Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
370
Views
0
Helpful
1
Replies

ESP Protocol – Administrative Cost verses Risks

rschwirtz
Level 1
Level 1

‎07-08-2002 10:57 AM - edited ‎03-08-2019 11:27 PM

We have users who are on our private network behind our PIX 520. Users can connect to our clients PIX firewalls using the Cisco VPN Client if we perform the following steps:

1. Reserve a private IP address for their workstation on the DHCP server.

2. Statically assign a public IP address to the private IP address reserved.

3. Create a conduit allowing the ESP protocol from the clients’ public IP address on their PIX to the public IP address setup in step 2.

Question- what are the risks if ESP protocol were opened from any public IP address to any host behind our PIX? I am not comfortable opening this up but have not been able to find any details regarding potential risks that have satisfied management. Any help would be welcome. Thanks

Labels:
0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎07-16-2002 07:26 PM

The risks are minimal really, but I'm always hesitant to open any hole in a firewall unless you have to. Opening up ESP to any internal host is really not going to get anyone anywhere, because they first have to establish a tunnel using ISAKMP, so if you don't open that up you'll be pretty safe.

The reason you don't need to create a conduit for ISAKMP (in case you're wondering), is that ISAKMP is a UDP protocol. The PIX automatically creates conduits for TCP or UDP packets as they go out (from inside to outside), and allows those packets to come back in. ESP on the other hand, sits right on top of IP (is not TCP/UDP based),and so the PIX doesn't open a hole for that traffic to come back in, hence you have to specifically create a conduit for it.

As I said though, if you're now talking about traffic originating from the outside and coming in, you've only allowed ESP and not ISAKMP, so the risk of anyone starting a VPN tunnel to an internal host is negligible.

As I also said though, it is another hole in your firewall, so the more secure you can make it, by specifying the source and/or destination addresses, then the better that will be.

0 Helpful
Customers Also Viewed These Support Documents