Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall
From: Tracy Kennison (kennisonCUTITOUT_at_goodnet.com)
Date: 12/12/03
- Next message: John: "Re: Spare server - OpenBSD+snort. Good choice or is there an alternative?"
- Previous message: bargepole: "Re: Kerio WINROUTE settings for version 5.x - help please !"
- In reply to:(deleted message) Leythos: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Next in thread: Leythos: "Re: Authentication on PIX, WatchGuard, Safe@Office & SonicWall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Dec 2003 21:41:55 -0700
On Fri, 12 Dec 2003 00:03:15 GMT, Leythos <void@nowhere.com> wrote:
>In article <i8thtvc70ne3drtsirlf11aegoikh1f6rh@4ax.com>,
>kennisonCUTITOUT@goodnet.com says...
>> Leythos <void@nowhere.com> wrote:
>>
>>
>> >In article <irkhtv8gao2otkig4mk0gd36n9lcfbd2hj@4ax.com>,
>> >kennisonCUTITOUT@goodnet.com says...
>> >>
>> Snipped out a lot of my stuff, focusing on your comments
>>
>> >>
>> >> This setup requires me to open ports 443 (https), 444 (Windows
>> >> Sharepoint Service), and 4125. (Remote Web Workplace). My reason for
>> >> wanting a strong authentication/authorization mechanism on the
>> >> firewall is that I am concerned about an exploit being developed that
>> >> will directly attack these ports on my server.
>> >
>> >Why not do it the simple easy way - let them VPN into the firewall, once
>> >in the firewall, they can access the network on all ports from the
>> >encrypted tunnel.
>> >
>> I really like the Remote Web Workspace's ability to show the user's
>> desktop, and allow them to run any of their apps at work, but I assume
>> this will still be possible inside a VPN tunnel, right? (no real VPN
>> experience here, other than book knowledge). I also like the
>> simplicity of the setup, and their being able to do it from just
>> about anywhere (without worrying about Linksys devices on their end
>> and such), but I guess if I want strong security I have to give up
>> something.
>
>I've not used the RWW, so if it can run inside your network they should
>be able to use it. They could also TS into their computers to the office
>once they made it through the firewall.
>
>> >> However, as I start to look at the above firewalls I run into the
>> >> following issues (based on reading, no first hand experience):
>> >[snip]
>> >> With the WatchGuard Firebox III 500 it looks good until I read in the
>> >> User Guide (Pg 165-6) that when setting up users for remote access,
>> >> one of the steps is to provide their remote IP address. The whole
>> >> point of me using a user name mechanism is so I don't have to specify
>> >> a specific IP. The users can log on from any number of locations,
>> >
>> >That's not what it means - they are talking about remote users as in
>> >branch offices. If you get the 700 series it comes with VPN software
>> >that allows you to pre-package the VPN services and give the install
>> >disk to each person. You could also have them use aggressive mode and
>> >set up a Linksys at their homes, and create an IPSEC tunnel between the
>> >Linksys (BEFVP41 unit) and the 700 so that they don't need anything on
>> >their computers. It would be 'nice' if they had fixed IPs, but with
>> >aggressive mode it will work with the remote offices (users) on a
>> >Dynamic connection.
>> >
>> Thanks for the clarification, although I thought this was outside the
>> VPN context, but I probably got confused here.
>>
>> I really don't have a good handle on the difference between the branch
>> office, mobile, and remote user VPN yet. I thought I could get by
>> without the branch office option (on the 700, and an option on the
>> 500, although the option makes it more expensive than the 700). Will
>> this still work ok with just the mobile and remote user VPN? Or do I
>> really need the branch office option?
>
>The branch office is only if you want to use a hardware device at the
>other end. If you want to let the users connect from anywhere you want
>the MOBILE USER software.
>
>> >My other idea, why are you not wanting to use ISA that comes with SBS?
>> >(I don't use it either).
>>
>> I only have the standard edition, not the premium. In hindsight I
>> wish I had gotten the premium edition. Based on some of the comments
>> in the SBS group, people really seem to like ISA. A lot of them seem
>> to support running it in addition to an external fw.
>
>I actually don't like ISA and would also run an appliance in front of
>it. There's just something about trusting MS to make a firewall that
>bothers me - not to mention it has to run on the SBS server also.
>
>A good appliance keeps me feeling secure.
>
>As another means, although I'll get flamed for it, you could allow your
>users to use the simple PPTP tunnel into the firewall.
>
>--
Thanks again for all the info. I now have a much better idea how to
approach this. Time for me to stop being lazy and do it the VPN way.
Do you recommend going the branch office approach for the links to the
home computers (rather than mobile)? Is it more secure? More
reliable? Faster? Other reason?
I have definitely had good experience with the Linksys BEFSX41, so if
it makes a good BO link to the Firebox that would be great.
I would still use the mobile approach for the road warriors I guess.
Of the firewalls I initially mentioned (PIX 506E, Firebox III 500/now
700, Safe@Office, SonicWall Pro 230) I expect you will probably
recommend the Firebox 700, correct? Or do you think one of the others
would actually be better for what I am trying to do?
I am definitely leaning towards the Firebox now, but almost feel this
sadistic need to cut my teeth on the PIX first (I do have a little
experience with their routers).
Anyway, thanks again.
Tracy
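The trade-off discussed in this thread (publish 443, 444 and 4125 directly to the Internet, or expose only a VPN endpoint and let tunnel users reach the services from inside) can be checked mechanically before buying a box. The script below is an added example, not code from either poster and not any vendor's rule syntax: a small first-match firewall rule evaluator with two constructed policies. The client pool 10.8.0.0/24, the outside test host 203.0.113.7 and the rule layout are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule: first match wins, implicit deny at the end."""
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "esp" or "any"
    dport: Optional[int]   # destination port; None means any port
    src: str               # permitted source, CIDR notation


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: Optional[int]
    src: str


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none matches."""
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if ip_address(pkt.src) not in ip_network(rule.src):
            continue
        return rule.action
    return "deny"


# The three services named in the thread, keyed by (protocol, port).
SBS_SERVICES = {
    ("tcp", 443): "https",
    ("tcp", 444): "sharepoint",
    ("tcp", 4125): "remote-web-workplace",
}

# Policy A (constructed): the services are published directly to the Internet.
DIRECT_POLICY = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "tcp", 444, "0.0.0.0/0"),
    Rule("allow", "tcp", 4125, "0.0.0.0/0"),
]

# Policy B (constructed): only the IPsec endpoint is reachable from the Internet;
# the services are reachable only from the address pool handed to VPN clients.
VPN_POOL = "10.8.0.0/24"   # assumed client pool for the mobile-user VPN
VPN_POLICY = [
    Rule("allow", "udp", 500, "0.0.0.0/0"),    # IKE
    Rule("allow", "udp", 4500, "0.0.0.0/0"),   # IKE / ESP over NAT-T
    Rule("allow", "esp", None, "0.0.0.0/0"),   # ESP
    Rule("allow", "tcp", 443, VPN_POOL),
    Rule("allow", "tcp", 444, VPN_POOL),
    Rule("allow", "tcp", 4125, VPN_POOL),
]


def reachable_services(rules: List[Rule], src: str) -> List[str]:
    """Which of the SBS services can a host at `src` reach under `rules`?"""
    return sorted(
        name for (proto, port), name in SBS_SERVICES.items()
        if evaluate(rules, Packet(proto, port, src)) == "allow"
    )


def internet_exposure(rules: List[Rule],
                      src: str = "203.0.113.7") -> List[Tuple[str, Optional[int]]]:
    """Every (proto, port) an arbitrary Internet host can reach: the real attack
    surface. Candidates are the SBS services plus the VPN endpoint ports."""
    candidates = list(SBS_SERVICES) + [("udp", 500), ("udp", 4500), ("esp", None)]
    return [c for c in candidates if evaluate(rules, Packet(c[0], c[1], src)) == "allow"]


if __name__ == "__main__":
    print("direct policy, Internet host:", reachable_services(DIRECT_POLICY, "203.0.113.7"))
    print("vpn policy,    Internet host:", reachable_services(VPN_POLICY, "203.0.113.7"))
    print("vpn policy,    tunnel client:", reachable_services(VPN_POLICY, "10.8.0.23"))
    print("vpn policy,    still exposed:", internet_exposure(VPN_POLICY))
```

The point the second policy makes explicit: moving the three application ports behind the tunnel does not remove the Internet-facing surface, it swaps three application listeners for the VPN endpoint (IKE on 500/4500 and ESP). That is usually a good trade, because one well-reviewed IPsec implementation with authentication in front of it is easier to keep patched than several application services, but the VPN box itself now has to be treated as the exposed component.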