Firewall Wizards mailing list archives
Re: Subject: tunnel vs open a hole
From: "D Sanchez" <crypto-map () cox net>
Date: Sun, 6 Apr 2003 18:37:04 -0700
Anton,

Interesting... to tunnel or not to tunnel? Well, it really depends on many factors, but most importantly is how well you can document the access, since undocumented tunneling can become an administrative nightmare and a liability/risk. Simply opening a port to one host inbound may be the easiest way to audit/document the inbound access but may leave you open over that port. If you can authenticate/xauth the access, either tunneled or conduited/open-port-hole, with an AAA server on the (trusted) inside, that would be even more secure/auditable, and if you can put two factors on the Auth/xauth process (token, smartcard etc. plus AAA account) that would be even better.

Another thing to consider is how friendly the firewall is to tunneling. PIX is relatively easy to allow tunneled packets over (i.e. GRE, IPSec, GRE over IPSec, SOCKS over SSL...) but some firewalls are a real pain to tunnel over, like Raptor etc., since they see datagrams/segments as if they were covert channeling. Also, some tunneling protocols have issues with NAT or PAT, so you should keep this in mind if indeed you're translating addresses (outside or inside) on the firewall; you may just have to deny NAT for the hosts involved, which is also easier on the PIX than on other products.

I prefer tunneling, and tunneling with 2-factor xauth if possible, but this is always a more complex solution that would require increased administration/documentation. Then again I would like to see IPSec on everything so I may be a bit biased.

dan sanchez CISSP

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
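An added illustration of the two approaches the post contrasts on a PIX 6.x, not configuration from the poster or the list: the "open a hole" variant (a static plus an inbound ACL for one port to one host) beside the "tunnel" variant (IPSec with NAT exemption for the tunneled hosts and xauth against an inside RADIUS AAA server). All addresses, names and the shared key are constructed placeholders; the second factor lives on the AAA server, which the PIX only forwards to.

```cisco
! ---- Option 1: open a hole (one port, one host, no authentication on the PIX) ----
! Placeholder addresses (RFC 5737 documentation ranges); adjust to your own.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.10 eq 1433
access-group outside_in in interface outside
! Easy to audit: one line says exactly who may reach which port.
! Risk: that port is exposed to the listed source with only the application's own auth.

! ---- Option 2: IPSec tunnel with NAT exemption and xauth to an inside AAA server ----
! Inside AAA server (RADIUS); the token/smartcard factor is enforced there, not on the PIX.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.5 PLACEHOLDER_RADIUS_KEY timeout 5

! Deny NAT/PAT for traffic between the local LAN and the remote tunneled network,
! so IPSec-protected packets keep their real addresses (the NAT problem the post mentions).
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Traffic that must go through the tunnel (same hosts as the NAT exemption).
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Let decrypted IPSec traffic bypass the interface ACLs instead of opening ports.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP) and phase 2 (IPSec) parameters.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key PLACEHOLDER_PRESHARED_KEY address 198.51.100.7 netmask 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-traffic
crypto map vpnmap 10 set peer 198.51.100.7
crypto map vpnmap 10 set transform-set strong

! Extended authentication: every tunnel user must also authenticate to the AAA server,
! which gives the per-user audit trail the post asks for.
crypto map vpnmap client authentication RADIUS
crypto map vpnmap interface outside
```

The cost of option 2 is visible in the line count: every extra line is something that has to be documented and kept in sync with the AAA server and the peer.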