Re: Security concerns with VPN over IPSEC passthrough

From: Greg Hennessy (nntp@NOSPAM.cmkrnl.cix.co.uk)
Date: 07/22/02 

From: Greg Hennessy <nntp@NOSPAM.cmkrnl.cix.co.uk>
Date: Mon, 22 Jul 2002 21:26:02 +0100

On Mon, 22 Jul 2002 14:38:30 -0400, "JJB"
<103REMOVE-THIS267.1555@compuserve.com> wrote:

>I understand this can be accomplished
>through a corporate firewall if the firewall supports IPSEC passthrough,
>right?

Depends on the VPN server/software. Some support variations of UDP/TCP
encapsulation of IPSEC, so there is no need to support dedicated IPSEC
passthru per ce. Just plain NAT/PAT will do.

>
>My real question is that currently workstations on the private LAN are
>protected by the firewall with all it's security. If the workstation on the
>private LAN has a VPN tunnel to the public Internet server, does this bypass
>all the security that is in place in the corporate firewall

Potentially, if the client is setup with a split tunnel, most definitely.

> in that the
>private workstation is now wide open to anything running on the other end of
>the VPN tunnel? If so this also opens up the entire private LAN, no?

It can do. Where does the tunnel terminate ? On the remote server or on a
remote VPN device ? Do you own and manage that remote VPN device ?

I generally have a pretty simple policy when it comes to running tunnels
through firewalls, the phrase 'you must be joking' comes to mind.

If you are going to provide the access, do on it a dedicated system
physically disconnected from the core LAN. If you dont control both end
points of the tunnel. Dont allow it.

What the business need for needing remote VPN access ?

greg

>
>Appreciate any comments in this area, thanks
>James
>
> 

--
$ReplyAddress =~ s#NOSPAM\.##;
Mein herz brennt...

Relevant Pages

  • Re: More on Remote Desktop
    ... Chances are good, though, that he's already got VPN capabilities on his ... firewall to do it for $100. ... > server at home...or purchase additional/new hardware... ... >> my firewall makes the PPPoE connection to my ADSL ISP. ...
    (microsoft.public.windowsxp.network_web)
  • Re: More on Remote Desktop
    ... You realize the Remote Desktop data stream is encrypted the same as a PPTP VPN link... ... Unless of course the original poster wants to implement an L2TP/IPSec VPN server at home...or ... > firewall to get between your clients and server on your own LAN. ... > setup so that my firewall makes the PPPoE connection to my ADSL ISP. ...
    (microsoft.public.windowsxp.network_web)
  • Re: VPN Firewall for new webserver
    ... > I'm setting up a webserver at a colocation and I need to put a VPN ... You're not going to get a quality firewall for that amount, ... and D-Link makes a DI-804HV unit ... users access to the SQL server, let them do it through a VPN session. ...
    (comp.security.firewalls)
  • Re: Cant logon to computer in SBS Domain..
    ... Does the user can access and log on to the Remote Web Workplace? ... Whether you can connect and log on to the server desktop through RWW? ... On the Firewall page, ensure that Enable firewall is selected. ... About External Firewall VPN ...
    (microsoft.public.windows.server.sbs)
  • Re: Setting up SBS 2000 w/SonicWall Firewall VPN, Need help.
    ... what I'm tyring to do is simply get our VPN to work. ... installed the sonicwall client software on ... pipe from my home to the firewall. ... how to I access the server so I can send/retrieve data? ...
    (microsoft.public.backoffice.smallbiz2000)