Firewall Wizards mailing list archives

secure remote access and firewalls


From: Colin Horsington <c.horsington () aas com au>
Date: Wed, 27 Oct 1999 10:04:19 +1000

Dear Firewall-users

Recently there has been a requirement to link up securely some remote
branches. To do this it has been proposed to use firewalls not to do VPN in
the strict sense of the word, but to implement packet filtering effects to
limit access to the remote machines.

For example let's say branch A wishes for branch B to see computer X. Both
branch A and B have firewalls. Branch A places (or using NAT gives) computer
a real IP outside the branch A's firewall. But since anyone can now access
this real IP, an upstream packet filter (firewall) is placed amid the
traffic stream. Effectively blocking (using rules) anyone accessing
restricted real IP addresses downstream (i.e. at branch A). Similarly branch
B would use the same methodology.

This schema is replicated for up to 4 branches that wish to restrict access
to particular computers and the internet in general without compromising
security too much.

-------------   --------------   -------------   ------------------------   ------------------------------
| Branch A  |---| Firewall A |---| real IP's |---| Firewall B filtering |---| Internet -> other branches |
-------------   --------------   -------------   ------------------------   ------------------------------

Does this have any security implications besides un-encrypted packets
travelling over the public network? If so what other methods could be used
considering every branch does not want to change its current infrastructure
much, and does not want to have to use a specific firewall for firewall A
nor change what they have, and firewall B may also be a different box at
every location!

Also if a 'VPN' were to be used how could one be set up between all branches
as one VPN, rather than having nxn (n squared) VPNs?

Kind regards,

Colin Horsington
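As an added illustration (not part of the original post), here is a small Python model of the upstream filter the post describes: Firewall B permits only the other branches' public ranges to reach the host branch A has exposed on a real IP, and drops everything else aimed at that real-IP range. The branch ranges, the exposed host and the port are constructed RFC 5737 documentation values, not real addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed documentation ranges (RFC 5737); nothing here is a real branch.
BRANCH_A_EXPOSED = ipaddress.ip_network("203.0.113.0/29")  # real IPs outside Firewall A
COMPUTER_X = ipaddress.ip_network("203.0.113.2/32")        # the one host branch A exposes
PEER_BRANCHES = {                                          # public ranges of the other branches
    "B": ipaddress.ip_network("198.51.100.0/24"),
    "C": ipaddress.ip_network("192.0.2.0/24"),
}

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port

def upstream_rules(exposed_range, hosts, peers, ports):
    """Build the filter that sits upstream of one branch (Firewall B in the
    post): each peer branch may reach each exposed host on the listed ports;
    everything else destined for the branch's real-IP range is dropped."""
    rules = [Rule("allow", peer, host, p)
             for host in hosts for peer in peers.values() for p in ports]
    rules.append(Rule("deny", ipaddress.ip_network("0.0.0.0/0"), exposed_range))
    return rules

def evaluate(rules, src_ip, dst_ip, dport):
    """First-match evaluation with an implicit deny at the end. The decision
    rests on header fields alone: the filter trusts the source address to
    identify a peer branch, and sees the payload in clear, which is the
    trade-off the post asks about."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

RULES = upstream_rules(BRANCH_A_EXPOSED, [COMPUTER_X], PEER_BRANCHES, [443])

if __name__ == "__main__":
    for pkt in [("198.51.100.7", "203.0.113.2", 443),    # branch B -> X, permitted service
                ("198.51.100.7", "203.0.113.2", 22),     # branch B -> X, other service
                ("192.0.2.9", "203.0.113.3", 443),       # branch C -> a host A did not expose
                ("203.0.113.200", "203.0.113.2", 443)]:  # address outside every branch range
        print(pkt, "->", evaluate(RULES, *pkt))
```

Replicating the design for four branches means each branch runs its own copy of this filter with its own exposed range and the other three branches as peers.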
