Re: Do VPN connections effectively bypass Firewalls?

From: David (davidwnh_at_adelphia.net)
Date: 09/26/03 

Date: Fri, 26 Sep 2003 20:46:43 GMT

You need to use a host based firewall installed on the VPN client machine.
Some VPN clients have built in firewalls which are best from the remote
network's point of view because that often allows the network admins to have
administrative control over the configurations. They also work rather
seamlessly compared to standalone host based firewalls. Some standalone
desktop firewalls work with certain types of VPNs; some that do work with
VPN clients allow you to effectively filter the VPN traffic, some don't.

Your example does not show what really happens. The initial packets would
use a source address in the packet header which corresponds to the DHCP
assigned address of your VPN adapter and a dest. address corresponding to
the internal network address of the destination machine at other end. The
vpn client software then takes and encrypts the entire packet including the
headers and adds its own headers which include a source address of your
internet facing adapter and a destination address of the internet facing
adapter on the VPN server. You are not really doing a NAT conversion , you
are encrypting a packet and encapsulating into another.

This would be different if you had your client machine behind a NAT router
or gateway, however the NAT conversion is done on the tunnel traffic
packets headers. Once again different if you are using something like
L2TP/IPSec for the VPN with NAT, because IPSEC adds it own headers which
have NAT issues.
>
> *Let's assume in a simple form that a (unencrypted) TCP/IP packets looks
> like this;
>
> <package>
> Destination IP: 64.236.24.20
> Destination port: 80
> Source IP: 192.168.1.2
> Source Port: 2179
> Payload
> </package>
>
> Where the internal IP would be NAT'd by the firewall
>
> *This is what I thought a VPN would do:
>
> <package>
> Destination IP: 10.0.1.2 (64.236.24.20)
> Source IP: 10.0.1.1 (192.168.1.2)
> <encrypted_payload>
> Encrypted original package
> </encrypted_payload>
> </package>
>
> Although the virtual adapter has a different IP, the normal IP would have
to
> be used to sent and receive the packages.
>
> *Now this is what I understand from your posting:
>
> <package>
> Destination IP: 10.0.1.2 (64.236.24.20)
> Destination port: 80
> Source IP: 10.0.1.1 (192.168.1.2)
> Source Port: 2179
> <encrypted_payload>
> Encrypted original package
> </encrypted_payload>
> </package>
>
> I understand from your story (and here is where I thought differently thus
> far) that the data is actually being send to the very same ports, and not
as
> I thought over a single 'line/connection'. where at the end-points the
data
> packets would be decrypted and only then the source and destination ports
> would be known.
>
> Is this correct?
> If that is so, then I agree with your story that a firewall would still be
> able to block/allow traffic based on ports (logically not on payload,
since
> the payload is encrypted).
> Otherwise I do not see how a firewall would be able to filter
> allowed/blocked packages since the ports will only be present in the
> original package which is encrypted.
>
> As you see I only have basic knowledge on networking and the involved
> encryption techniques, hence I do not know whether I am reading your
posting
> correct or not.
>

Relevant Pages

  • Re: More on Remote Desktop
    ... I still won't be opening up a port on my firewall for it, ... The Remote Desktop ... > Yes a VPN will work just fine. ...
    (microsoft.public.windowsxp.network_web)
  • Re: VPN
    ... Most SBS owners are going to have port 443 open for OWA and/or Exchange RPC ... If VPN is required additional ports need be ... RDP via RWW is inherently more secure due to this. ... Where I support your argument is if a proper firewall is implemented, ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 R2 limited to 5 VPN connections although I have a 30
    ... Another nail in the idea's coffin is that the port limited VPN is likely to open just those ports which intrusion mechanisms target (ie./eg. ... The only additional port used by the 'Connect to' process is port 4125 and though this would be forwarded from the firewall device to SBS at all times the port is protected by the SBS firewall until an authenticated user requests it open, at which time it is opened only to traffic from the requesting IP. ... Implement 2 factor authentication to RWW. ...
    (microsoft.public.windows.server.sbs)
  • Re: Outlook RPC/HTTP behind Sonicwall - is 443 sufficient?
    ... Make sure the Web Management Settings in the Sonicwall are not using port ... Soniwall Firewall and RWW ... After you have the Sonicwall set up, rerun CEICW (don't let it use UPNP to ... VPN) and then complete the rest of CEICW. ...
    (microsoft.public.windows.server.sbs)
  • Re: VPN/Firewall Question
    ... I'm not sure if Norton will let you permit other protocols besides TCP, UDP ... Check the web site for your VPN client to find out how to ... > When the Norton firewall is turned on it blocks incoming VPN sessions. ... > says that port 1723 isn't listening and the standard default is to block ...
    (microsoft.public.inetserver.iis.security)
Quantcast