VPN and NAT

["Georges Dupont" <dalong () ifrance com>]

Hello,

One of our customers is planning to allow roaming users to access its
internal systems, through a VPN (and SmartCard/Radius auth). This will
mean that the endpoints (laptops and home systems) security must be
properly controlled, but it's not my current question.
The customer's network is already segmented, IP filtering and proxies at
several levels, different DMZ and such.
The customer is heavily using NAT, since its internal network uses
'real' IP addresses. The exchanges between inside and DMZ/outgoing
proxies gets NATed.
Currently, NAT is only "used" for outgoing connexions. Nothing from the
outside goes directly anywhere inside. This could change with the VPN,
where incoming connexions will reach internal systems.
So, my questions relates to how to properly setup this incoming stuff.
Filtering is planned, but should we set up proxies in some VPN-related
DMZ ? If the need is to reach a few internal systems, we will statically
NAT their addresses. This does not ensure security, only reachability.
What measures should be taken to secure those connexions ?
I must also say there are voices, inside, telling "NAT is be enough do
not bother uswith anything else". I do not agree at all, but I need
arguments.

Tia,
-- Georges

_____________________________________________________________________
Envie de discuter en "live" avec vos amis ? Télécharger MSN Messenger
http://www.ifrance.com/_reloc/m la 1ère messagerie instantanée de France


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards