Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: incoming NAT/PATs for VPN users

From: Dave Piscitello <dave () corecom com>
Date: Mon, 12 Feb 2007 10:01:35 -0500
I find it's much easier to design solutions for this kind of requirement at the user rather than network/host level.
We designed SSL VPNs to handle this kind of requirement for companies as large as DuPont and as small as 250 employees. Essentialy our clients wanted a per object authorization (e.g., a web page, a file share) and they want to create groups (employees within a partner company, supply chain providers, customers) that are authorized to access this object (or set of objects). Most SSL VPN products we've used and recommended allow different authentication methods for user groups, so you can have 2-factor for employees, UIPW for supply chain or customers, etc. 

Brian Loe wrote:

Lets say company A has a customer, company B. Company A needs to
provide access to several (lets say many) resources within its network
to a thousand or so employees at company B. Seems to me that you could
simply PAT all of company B's connections when they arrive and the
magic of networking should get them routed to the resources you've
allowed them and back without any problem. Is there something I'm
missing here?

Is an incoming PAT not available on, for instance, an ASA? What about
a PIX at 6.x or 7.x? What about incoming NAT pools for over a thousand
possible users? Anything change if they're physically coming in on a
DMZ port as opposed to the outside port - and needing access to
resources in another, lower DMZ port (don't ask why a VPN customer
would be trusted more than company A's web servers, that's just how it
is in this virtual company)?

I know we're not alone in providing VPN access to customers but I'm
virtually convinced everyone else is doing it better. I'm just hunting
real world examples of the "right way" of doing it.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Attachment: dave.vcf
Description:

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: