Security Basics mailing list archives
RE: VPN architecture for POCKET PC
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 1 Dec 2004 13:50:18 -0500
1. is there a way to limit users outside, and not to allow any tcp 50 and udp 500? "my client vpn is a pocket pc"
That all depends on the addresses that the users will be connecting from. If the PPC users are using an address space that you manage to connect to the Internet then, yes, you can limit the firewall to only allow that address range.
2. why do you specify 50 and 500 udp
I was making a wild guess that you would be using VPN through standard IPSEC. IPSEC requires ports to be opened on the firewall to allow incoming IPSEC traffic. Generally, the IPSEC protocol suite is made up of ESP, Encapsulating Security Payload, known as Protocol 50 (not TCP-50, TCP is protocol 6) and AH, IP Authentication Header, known as Protocol 51. Both of these protocols work at the transport layer. Once the VPN peers have negotiated and selected an algorithm for encrypting the tunnel (known as Phase 1), they then have to negotiate the level of encryption for the payload. This is known as Phase 2, or ISAKMP, Internet Security Association and Key Management Protocol. ISAKMP is UDP 500. There are many variations of the IPSEC iteration including L2TP, PPTP, GRE, SSL, TLS, ad nauseam. To learn more about the IP suite of protocols go to http://www.networksorcery.com/enp/protocol/isakmp.htm
3. could you please explain for me this point you have written: Users connecting can get a local address from a routable address pool within your DMZ
Generally, when you connect across the internet with ESP from a client to a VPN device you establish phase 1 with your public Internet address. Phase 2 is where Security Associations (SAs) and private IP addressing is assigned. Your VPN device will give a VPN client an address and routing table that can be used to connect to the private LAN. This is the DHCP pool that you must assign to your VPN device. In your case it should be an address space that isn't being used in your network because it's sitting in the DMZ.

    VPN Client
        |
        |
    INTERNET
        |
        |   - uses public IP
        |
    VPN DEVICE
        |
        |   - uses DMZ IP (read RFC1918)
        |
    FIREWALL
        |
        |   - Gets NAT'd to private IP (read RFC1918)
        |
    PRIVATE LAN

Here's a good link to get you started: http://vpn.shmoo.com/

Just Google VPN+DMZ+Firewall and see what you come up with.

Cheers,

Gary Freeman

********************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, do not read the contents and delete it immediately.
********************************************

-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com]
Sent: Wednesday, December 01, 2004 1:03 PM
To: Gary Freeman
Subject: RE: VPN architecture for POCKET PC

Hi Gary,

Thank you for your answer, I find your answer very interesting. I have some questions:

1. is there a way to limit users outside, and not to allow any tcp 50 and udp 500? "my client vpn is a pocket pc"
2. why do you specify 50 and 500 udp
3. could you please explain for me this point you have written: Users connecting can get a local address from a routable address pool within your DMZ
4. do you have a concrete document or documentation with examples of material and software of vpn in such an architecture?

Thank you very much
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
To: "hassan hani" <amni___ () hotmail com>, <security-basics () securityfocus com>
Subject: RE: VPN architecture for POCKET PC
Date: Wed, 1 Dec 2004 10:29:35 -0500

Hi Hassan,

I would place the VPN concentrator into the presentment DMZ and only allow access to the VPN device from ANY using Protocol 50 and UDP 500. Users connecting can get a local address from a routable address pool within your DMZ and then have the VPN assign a routing table to allow them to only access addresses that are on your LAN via the inside interface on the presentment firewall. The second firewall, facing your LAN, can then permit only the VPN pool addresses in and NAT them to services on the inside.

Gary Freeman

-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com]
Sent: Tuesday, November 30, 2004 1:37 PM
To: security-basics () securityfocus com
Subject: VPN architecture for POCKET PC

We have this architecture in our network:

    LAN -------------FW1 ----------FW2------------Internet
                            |
                            |
                           DMZ

We want to implement a VPN for usage only between a server in the LAN and the Pocket PC. The Pocket PC should be connected to GPRS.

My question is: where should the VPN Gateway be placed in the architecture above to permit security? How to be sure that there will be no intrusion?
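The two firewall policies Gary describes above (outer firewall: only ESP, IP protocol 50, and UDP 500 to the concentrator, optionally restricted to a managed source range; inner firewall: only the VPN client pool in, NAT'd to the LAN) modelled as a small packet-policy checker. This is an added example, not code from the thread; every address and the hypothetical function names are constructed placeholders.

```python
"""Policy model of the DMZ VPN placement discussed in the thread (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# IP protocol numbers: ESP is protocol 50 (not TCP port 50), UDP is protocol 17.
ESP, TCP, UDP = 50, 6, 17
ISAKMP_PORT = 500

# Constructed placeholder addresses; substitute your own ranges.
PPC_SOURCE_RANGE = ipaddress.ip_network("203.0.113.0/24")  # range the Pocket PCs egress from (assumed managed)
VPN_DEVICE_DMZ_IP = ipaddress.ip_address("172.16.10.5")    # concentrator's DMZ address
VPN_CLIENT_POOL = ipaddress.ip_network("172.16.20.0/24")   # pool the concentrator assigns to clients
LAN_SERVER = ipaddress.ip_address("10.0.0.25")             # the one LAN server clients may reach
INSIDE_NAT_IP = ipaddress.ip_address("10.0.0.254")         # address the inner firewall NATs pool clients to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def outer_firewall_permits(pkt: Packet, restrict_source: bool = True) -> bool:
    """Presentment (Internet-facing) firewall: default deny; only IPsec to the concentrator."""
    if ipaddress.ip_address(pkt.dst) != VPN_DEVICE_DMZ_IP:
        return False
    if restrict_source and ipaddress.ip_address(pkt.src) not in PPC_SOURCE_RANGE:
        return False
    if pkt.proto == ESP:                        # ESP carries the tunnelled payload
        return True
    if pkt.proto == UDP and pkt.dport == ISAKMP_PORT:  # ISAKMP/IKE negotiation
        return True
    return False                                # everything else, including "TCP 50", is dropped


def inner_firewall_translate(pkt: Packet) -> Tuple[bool, Optional[str]]:
    """LAN-facing firewall: only VPN pool addresses in, NAT'd to a LAN address.

    Returns (permitted, translated_source)."""
    if ipaddress.ip_address(pkt.src) not in VPN_CLIENT_POOL:
        return False, None
    if ipaddress.ip_address(pkt.dst) != LAN_SERVER:
        return False, None
    return True, str(INSIDE_NAT_IP)
```

Note that the VPN device's own DMZ address is outside the client pool, so traffic sourced from it is not passed by the inner firewall; only tunnelled clients holding a pool address are.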