Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall
From: Tracy Kennison (kennisonCUTITOUT_at_goodnet.com)
Date: 12/12/03
- Next message: Duane Arnold: "Re: What to do about attacks?"
- Previous message: Thomas Hertel: "Re: Trojans and other nasty things"
- In reply to:(deleted message) Leythos: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Next in thread: Leythos: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Reply:(deleted message) Leythos: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Reply: Dave: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
Date: Thu, 11 Dec 2003 16:22:45 -0700
Leythos <void@nowhere.com> wrote:
>In article <irkhtv8gao2otkig4mk0gd36n9lcfbd2hj@4ax.com>,
>kennisonCUTITOUT@goodnet.com says...
>>
Snipped out a lot of my stuff, focusing on your comments
>>
>> This setup requires me to open ports 443 (https), 444 (Windows
>> Sharepoint Service), and 4125. (Remote Web Workplace). My reason for
>> wanting a strong authentication/authorization mechanism on the
>> firewall is that I am concerned about an exploit being developed that
>> will directly attack these ports on my server.
>
>Why not do it the simple easy way - let them VPN into the firewall, once
>in the firewall, they can access the network on all ports from the
>encrypted tunnel.
>
I really like the Remote Web Workspace's ability to show the user's
desktop, and allow them to run any of their apps at work, but I assume
this will still be possible inside a VPN tunnel, right? (no real VPN
experience here, other than book knowledge). I also like the
simplicity of the setup, and their being able to do it from just
about anywhere (without worrying about Linksys devices on their end
and such), but I guess if I want strong security I have to give up
something.
>> However, as I start to look at the above firewalls I run into the
>> following issues (based on reading, no first hand experience):
>[snip]
>> With the WatchGuard Firebox III 500 it looks good until I read in the
>> User Guide (Pg 165-6) that when setting up users for remote access,
>> one of the steps is to provide their remote IP address. The whole
>> point of me using a user name mechanism is so I don't have to specify
>> a specific IP. The users can log on from any number of locations,
>
>That's not what it means - they are talking about remote users as in
>branch offices. If you get the 700 series it comes with VPN software
>that allows you to pre-package the VPN services and give the install
>disk to each person. You could also have them use aggressive mode and
>setup a Linksys at their homes, and create an IPSEC tunnel between the
>linksys (BEFVP41 unit) and the 700 so that they don't need anything on
>their computers. It would be 'nice' if they had fixed IP's, but with
>aggressive mode it will work with the remote offices (users) on a
>Dynamic connection.
>
Thanks for the clarification, although I thought this was outside the
VPN context, but I probably got confused here.
I really don't have a good handle on the difference between the branch
office, mobile, and remote user VPN yet. I thought I could get by
without the branch office option (on the 700, and an option on the
500, although the option makes it more expensive than the 700). Will
this still work ok with just the mobile and remote user VPN? Or do I
really need the branch office option?
>
>My other idea, why are you not wanting to use ISA that comes with SBS?
>(I don't use it either).
>
I only have the standard edition, not the premium. In hindsight I
wish I had gotten the premium edition. Based on some of the comments
in the SBS group, people really seem to like ISA. A lot of them seem
to support running it in addition to an external fw.
Thanks a bunch for the information. It was very helpful.
Tracy