Cisco Support Community

New Member

How vulnerable is a VPN Concentrator exposed to the Internet?

Has anyone looked into what ports the public interface is listening on? Are there any inherent vulnerabilities to having it exposed? I've seen diagrams that suggest placing the concentrator in parallel with the firewall. Obviously, this leaves the public interface exposed. This leads me to wonder about the original question.

5 REPLIES
New Member

Re: How vulnerable is a VPN Concentrator exposed to the Internet

The Concentrator is configurable as to what ports it is listening on. You could configure the Public Filter to only listen for IPSec packets. That is just as secure as putting it on a DMZ and allowing IPsec through the Firewall.

There are always vulnerabilities when connected to the Internet...

New Member

Re: How vulnerable is a VPN Concentrator exposed to the Internet

Maybe I'm missing something. The problem I see is this: yes, you can turn off various protocols, but there is no granularity to turn them off by interface, only globally. The management protocols are helpful to have on internally, but I would like to be able to disable them on the external interface.

New Member

Re: How vulnerable is a VPN Concentrator exposed to the Internet

You have all the granularity you want. There is a different filter for each interface on the Concentrator. You can use the default rules or build your own. You have full control of Management access.

New Member

Re: How vulnerable is a VPN Concentrator exposed to the Internet

Put the concentrator in parallel with your firewall, then use ACLs at your router to only allow IPSEC traffic to your concentrator address.

That is about as secure as you can get. If you want, you can also enable rate-limiting at the router to help protect against DoS attacks as well.
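
An added example, not part of the original post or Cisco's tooling: a small audit that walks IOS-style extended ACL entries in evaluation order and reports any permit that lets non-IPsec traffic reach the concentrator. The address 192.0.2.10, the sample entries, the simplified entry grammar (`any` or `host A`, optional `eq port`) and the reading of "IPsec traffic" as IKE (UDP 500), NAT-T (UDP 4500) and ESP are assumptions.

```python
# Added example: audit a router ACL so only IPsec reaches the concentrator.
CONCENTRATOR = "192.0.2.10"  # assumed address (documentation range)

# Constructed IOS-style extended ACL entries, in evaluation order.
SAMPLE_ACL = """\
permit udp any host 192.0.2.10 eq isakmp
permit esp any host 192.0.2.10
permit udp any host 192.0.2.10 eq non500-isakmp
permit tcp any host 192.0.2.10 eq 443
permit ip any any
deny ip any host 192.0.2.10 log
"""

# Assumption: "IPsec traffic" means IKE (UDP 500), NAT-T (UDP 4500) and ESP.
ALLOWED = {("udp", "500"), ("udp", "4500"), ("esp", None)}
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500"}

def parse(line):
    """Parse 'action proto src dst [eq port]'; src/dst are 'any' or 'host A'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]

    def take(rest):
        if rest[0] == "host":
            return rest[1], rest[2:]
        return rest[0], rest[1:]

    src, rest = take(rest)
    dst, rest = take(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1], rest[1])
    return action, proto, src, dst, port

def audit(acl_text, concentrator=CONCENTRATOR):
    """Return (line_no, entry) for permits that let non-IPsec reach the concentrator."""
    findings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        if not line.strip():
            continue
        action, proto, src, dst, port = parse(line)
        if dst not in ("any", concentrator):
            continue  # entry cannot match traffic to the concentrator
        if action == "deny" and proto == "ip" and src == "any":
            break  # first match wins: later entries never see this traffic
        if action == "permit" and (proto, port) not in ALLOWED:
            findings.append((n, line))
    return findings

if __name__ == "__main__":
    for n, entry in audit(SAMPLE_ACL):
        print(f"entry {n} exposes the concentrator: {entry}")
```

On the constructed ACL it reports entries 4 and 5; the explicit deny on entry 6 arrives too late to help because the broad permit above it matches first.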

New Member

Re: How vulnerable is a VPN Concentrator exposed to the Internet

Thanks, I like your idea.
