Firewall Wizards mailing list archives

Re: Subject: tunnel vs open a hole


From: "D Sanchez" <crypto-map () cox net>
Date: Sun, 6 Apr 2003 18:37:04 -0700

Anton,

Interesting... to tunnel or not to tunnel? Well, it really depends on
many factors, but most importantly is how well you can document the access,
since undocumented tunneling can become an administrative nightmare and a
liability/risk. Simply opening a port to one host inbound may be the
easiest way to audit/document the inbound access but may leave you open over
that port. If you can authenticate/xauth the access, either tunneled or
conduited/open-port-hole, with an AAA server on the (trusted) inside, that
would be even more secure/auditable, and if you can put two factors on the
auth/xauth process (token, smartcard etc. plus AAA account) that would be
even better.

Another thing to consider is how friendly the firewall is to tunneling. PIX
is relatively easy to allow tunneled packets over (i.e. GRE, IPSec, GRE over
IPSec, SOCKS over SSL...), but some firewalls are a real pain to tunnel over,
like Raptor etc., since they see datagrams/segments as if they were covert
channeling. Also, some tunneling protocols have issues with NAT or PAT, so
you should keep this in mind if indeed you're translating addresses
(outside or inside) on the firewall; you may just have to deny NAT for the
hosts involved, which is also easier on the PIX than other products.

I prefer tunneling, and tunneling with 2-factor xauth if possible, but this is
always a more complex solution that would require increased
administration/documentation. Then again, I would like to see IPSec on
everything, so I may be a bit biased.

dan sanchez
CISSP
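The two options the post compares, written out as an added PIX 6.x-style configuration sketch. This is not from the original message or from any PIX documentation; every address, object name and the RADIUS shared secret is a placeholder, the ISAKMP policy and client group/pre-shared key setup are omitted, and the fragment is meant only to show where the "open a hole", "xauth against an inside AAA server" and "deny NAT for the hosts involved" decisions land in a config.

```text
! --- Option A: open a hole (static + conduit) for one inbound service ---
! Exposes TCP/22 on the placeholder inside host 10.1.1.10 to any outside
! source. Trivial to audit (one static, one conduit), but the port is
! reachable from anywhere and only the host's own login guards it.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq 22 any

! --- Option B: IPSec tunnel with xauth against an inside AAA server ---
! Placeholder RADIUS server on the trusted side; the client must pass AAA
! before the tunnel comes up, so each session is attributable to an account.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 RADIUS_SHARED_SECRET timeout 5

! Exempt tunneled traffic from NAT/PAT (the "deny NAT for the hosts
! involved" point); 10.2.2.0/24 is the placeholder remote client pool.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Inside hosts are reachable only through the tunnel, never via a conduit.
sysopt connection permit-ipsec
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 10 set transform-set STRONG
crypto map OUTMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map OUTMAP client authentication RADIUS
crypto map OUTMAP interface outside
isakmp enable outside
```

Documenting Option B means recording the crypto map, the NAT exemption list and the AAA server together as one access grant, since removing any one of them silently changes what the tunnel can reach; that bookkeeping is the administrative cost the post is weighing against the simpler conduit.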


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards