Q: Cisco Site to Site VPN

A new week, a new question. This one is a bit more generic and, I believe, raises a few dilemmas; feel free to take a shot at it:

Hi Experts,

Is it secure to just configure a Cisco IPsec/GRE site-to-site tunnel without a firewall/IPS/IDS? The argument here is that although it is internet-facing, there is only host-to-host routing between the routers and the default route goes to the tunnel. Am I right to say that it is technically secure, since the router only routes traffic between the designated routers?

Thanks in advance.

J. O.

  • Andre Gironda (http://www.tssci-security.com)

    No, but don’t make me release this IOS shellcode package with a battery of working exploits for Metasploit in order to prove the point.

    Also see: MPLS PE routers and the work by Enno Rey.

    Also see: ike-scan, ikeprobe.

    Also see: OSVDB.org

  • dave

    Are you suggesting that router A implements only a host route for router B that points to the upstream ISP router, and the same is true for the remote-end router (if the remote end doesn’t have firewalls, etc.)?

    If so, then this solution certainly offers more protection than a default route to the upstream ISP router.

    Is it secure? Sure, but then that’s all relative…

    However, this solution does not prevent packets from reaching your router; it only prevents replies from reaching the attacker (assuming the attacker is not originating from or through router A or B).

    This also does not protect your router from internal attacks or sideways attacks (attacks originating from within the same broadcast domain).

    All in all, this solution limits your exposure somewhat from the big bad internet, though, as stated, packets with the evil bit set can still reach your router and possibly cause havoc.

    Lastly, I’m not sure how large your IT organization is, but you will certainly want to make it known through diagrams and documentation that the security of your solution relies on not setting a default route.
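For reference, here is a constructed IOS configuration for the setup the question describes (a /32 host route to the peer via the ISP, the default route pointing into a GRE-over-IPsec tunnel), with the controls the two comments say the bare design lacks: an inbound ACL on the internet-facing interface so that only the peer's IKE and ESP can reach the router, a management-plane restriction, and a tunnel keepalive so the default route is withdrawn rather than leaked when the peer is unreachable. This is an added example, not code from the original post or from Cisco; the addresses (RFC 5737 documentation ranges), interface names, ACL and profile names, the pre-shared key placeholder and the assumption of an IOS 15.x release that supports SHA-256 are all assumptions.

```cisco
! Added example (not from the original page). Site A, outside 198.51.100.2/30,
! ISP next hop 198.51.100.1, peer router B at 203.0.113.2. All addresses are
! RFC 5737 documentation ranges chosen for illustration.

! --- Outside interface ACL: only the peer may talk to this router, and only
! --- IKE (UDP/500), NAT-T (UDP/4500) and ESP. Everything else is dropped and
! --- logged, which is what stops "packets still reaching your router".
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.2
 deny   ip any any log
!
! --- IKEv1 phase 1 and IPsec phase 2 (pre-shared key bound to the peer /32)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS-AES256-SHA256
 set pfs group14
!
! --- GRE tunnel protected by IPsec. The keepalive takes Tunnel0 down when
! --- the peer stops answering, so the static default route below is withdrawn
! --- instead of silently remaining in the table.
interface Tunnel0
 description GRE over IPsec to site B
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/0
 description Internet-facing
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
 no cdp enable
!
! --- Routing: the only route that points at the ISP is the peer's /32; the
! --- default goes into the tunnel. The /32 must never itself resolve via
! --- Tunnel0, or the tunnel recurses and flaps.
ip route 203.0.113.2 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! --- Management plane: never reachable from the outside, SSH only.
ip access-list standard MGMT
 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class MGMT in
 transport input ssh
no ip http server
no ip http secure-server
```

The point of the ACL is the one dave makes: the host route only stops replies, not arrivals, so the router's own listeners (IKE, SSH, SNMP, HTTP) are what an attacker on the internet actually reaches. A quick external check, using the tool Andre names, is to run `ike-scan -M 198.51.100.2` from an address other than the peer; with OUTSIDE-IN applied there should be no IKE response at all, whereas without it the router will happily advertise its ISAKMP transforms to anyone.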