists.PLUG.phoenix.az.us]On Behalf Of
plug-security-request@lists.PLUG.phoenix.az.us
Sent: Tuesday, July 17, 2001 12:01 PM
To: plug-security@lists.PLUG.phoenix.az.us
Subject: Plug-security digest, Vol 1 #31 - 1 msg


Today's Topics:

   1. Re: Something to look at. (foodog)

--__--__--

Message: 1
Date: Tue, 17 Jul 2001 20:45:20 -0700
From: foodog <foodog@pop.phnx.uswest.net>
To: plug-security@lists.PLUG.phoenix.az.us
Subject: Re: [Plug-security] Something to look at.
Reply-To: plug-security@lists.PLUG.phoenix.az.us

Kit Plummer wrote:
>
> Cool!  Though, I am not sure I understand why you would need the IS at
> the kernel level.  It seems like it makes more sense at the network
> level as the ISes are typically found vice tripwire.

There are some advantages.  You can monitor/control what other modules
get loaded, hide processes and files.  As long as you're sure that your
module is loaded on a clean system, you can control any details that you
care to.  You could, for example, hide all evidence that you're running
tripwire.

There was a presentation at Black Hat on a kernel mod called fnord that
does everything listed above, plus hidden (and encrypted, I think)
logging to a remote host, hiding processes with a particular environment
string set or by UID, hiding all visible evidence of connections to/from
particular hosts (unless you've got the secret environment string).
They hook and filter all file activity, removing references to hidden
things, make invisible backup copies when files are modified or deleted,
etc. etc.  Really extensive paranoidware.  Unfortunately, during the Q&A
it came out that their employer won't release the source or binaries for
it...  I was bummed.

>
> Did you go to DEF CON?

Yup, this was my second year for Black Hat and DEF CON.  It was really
interesting, and there were an alarming number of normal-looking and
older people this year.  Non-feds even.  I'm kinda poor now, not really
interested in drinking again for awhile, but looking forward to next
year :-)

>
> Kit

>
> On 17 Jul 2001 00:44:54 -0700, foodog wrote:
> > KIS, kernel intrusion system.  An arguably gray hat kernel module was
> > presented at DEF CON Saturday.  It's for Linux kernel versions 2.2.x -
> > 2.4.x.  It's available for download now from uberhax0r.net/kis/
> >
> > I mention it for 2 reasons.  1st, I think it has serious potential as
> > part of an intrusion detection solution; the author expressed interest
> > in how the security community reacts.  2nd, I think it's a good plan to
> > learn about it. It's friendly enough that the kiddies will *love* it.
> > The client can be GUI-driven, and it has brief, usable docs.
> >
> > The docs barely scratch the capabilities, BTW.  The author, Optyx, is
> > talented.
> > Regards,
> > Steve
> > _______________________________________________
> > Plug-security mailing list  -  Plug-security@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
> >


--__--__--


End of Plug-security Digest
