Firewall Wizards mailing list archives
VPN and NAT
From: "Georges Dupont" <dalong () ifrance com>
Date: Wed, 4 Jun 2003 08:11:51 GMT
Hello,

One of our customers is planning to allow roaming users to access its internal systems through a VPN (and SmartCard/Radius auth). This will mean that the security of the endpoints (laptops and home systems) must be properly controlled, but it's not my current question.

The customer's network is already segmented, with IP filtering and proxies at several levels, different DMZs and such. The customer is heavily using NAT, since its internal network uses 'real' IP addresses. The exchanges between inside and DMZ/outgoing proxies get NATed.

Currently, NAT is only "used" for outgoing connections. Nothing from the outside goes directly anywhere inside. This could change with the VPN, where incoming connections will reach internal systems.

So, my question relates to how to properly set up this incoming stuff. Filtering is planned, but should we set up proxies in some VPN-related DMZ? If the need is to reach a few internal systems, we will statically NAT their addresses. This does not ensure security, only reachability. What measures should be taken to secure those connections?

I must also say there are voices, inside, telling "NAT is enough, do not bother us with anything else". I do not agree at all, but I need arguments.

Tia,

--
Georges
Current thread:
- VPN and NAT Georges Dupont (Jun 04)
- RE: VPN and NAT Ben Nagy (Jun 05)
- Re: VPN and NAT Ravi (Jun 05)