[fw-wiz] VPN and NAT

From: Georges Dupont (dalong_at_ifrance.com)
Date: 06/04/03

To: <firewall-wizards@icsalabs.com>
Date: Wed, 4 Jun 2003 08:11:51 GMT

Hello,

One of our customers is planning to allow roaming users to access its
internal systems through a VPN (and SmartCard/RADIUS auth). This will
mean that the endpoints' (laptops and home systems) security must be
properly controlled, but that is not my current question.
The customer's network is already segmented, with IP filtering and proxies at
several levels, different DMZs and such.
The customer is heavily using NAT, since its internal network uses
'real' IP addresses. The exchanges between inside and DMZ/outgoing
proxies get NATed.
Currently, NAT is only "used" for outgoing connections. Nothing from the
outside goes directly anywhere inside. This could change with the VPN,
where incoming connections will reach internal systems.
So, my question relates to how to properly set up this incoming stuff.
Filtering is planned, but should we set up proxies in some VPN-related
DMZ? If the need is to reach a few internal systems, we will statically
NAT their addresses. This does not ensure security, only reachability.
What measures should be taken to secure those connections?
I must also say there are voices, inside, saying "NAT is enough, do
not bother us with anything else". I do not agree at all, but I need
arguments.

Tia,
-- Georges


_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
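The post's central point, that a static NAT entry gives reachability but not security, can be made concrete with a small policy model. The following is an added example written for this archive page; it is not code from Georges' post or from the firewall-wizards list, and every address, host name and port in it is constructed (RFC 5737 documentation space stands in for the customer's 'real' internal addresses, and 10.200.0.0/24 is an assumed VPN client pool). It evaluates the same VPN-sourced packets under two policies: the "NAT is enough" position (every translated host accepted on every port) and an explicit filter that accepts only the services the roaming users actually need, with everything else dropped by default.

```python
"""Static NAT vs. filtering for VPN-sourced traffic (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen on the VPN side
    dst: str        # destination address the VPN user addressed (pre-NAT)
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the rule applies to
    dst: str              # translated (VPN-visible) address, or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


# Constructed: VPN clients are assigned addresses from this pool after authentication.
VPN_POOL = "10.200.0.0/24"

# Constructed static (one-to-one) NAT table: address VPN users see -> real internal address.
# Note that this table only answers "where does this go"; it never answers "is this allowed".
STATIC_NAT = {
    "172.16.5.10": "203.0.113.10",   # hypothetical mail server
    "172.16.5.20": "203.0.113.20",   # hypothetical file server
}

# Policy 1: the "NAT is enough" position. Anything from the VPN pool is accepted;
# the only thing limiting reachability is whether a NAT entry exists.
NAT_ONLY: List[Rule] = [Rule(VPN_POOL, "any", None, "accept")]

# Policy 2: explicit per-service filtering on top of the same NAT table, default deny.
FILTERED: List[Rule] = [
    Rule(VPN_POOL, "172.16.5.10", 993, "accept"),   # IMAPS to the mail server only
    Rule(VPN_POOL, "172.16.5.20", 445, "accept"),   # SMB to the file server only
]


def filter_decision(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule wins; an unmatched packet is dropped (default deny)."""
    src = ip_address(pkt.src)
    for r in rules:
        if src not in ip_network(r.src):
            continue
        if r.dst != "any" and pkt.dst != r.dst:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        return r.action
    return "drop"


def reachable_internal(pkt: Packet, rules: List[Rule]) -> Optional[str]:
    """Filter first, then translate. Returns the real internal address the packet
    would reach, or None if it is dropped by policy or has no NAT mapping."""
    if filter_decision(pkt, rules) != "accept":
        return None
    return STATIC_NAT.get(pkt.dst)


def exposure(rules: List[Rule],
             ports: Tuple[int, ...] = (22, 80, 445, 993, 3389),
             client: str = "10.200.0.7") -> List[Tuple[str, int]]:
    """Audit helper: every (internal host, port) pair one VPN client can reach
    under the given policy, across the whole static NAT table."""
    found = []
    for vpn_visible in STATIC_NAT:
        for port in ports:
            real = reachable_internal(Packet(client, vpn_visible, port), rules)
            if real is not None:
                found.append((real, port))
    return sorted(found)


if __name__ == "__main__":
    for name, policy in (("NAT only", NAT_ONLY), ("NAT + filter", FILTERED)):
        print(f"{name}: {len(exposure(policy))} reachable host/port pairs")
        for host, port in exposure(policy):
            print(f"  {host}:{port}")
```

Under NAT_ONLY the audit lists every probed port on every mapped host, including SSH and RDP that no roaming user was meant to use, because the NAT table can only say where a packet goes; under FILTERED the same table yields exactly the two services that were deliberately opened, and a packet from outside the VPN pool, or to an address with no mapping, reaches nothing under either policy. The same separation applies to real firewall configurations: the NAT table and the filter ruleset are evaluated independently, and the filter is the only place a decision about what is allowed is made.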
