RE: [fw-wiz] Remote access problem

Date: 10/03/02

To: "Gautier . Rich" <>
Date: Thu Oct  3 20:14:16 2002

Thanks Rich
I agree with your comments (sad but true)
as for some details.
The protocol required is a proprietary protocol, it uses two ports plus
ephemeral ports for return traffic(it is tcp).
The authentication is to be done using 2 factor authentication with the PIX
box at their end (which will be using a CA server - probably MS)
At this stage they are talking about USB tokens.

I am wondering if it would be possible to allow AH only from the VPN client,
and then encapsulate this in an ESP tunnel from our gateway.
This would mean that traffic on our network would be in the clear (and I can
filter it / IDS it) but traffic over the internet would still be encrypted. It
would also satisfy their needs to do the authentication between the client and
their server.

I am extremely unhappy about trusting another network, regardless of who it
is. In the end I am responsible for the security of our network and it is my
job on the line not theirs.

Thanks for your help so far.

Quoting "Gautier . Rich" <>:

> Sounds to me like you need to put your foot down. Too often, the reason
> for the DMZ is bypassed because of a business need. People need to
> understand that security is a business need too. When you open a VPN to
> someone, you have to be able to trust their security. If you can't
> trust the other endpoint to have the same security standards that you
> have, or if you can't trust the endpoint itself (contracting
> competitor!), you shouldn't be opening a hole through your protections.
> You can mitigate the risk partly with end-point VPN connections on the
> desktops themselves, but this still leaves any open holes on those
> desktops as a vulnerability they can use to try to infiltrate your
> network.
> You weren't very specific about the requirements, but I'm sure we
> might have some suggestions, if you could give us some specifics (i.e.
> what type of authentication needs to pass, what types of protocols
> you're talking, etc.)
> But in the end, I think you've a battle on your hands. As firewall,
> nay, as SECURITY admins, our responsibility is to protect the network,
> and allowing a VPN'd user to infect your network with today's virus
> because he had a 'business need' to connect to something, or because he
> is inconvenienced, does not sound like something you want to happen.
> Rich Gautier
> Dynamics Research Corp
> Personal Website -
> Attachment is Public Key for the sender:
> -----Original Message-----
> From: James X []
> Sent: Thursday, October 03, 2002 6:12 AM
> To: ''
> Subject: [fw-wiz] Remote access problem
> I need ideas for solving a remote access issue.
> Problem:
> Users in my organisation require a connection to an application running
> on a server in a second organisation.
> The solution they came up with was a IPSec tunnel terminating on a PIX
> box at their end and the pcs of the users in my organisation.
> My issues:
> The tunnel terminates inside my network, therfore I have no way of
> filtering the traffic in the tunnel. The will be using a cisco VPN
> client.
> Users need to be able to communicate with my network while the tunnel
> is
> up so I can't just cut them off while they use this facility.
> The second orgnaisation require the users to authenticate with their
> server, so I can't just put up a gateway - gateway solution.
> Any suggestions would be welcome.
> To add the cream to the cake the timeframe is very tight, infact they
> only thought my team (network security) might be interested a few weeks
> before they planned to test this !! (when will people realise that
> security conerns are best dealt with during design !)
> _______________________________________________
> firewall-wiza rds mailing list
> lman/listinfo/firewall-wizards

Relevant Pages

  • security questions
    ... Which one of the following security tools allows administrators to easily ... What type of virus typically infects documents created by productivity ... When planning a threat control strategy for a network, ... What is the major barrier to the widespread use of biometric authentication ...
  • RE: 802.1x was: [fw-wiz] IPv6 comes in the game
    ... I don't think anyone here is implying that 802.1x authentication is the ... end-all method to securing a it wireless or not. ... in conjunction with a security policy that allows ... where I physically plug it in (it's logical place in the network scheme, ...
  • Re: [SLE] Duelling SAMBAs
    ... >>Lastly, SAMBA requires authentication, while NFS does not. ... >network is insecure ... ... NIS has very weak security. ...
  • Re: unchecking "simple" file sharing
    ... >a non-domain controlled network, I would appreciate it. ... and the increased security will probably save a lot of grief. ... and is selectable on XP Pro. ... With workgroup authentication, you have to have each account on each ...
  • SecurityFocus Microsoft Newsletter #50
    ... Subject: SecurityFocus Microsoft Newsletter #50 ... Specialist in Microsoft's Security Services Partner Program, ... Network Monitoring for Intrusion Detection ... Relevant URL: ...