Firewall Wizards mailing list archives
VPN lockdown by dynamic IP?
From: "Robert Fenerty" <robert () fenerty com>
Date: Fri, 5 Dec 2003 10:33:13 -0800
Hi,

I have set up an end-to-edge VPN to an office, and I'm trying to add an extra layer of security. The office has a Cisco PIX 501 running 6.3(3) and the users have version 3.6.6 of the Cisco VPN client.

I'd like to add an access list that only allows certain IP addresses to VPN into the office. This would be trivial if the source IPs were static. But the inbound connections will come from laptops that will be connected to home networks with dynamic IPs. There are only a handful of users, all technically savvy.

So here's what I'm thinking. Get each user to run one of these clients:

http://www.dyndns.org/services/dyndns/clients.html

These free clients update a centralized DNS. The TTL is low, so changes to the IP are reflected fairly quickly. So, (if possible) I'd like to set up an ACL that only allows VPN access to, say, user1.dyndns.org. Hopefully, the IP wouldn't change during the VPN session if the user's DHCP lease expires!

Has anyone implemented a scheme like this? Is it a lousy idea?

Another alternative is to lock down by the address space of the user's home ISP, which is less flexible; you can't VPN in if you take your laptop to Paris. But at least this alternative would vastly decrease the attack pool, if you follow me.

Thanks,
Robert

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
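The scheme the post describes, as an added example that is not part of the original message and not a Cisco or DynDNS tool: a script that resolves each user's DynDNS name, diffs the resulting source addresses against the set last applied, and prints the PIX 6.3 access-list commands that remove stale sources and add new ones (IKE on udp/500, NAT-T on udp/4500 and ESP, which is what the Cisco VPN client needs to reach the PIX). The ACL name outside_access_in, the outside address 203.0.113.10, the hostnames and the optional static ISP range are assumptions, and the resolver used in the demonstration is a constructed table so the script runs offline. Two caveats for anyone trying it: an address that changes while a tunnel is up is removed on the next run, which is the mid-session case the post worries about, so apply the diff rather than rewriting the whole list each time; and whether an inbound interface ACL on PIX 6.3 actually filters IKE and ESP that terminate on the PIX itself, rather than traffic passing through it, should be confirmed on the box before relying on this as the extra layer.

```python
"""Generate PIX 6.3 access-list updates from DynDNS names (added example).

ACL name, PIX outside address, hostnames and ISP range below are assumptions
for illustration; none of them come from the original post.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

ACL_NAME = "outside_access_in"   # assumed: ACL bound to the outside interface
PIX_OUTSIDE = "203.0.113.10"     # assumed: PIX outside address (TEST-NET-3)

# What the Cisco VPN client needs to reach the PIX.
SERVICES = (
    ("udp", "isakmp"),   # IKE, udp/500
    ("udp", "4500"),     # NAT traversal; a laptop behind a home router will use it
    ("esp", None),       # IP protocol 50, no port clause
)


def resolve_all(hosts: Iterable[str],
                resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Map each DynDNS name to its current A record.

    A name that fails to resolve is left out rather than admitting a stale
    address; reconcile() then removes whatever that user had before.
    """
    current: Dict[str, str] = {}
    for host in hosts:
        try:
            current[host] = resolver(host)
        except OSError:      # socket.gaierror is an OSError subclass
            continue
    return current


def host_source(ip: str) -> str:
    """ACL source clause for one address."""
    return f"host {ip}"


def net_source(cidr: str) -> str:
    """ACL source clause for an ISP range (the post's less flexible alternative).
    PIX 6.3 wants 'network mask', not CIDR notation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def acl_entries(source: str) -> List[str]:
    """The three ACEs that let one source bring up an IPsec tunnel to the PIX."""
    lines = []
    for proto, port in SERVICES:
        ace = f"access-list {ACL_NAME} permit {proto} {source} host {PIX_OUTSIDE}"
        if port is not None:
            ace += f" eq {port}"
        lines.append(ace)
    return lines


def reconcile(previous: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Commands that move the PIX from `previous` to `current` (name -> source clause).

    The diff is taken over the set of sources, not per user, so two users who
    sit behind the same home NAT do not lose their entry when only one of them
    moves, and a source that is unchanged is never touched.
    """
    old, new = set(previous.values()), set(current.values())
    cmds: List[str] = []
    for src in sorted(old - new):
        cmds += ["no " + ace for ace in acl_entries(src)]
    for src in sorted(new - old):
        cmds += acl_entries(src)
    return cmds


def plan(previous: Dict[str, str], hosts: Iterable[str], static_nets: Iterable[str] = (),
         resolver: Callable[[str], str] = socket.gethostbyname
         ) -> Tuple[Dict[str, str], List[str]]:
    """Resolve, then return (new state to persist, commands to apply)."""
    current = {h: host_source(ip) for h, ip in resolve_all(hosts, resolver).items()}
    for cidr in static_nets:
        current[cidr] = net_source(cidr)
    return current, reconcile(previous, current)


if __name__ == "__main__":
    # Constructed data: the state saved by the last run and a fake resolver
    # standing in for DNS, so the demonstration runs offline.
    saved = {"user1.dyndns.org": "host 198.51.100.7",
             "user2.dyndns.org": "host 198.51.100.8"}
    fake_dns = {"user1.dyndns.org": "198.51.100.7",   # unchanged
                "user2.dyndns.org": "192.0.2.44"}     # new lease at home
    state, commands = plan(saved, fake_dns.keys(), resolver=fake_dns.__getitem__)
    print("\n".join(commands))   # paste into config mode, then persist `state`
```

Run it from cron on a box that can reach the PIX; persist the returned state between runs, since the diff is only meaningful against what was actually applied last time.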
Current thread:
- VPN lockdown by dynamic IP? Robert Fenerty (Dec 06)