[AusNOG] Cisco ASA - CVE-2016-1287 - Busy Night ahead
Roland Dobbins
rdobbins at arbor.net
Sun Feb 14 17:20:54 EST 2016
On 14 Feb 2016, at 13:08, Paul Wilkins wrote:

> Which is to say, if your firewall grants external access to the control
> plane, you perhaps have larger issues.

IKE is necessary for IPSEC VPN connections. It is transmitted/received
in-line in the data plane.

The devices in question are often utilized as IPSEC VPN concentrators.
While one ought to have iACLs which limit source IP address access to
configured site-to-site VPN endpoints, many organizations don't do this.

Also, if the device in question is being utilized as an IPSEC VPN
concentrator for an ambulatory user population, this isn't possible.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
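
Added example, not part of the original post: a small audit of the iACL practice described above, flagging permit rules that admit IKE (UDP 500, or 4500 for NAT-T) from sources outside the configured site-to-site peers. The ACL lines, the ACL name, the addresses and the peer list are constructed sample data, and the parser handles only a simplified subset of Cisco-style extended ACL syntax (an assumption of this example).

```python
import ipaddress

IKE_PORTS = {"500", "isakmp", "4500"}  # IKE and IKE NAT-T, both over UDP

# Constructed sample data (documentation address ranges), not from the post.
SAMPLE_ACL = """
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list OUTSIDE-IN extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.1 eq 443
"""
PEERS = ["203.0.113.10/32"]  # hypothetical configured site-to-site endpoint


def _take_addr(tok, i):
    """Parse 'any' | 'host A' | 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def audit_ike_rules(acl_text, peers):
    """Return (rule, source) pairs that permit IKE from outside the peer list."""
    peer_nets = [ipaddress.ip_network(p) for p in peers]
    findings = []
    for line in acl_text.strip().splitlines():
        tok = line.split()
        # Expected shape: access-list NAME extended permit udp SRC DST eq PORT
        if len(tok) < 9 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        if tok[3] != "permit" or tok[4] != "udp":
            continue
        src, i = _take_addr(tok, 5)
        _dst, i = _take_addr(tok, i)
        if len(tok) < i + 2 or tok[i] != "eq" or tok[i + 1] not in IKE_PORTS:
            continue
        # A source is acceptable only if it lies entirely inside a known peer.
        if not any(src.subnet_of(p) for p in peer_nets):
            findings.append((line.strip(), str(src)))
    return findings


if __name__ == "__main__":
    for rule, src in audit_ike_rules(SAMPLE_ACL, PEERS):
        print(f"IKE reachable from non-peer source {src}: {rule}")
```

On a remote-access concentrator the `any` finding is expected, for the reason given in the post: the source addresses of an ambulatory user population cannot be enumerated.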