Firewall Wizards mailing list archives

Re: Application requires VPN - How are these handled?


From: m p <sumirati () yahoo de>
Date: Wed, 2 Apr 2003 14:39:47 +0200 (CEST)

 --- Michele Jordan <michele () michelejordan net> wrote:
> I'm curious how others are handling this situation:
>
> Vendor has an application that requires VPN access to the vendor's
> network.  I am being asked to install this on a computer and then pass
> that VPN traffic through the firewall.  Obviously, I am reluctant to
> create a VPN from a vendor to the inside of the corporate network,
> regardless of the size or name of that vendor.  I am suggesting we
> implement a machine on a DMZ to do this, keeping that away from the
> corporate network.
>
> Other thoughts?

Hi Michele,

We were asked to do the same by a big database vendor.
Let me tell the story:

They were in-house to build a prototype for some mail application.
They told the people managing the project, "We need a link via VPN to
our company." We, the firewall group, said, "OK, you go into the DMZ
with a proxy + packet filter between you and the prototype. You will
tell us beforehand what you want to do and what for." (We could not put
the prototype into a DMZ at that time - otherwise both would have landed
in the same.) They accepted. After the VPN worked and they tried to
"access" the system, they cried, "We can't connect to those Windows
shares." We said, "You only wanted Terminal Services."

The point was: the developers in-house were not those who knew that
much. They needed help from their senior counterparts and they tried to
hide it (they wanted to upload some config and code and make it work on
the prototype system).

Conclusion: If you can, put them into the DMZ.

Marc

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
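
Added example, not part of the original message: a short audit that compares packet-filter decisions between the vendor's DMZ host and the prototype with the services the vendor declared beforehand, which is how a mismatch like the Windows-shares request in the story shows up. The log format, addresses and the declared-service list are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the vendor declared only Terminal Services (TCP/3389) beforehand.
DECLARED = {("tcp", 3389)}

# Constructed sample lines in a hypothetical packet-filter log format.
# 192.0.2.10 stands for the vendor host in the DMZ, 10.1.1.20 for the prototype.
SAMPLE_LOG = """\
2003-04-01T09:12:01 ACCEPT tcp 192.0.2.10:1042 -> 10.1.1.20:3389
2003-04-01T09:15:40 DROP tcp 192.0.2.10:1055 -> 10.1.1.20:445
2003-04-01T09:15:41 DROP tcp 192.0.2.10:1056 -> 10.1.1.20:139
2003-04-01T09:15:43 DROP udp 192.0.2.10:137 -> 10.1.1.20:137
2003-04-01T09:21:10 ACCEPT tcp 192.0.2.10:1071 -> 10.1.1.20:445
garbage line
"""

LINE = re.compile(r"^(\S+) (ACCEPT|DROP) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def audit(log_text, declared=DECLARED):
    """Return (attempts, gaps, unparsed) for flows outside the declared services."""
    attempts = Counter()  # dropped flows to undeclared services
    gaps = []             # accepted flows to undeclared services (filter too open)
    unparsed = []         # lines that do not match the expected format
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        _ts, action, proto, src, _sport, dst, dport = m.groups()
        if (proto, int(dport)) in declared:
            continue  # declared use, nothing to report
        if action == "DROP":
            attempts[(src, dst, proto, int(dport))] += 1
        else:
            gaps.append(line)
    return attempts, gaps, unparsed


if __name__ == "__main__":
    for name, result in zip(("attempts", "gaps", "unparsed"), audit(SAMPLE_LOG)):
        print(name, result)
```

Dropped flows to undeclared ports show what the vendor actually wanted to do; an accepted one means the filter is wider than the agreement and should be tightened.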

