[fw-wiz] Secure access to LAN resources (WAS: terminal services)

From: Behm, Jeffrey L. (BehmJL@bvsg.com)
Date: 01/28/03


From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jan 28 16:28:18 2003

Hi Paul,

On Tue, 28 Jan 2003 proberts@patriot.net wrote:

> On Tue, 28 Jan 2003 natfirewall@netscape.net wrote:
> > Greetings,
> >
> > I am being asked to open port 3389 on our Corporate firewall and
> > direct incoming traffic on that port to a specific IP on our internal
> > network. Being the paranoid that I am, I do not want to do this but I
>
> I wouldn't do that for any money.

I thought everyone had a "price." ;-)

> Wes is right, a VPN is the right answer here. Without it, you don't have
> any protection for the machine, the protocol, or even against a DoS
> attack.
>
Wouldn't having a VPN simply _move_ the DoS to another machine/system, not
protect against it? My understanding is that VPN protects the data via
encrypted tunnel. Just because the data is encrypted doesn't imply it is
_desirable._ I suppose if you limit who can talk in the tunnel, then that
would help...is that what you are getting at?

While on this subject, but down a different and more general tangent...
Any opinions/gotchas/don't do's/do do's <-yuck/etc. on using
products/appliances such as Aventail or Neoteris as a _secure_ way to allow
employees and/or external clients/partners into resources on your LAN? These
devices supposedly create a VPN tunnel using SSL for encryption, which is
allowed out through most companies' firewalls, and allow the outsider to
connect to this DMZ appliance which, in turn, allows/denies access to LAN
resources based on authenticated users and the rulesets configured by the
admin.

(Aside: This may help lessen the support calls but opens up other issues,
such as "Does the other company know their computers are being connected to
your company's LAN?" I.e., what are the legal and/or ethical ramifications?)

Is there such a thing as _secure_ access to LAN resources over the Internet?

All opinions/experiences greatly appreciated. Feel free to respond off list,
if desired, so it doesn't turn into a religious war. I'm not looking for a
sales pitch, just real-world experiences/opinions.

Thanks
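The two designs the thread contrasts, a raw port-forward of TCP/3389 versus a DMZ appliance that authenticates the user and consults an admin rule set before anything is proxied toward the LAN, as an added toy model. This is example code written for this page, not code from the original post and not the Aventail or Neoteris products' own logic; the user names, passwords, salts, internal hosts and rules are all constructed for the example.

```python
"""Toy model of 'open 3389 on the firewall' vs. 'authenticated DMZ gateway'.

Constructed example: every host, user, password and rule below is made up.
"""
import hashlib
import hmac

# --- Constructed credential store -------------------------------------------
# A real appliance would consult LDAP/RADIUS; here the password hashes are
# derived in-line (PBKDF2-HMAC-SHA256) so the example runs offline.
_PBKDF2_ITERS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ITERS)


_SALT_ALICE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
_SALT_BOB = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # constructed
USERS = {
    "alice": {"groups": {"staff"},
              "salt": _SALT_ALICE, "hash": _derive("correct horse", _SALT_ALICE)},
    "bob":   {"groups": {"partner"},
              "salt": _SALT_BOB, "hash": _derive("battery staple", _SALT_BOB)},
}

# --- Constructed admin rule set: (group, internal host, port) ---------------
# Anything not listed is denied (default deny).
RULES = [
    ("staff",   "10.0.0.5", 3389),   # terminal server, staff only
    ("partner", "10.0.0.9", 443),    # partner-facing web app
]


def direct_port_forward(src_ip: str, dst_port: int):
    """Design 1: the firewall forwards TCP/3389 to an internal host.

    Returns the internal endpoint the packet lands on. Note that src_ip is
    never consulted: any source that can reach the firewall reaches the RDP
    service, and only the RDP service itself stands between them.
    """
    if dst_port == 3389:
        return ("10.0.0.5", 3389)
    return None


def authenticate(username: str, password: str):
    """Return the user's groups on success, None otherwise."""
    rec = USERS.get(username)
    # Run the KDF even for unknown names so timing does not reveal valid users.
    salt = rec["salt"] if rec else bytes(16)
    candidate = _derive(password, salt)
    if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
        return None
    return rec["groups"]


def gateway_decide(username: str, password: str, dst_host: str, dst_port: int) -> str:
    """Design 2: DMZ appliance. Authenticate first, then match the rule set.

    Nothing is proxied toward the LAN unless this returns "allow"; an
    unauthenticated client never gets a packet to the internal host.
    """
    groups = authenticate(username, password)
    if groups is None:
        return "deny:auth"
    for group, host, port in RULES:
        if group in groups and host == dst_host and port == dst_port:
            return "allow"
    return "deny:policy"


if __name__ == "__main__":
    print("port-forward, arbitrary source:", direct_port_forward("203.0.113.7", 3389))
    print("alice -> TS:", gateway_decide("alice", "correct horse", "10.0.0.5", 3389))
    print("alice, bad pw:", gateway_decide("alice", "nope", "10.0.0.5", 3389))
    print("bob -> TS:", gateway_decide("bob", "battery staple", "10.0.0.5", 3389))
    print("unknown user:", gateway_decide("mallory", "x", "10.0.0.5", 3389))
```

The point the model makes: with the port-forward, the only thing an arbitrary Internet host is denied is nothing; with the gateway, a wrong password or an unknown user fails before any rule is consulted, and a valid partner account still cannot reach the terminal server because no rule grants it.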