[fw-wiz] VPN lockdown by dynamic IP?
From: Robert Fenerty (robert_at_fenerty.com)
Date: 12/05/03
- Previous message: Keith Anderson: "[fw-wiz] PIX DMZ inter-access via outside IP address"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com> Date: Fri, 5 Dec 2003 10:33:13 -0800
Hi,
I have setup an end to edge VPN to an office, and I'm trying to add an
extra layer of security. The office has a Cisco PIX 501 running 6.3(3)
and the users have version 3.6.6 of the Cisco VPN client.
I'd like to add an access list that only allows certain IP addresses to
VPN into the office. This would be trivial if the source IPs were
static. But the inbound connections will come from laptops that will be
connected to home networks with dynamic IPs. There are only a handful
of users, all technically savvy.
So here's what I'm thinking. Get each user to run one of these clients:
http://www.dyndns.org/services/dyndns/clients.html
These free clients update a centralized DNS. The TTL is low, so changes
to the IP are reflected fairly quickly.
So, (if possible) I'd like to setup an ACL that only allows VPN access
to, say, user1.dyndns.org. Hopefully, the IP wouldn't change during the
VPN session if the user's DHCP lease expires! Has anyone implemented a
scheme like this? Is it a lousy idea?
Another alternative is to lockdown by the address space of the user's
home ISP, which is less flexible; you can't VPN in if you take your
laptop to Paris. But at least this alternative would vastly decrease
the attack pool, if you follow me.
Thanks,
Robert
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Keith Anderson: "[fw-wiz] PIX DMZ inter-access via outside IP address"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
