[fw-wiz] Secure access to LAN resources (WAS: terminal services)

From: Behm, Jeffrey L. (BehmJL@bvsg.com)
Date: 01/28/03

From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jan 28 16:28:18 2003

Hi Paul,

On Tue, 28 Jan 2003 proberts@patriot.net wrote:

> On Tue, 28 Jan 2003 natfirewall@netscape.net wrote:
> > Greetings,
> >
> > I am being asked to open port 3389 on our Corporate firewall and
> > direct incoming traffic on that port to a specific IP on our internal
> > network. Being the paranoid that I am, I do not want to do this but I
>
> I wouldn't do that for any money.

I thought everyone had a "price." ;-)

> Wes is right, a VPN is the right answer here. Without it,
> you don't have
> any protection for the machine, the protocol, or even against a DoS
> attack.

Wouldn't having a VPN simply _move_ the DoS to another machine/system, not
protect against it? My understanding is that VPN protects the data via
encrypted tunnel. Just because the data is encrypted doesn't imply it is
_desirable._ I suppose if you limit who can talk in the tunnel, then that
would help...is that what you are getting at?

While on this subject, but down a different and more general tangent...
Any opinions/gotcha's/don't do's/do do's <-yuck/etc. on using
products/appliances such as Aventail or Neoteris as a _secure_ way to allow
employees and/or external clients/partners into resources on your LAN? These
devices supposedly create a VPN tunnel using SSL for encryption, which is
allowed out through most companies' firewalls and allows the outsider to
connect to this DMZ appliance which, in turn, allows/denies access to LAN
resources based on authenticated users and the rulesets configured by the

(Aside: This may help lessen the support calls but opens up other issues,
such as "Does the other company know their computers are being connected to
your company's LAN? I.E. What are the legal and/or ethical ramifications?)

Is there such a thing as _secure_ access to LAN resources over the Internet?

All opinions/experiences greatly appreciated. Feel free to respond off list,
if desired, so it doesn't turn into a religious war. I'm not looking for a
sales pitch, just real-world experiences/opinions.
