Firewall Wizards mailing list archives
RE: Remote access problem
From: scouser () paradise net nz
Date: Fri, 04 Oct 2002 12:13:36 +1200 (NZST)
Thanks Rich I agree with your comments (sad but true) as for some details. The protocol required is a proprietary protocol, it uses two ports plus ephemeral ports for return traffic(it is tcp). The authentication is to be done using 2 factor authentication with the PIX box at their end (which will be using a CA server - probably MS) At this stage they are talking about USB tokens. I am wondering if it would be possible to allow AH only from the VPN client, and then encapsulate this in an ESP tunnel from our gateway. This would mean that traffic on our network would be in the clear (and I can filter it / IDS it) but traffic over the internet would still be encrypted. It would also satisfy their needs to do the authentication between the client and their server. I am extremely unhappy about trusting another network, regardless of who it is. In the end I am responsible for the security of our network and it is my job on the line not theirs. Thanks for your help so far. James Quoting "Gautier . Rich" <RGautier () drc com>:
Sounds to me like you need to put your foot down. Too often, the reason for the DMZ is bypassed because of a business need. People need to understand that security is a business need too. When you open a VPN to someone, you have to be able to trust their security. If you can't trust the other endpoint to have the same security standards that you have, or if you can't trust the endpoint itself (contracting competitor!), you shouldn't be opening a hole through your protections. You can mitigate the risk partly with end-point VPN connections on the desktops themselves, but this still leaves any open holes on those desktops as a vulnerability they can use to try to infiltrate your network. You weren't very specific about the requirements, but I'm sure we might have some suggestions, if you could give us some specifics (i.e. what type of authentication needs to pass, what types of protocols you're talking, etc.) But in the end, I think you've a battle on your hands. As firewall, nay, as SECURITY admins, our responsibility is to protect the network, and allowing a VPN'd user to infect your network with today's virus because he had a 'business need' to connect to something, or because he is inconvenienced, does not sound like something you want to happen. Rich Gautier Dynamics Research Corp Personal Website - http://rgautier.tripod.com Attachment is Public Key for the sender: rgautier () drc com -----Original Message----- From: James X [mailto:scouser () paradise net nz] Sent: Thursday, October 03, 2002 6:12 AM To: 'firewall-wizards () honor icsalabs com' Subject: [fw-wiz] Remote access problem I need ideas for solving a remote access issue. Problem: Users in my organisation require a connection to an application running on a server in a second organisation. The solution they came up with was a IPSec tunnel terminating on a PIX box at their end and the pcs of the users in my organisation. My issues: The tunnel terminates inside my network, therfore I have no way of filtering the traffic in the tunnel. The will be using a cisco VPN client. Users need to be able to communicate with my network while the tunnel is up so I can't just cut them off while they use this facility. The second orgnaisation require the users to authenticate with their server, so I can't just put up a gateway - gateway solution. Any suggestions would be welcome. To add the cream to the cake the timeframe is very tight, infact they only thought my team (network security) might be interested a few weeks before they planned to test this !! (when will people realise that security conerns are best dealt with during design !) _______________________________________________ firewall-wiza rds mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: Remote access problem Gautier . Rich (Oct 03)
- RE: Remote access problem scouser (Oct 03)