Security Basics mailing list archives

RE: VPN architecture for POCKET PC


From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 1 Dec 2004 13:50:18 -0500

1.   is there a way to limit users outside, and not to allow
any tcp 50 and udp 500 "my client vpn is a pocket pc"

That all depends on the addresses that the users will be connecting
from.  If the PPC users are using an address space that you manage to
connect to the Internet then, yes, you can limit the firewall to only
allow that address range.

2.  why do you specify 50 and 500 udp

I was making a wild guess that you would be using VPN through standard
IPSEC. IPSEC requires ports to be opened on the firewall to allow
incoming IPSEC traffic.  Generally, the IPSEC protocol suite is made up
of ESP, Encapsulating Security Payload, known as Protocol 50 (not
TCP-50, TCP is protocol 6) and AH, IP Authentication Header, known as
Protocol 51. Both of these protocols work at the transport layer.  Once
the VPN peers have negotiated and selected an algorithm for encrypting
the tunnel (known as Phase 1), they then have to negotiate the level of
encryption for the payload.  This is known as Phase 2, or ISAKMP,
Internet Security Association and Key Management Protocol.  ISAKMP is
UDP 500.

There are many variations of the IPSEC iteration including L2TP, PPTP,
GRE, SSL, TLS, ad nauseam. To learn more about the IP suite of protocols
go to http://www.networksorcery.com/enp/protocol/isakmp.htm

3.  could you please explain for me this point you have written:
Users connecting can get a local address from a routable
address pool within your DMZ

Generally, when you connect across the internet with ESP from a client
to a VPN device you establish phase 1 with your public Internet address.
Phase 2 is where Security Associations (SAs) and private IP addressing
are assigned.  Your VPN device will give a VPN client an address and
routing table that can be used to connect to the private LAN.  This is
the DHCP pool that you must assign to your VPN device.  In your case it
should be an address space that isn't being used in your network because
it's sitting in the DMZ.

 VPN Client
     |
     |
  INTERNET
     |
     | - uses public IP
     |
 VPN DEVICE
     |
     | - uses DMZ IP (read RFC1918)
     |
  FIREWALL
     |
     | - Gets NAT'd to private IP (read RFC1918)
     |
 PRIVATE LAN

Here's a good link to get you started:
http://vpn.shmoo.com/

Just Google VPN+DMZ+Firewall and see what you come up with.

Cheers,

Gary Freeman
********************************************
This transmission may contain information
that is privileged, confidential and/or
exempt from disclosure under applicable law.
If you are not the intended recipient,
do not read the contents and
delete it immediately.
********************************************


-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com] 
Sent: Wednesday, December 01, 2004 1:03 PM
To: Gary Freeman
Subject: RE: VPN architecture for POCKET PC

Hi Gary

Thank you for your answer;
I find your answer very interesting.

i have some questions:

1.   is there a way to limit users outside, and not to allow any tcp 50
and udp 500
"my client vpn is a pocket pc"

2.  why do you specify 50 and 500 udp

3.  could you please explain for me this point you have written:

Users connecting can get a local address from a routable address pool
within your DMZ


4.  do you have a concrete document or documentation with examples of
material and software of vpn in such an architecture


Thank you very much

From: "Gary Freeman" <Gary.Freeman () rci rogers com>
To: "hassan hani" <amni___ () hotmail com>, 
<security-basics () securityfocus com>
Subject: RE: VPN architecture for POCKET PC
Date: Wed, 1 Dec 2004 10:29:35 -0500

Hi Hassan,

I would place the VPN concentrator into the presentment DMZ and only
allow access to the VPN device from ANY using Protocol 50 and UDP 500.
Users connecting can get a local address from a routable address pool
within your DMZ and then have the VPN assign a routing table to allow
them to only access addresses that are on your LAN via the inside
interface on the presentment firewall.  The second firewall, facing your
LAN can then permit only the VPN pool addresses in and NAT them to
services on the inside.

Gary Freeman


-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com]
Sent: Tuesday, November 30, 2004 1:37 PM
To: security-basics () securityfocus com
Subject: VPN architecture for POCKET PC


We have this architecture in our network


LAN -------------FW1 ----------FW2------------Internet
                               |
                               |
                              dMZ



We want to implement a VPN for usage only between a server in the LAN
and the Pocket PC.

The Pocket PC should be connected to GPRS.

My question is:

Where should the VPN Gateway be placed in the architecture above to
permit security?

how to be sure that there will be no intrusion?

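Gary's two-firewall design from the thread, modelled as a small policy check so the rules can be reasoned about before they are typed into a real firewall. This is an added example, not code from the thread or from any product; every address below is a constructed placeholder and the port/protocol constants are the ones Gary names (ESP is IP protocol 50, ISAKMP is UDP 500, and "TCP 50" is not the same thing).

```python
import ipaddress
from dataclasses import dataclass

ESP = 50           # IP protocol number for ESP (not a TCP port; TCP itself is protocol 6)
UDP = 17           # IP protocol number for UDP
ISAKMP_PORT = 500  # ISAKMP/IKE listens on UDP 500

# Constructed sample addressing for the diagram in the thread (assumed, not real):
VPN_DEVICE = ipaddress.ip_address("203.0.113.10")       # VPN concentrator in the DMZ
GPRS_CLIENTS = ipaddress.ip_network("198.51.100.0/24")  # managed range the Pocket PCs arrive from
VPN_POOL = ipaddress.ip_network("172.16.50.0/24")       # RFC1918 pool the VPN device hands out
LAN_SERVER = ipaddress.ip_address("10.0.0.25")          # the one LAN server the clients may reach

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0  # only meaningful for UDP/TCP

def outer_firewall_allows(pkt: Packet, allowed_sources=None) -> bool:
    """Internet-facing firewall: only ESP and ISAKMP, and only toward the VPN device.
    If allowed_sources is given, 'ANY' is narrowed to that range (Gary's answer to
    question 1: possible only when the clients use an address space you manage)."""
    src = ipaddress.ip_address(pkt.src)
    if ipaddress.ip_address(pkt.dst) != VPN_DEVICE:
        return False
    if allowed_sources is not None and src not in allowed_sources:
        return False
    if pkt.proto == ESP:
        return True
    return pkt.proto == UDP and pkt.dport == ISAKMP_PORT

def inner_firewall_allows(pkt: Packet) -> bool:
    """LAN-facing firewall: only decrypted traffic sourced from the VPN pool,
    and only toward the single LAN server the Pocket PC is meant to use."""
    return (ipaddress.ip_address(pkt.src) in VPN_POOL
            and ipaddress.ip_address(pkt.dst) == LAN_SERVER)

def path_allowed(outer: Packet, inner: Packet, allowed_sources=None) -> bool:
    """Both hops must pass: the encrypted flow at FW2, the decrypted flow at FW1."""
    return outer_firewall_allows(outer, allowed_sources) and inner_firewall_allows(inner)
```

Run the functions against packets you expect to be dropped as well as ones you expect to pass; a TCP segment to port 50 is the classic misconfiguration the thread's question 2 is about.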