Re: do i need a new router
From: Leythos (void_at_nowhere.lan)
Date: 10/01/05
Date: Fri, 30 Sep 2005 23:55:32 GMT
In article <433dc503$1@mail.netspeed.com.au>, bellyup@the.bar says...
> Leythos wrote:
>
> > In article <433dae7a$1@mail.netspeed.com.au>, bellyup@the.bar says...
> >
> >>Leythos wrote:
> >>
> >>
> >>>In article <433cfc0b$1@mail.netspeed.com.au>, bellyup@the.bar says...
> >>>
> >>>
> >>>>I have not encountered an off-the-shelf router (without a 'modem'
> >>>>component) that fully supports inbound PPTP passthrough properly in
> >>>>quite some time. In those instances I just build an IPCop box which does
> >>>>support GRE properly.
> >>>>
> >>>>Another caveat to be aware of is a good number of those that do support
> >>>>inbound PPTP passthrough (most don't, despite claiming to) is that the
> >>>>number of concurrent connections is limited to about 2.
> >>>
> >>>
> >>>I just ran into an SMC BarricadePlus 7004FW unit that acts as a
> >>>PPTP/IPSEC end-point, you can set up 10 different PPTP end-point users
> >>>and passwords.
> >>>
> >>>It has no specific PPTP passthrough options that I can find, but, since
> >>>it acts as a PPTP end-point, it would make it simple for a small office.
> >>>
> >>>The 7004FW is an older unit, the newer version, one you can get most
> >>>places, is the SMCBR14VPN.
> >>>
> >>>http://www.smc.com/index.cfm?event=viewProduct&localeCode=EN_USA&cid=1&scid=17&pid=1354
> >>>
> >>
> >>That would be useless in the scenario the OP asked about. You *can*
> >>terminate the PPTP tunnels @ the border, but that means you either have
> >>to run the SBS box with a single NIC, or kill ISA/ publish Domain
> >>services on the 2nd NIC which should be filtering pretty much everything.
> >>It would be useful if you were only doing terminal services or similar,
> >>but for the same price you can purchase something that uses L2TP.
> >
> >
> > But, if the unit acts as a VPN (PPTP) end-point, it's very likely that
> > it handles GRE properly. None of the PPTP end-point units I've seen/used
> > have had problems with inbound GRE, only the cheap NAT units have
> > problems with it.
> >
> I think you missed the point I was trying to make. You *can* do what you
> suggest, the question is whether or not you *should*.
>
> internet -> [Router] <--LAN range 1--> [SBS external NIC | SBS internal NIC]
> <--LAN range 2--> [Internal PCs]
>
> If you terminate the PPTP session @ the router, it will have an IP*
> address on the outside interface of the SBS box. This means that you
> have to allow basically all traffic on what should be a filtering
> interface (e.g. only allowing PPTP, GRE, SMTP, HTTPS in). Standard SBS
> uses IPSec, NAT and port forwarding, Premium SBS includes all that plus
> ISA firewall.
And none of those should be trusted with it connected to a live public
connection - it needs a barrier device/server between the Internet and
the server itself. I've never liked ISA, and while that may go against
the ideals of SBS, I've never had a firewall (non-ISA) or an appliance
(a real firewall, not one of these NAT systems) let me down.
> If the SBS box terminates the PPTP session, the session will have an IP
> assigned via DHCP from the LAN/internal side of the SBS box. Impact is
> that next to nothing is accessible on the outside interface, unless you
> use an authenticated secure tunnel to get there. You can also enforce
> password security policies etc.
>
> SBS is best run with dual nics, with appropriate filtering and layers.
Not true, I've never had a customer compromised in 25+ years of working
with computers, and I've never set up a server exposed directly to a
public connection and always (since they became available) tucked them
behind a firewall appliance (or a firewall server). I don't like ISA or
the dual NIC setup for SBS.
>
> If it was a non-domain box, such as a terminal server behind the router,
> then the product you mention would be a worthwhile solution.
> E.
>
> *you will also have to set up rules to give individual clients specific
> IP's, or assign them @ the connectoid. If you run DHCP on the router SBS
> will have a kak.
I think you misunderstand my intention and how I normally work with
servers - I never allow a direct connection to the server for VPN
connections, and I never use dual NICs in a solution.
I install a barrier device, my choice is the WatchGuard Firebox x1000,
and use it to filter SMTP, HTTP, and other services for content and
malicious attachments - even blocking bad headers and such.
As for the PPTP connection to the device acting as an endpoint, I would
not do that in a dual NIC solution, a single NIC with a real firewall is
all that's needed. Since there seems to be a large number of people
doing the NAT router with a single NIC, I would at least want one with a
PPTP End-Point ability - and I would make sure that the PPTP
user/password DID NOT match the domain user/password - this would
provide two layers (oh, did I mention that in a firewall solution, not a
simple NAT solution, getting the VPN to the firewall still doesn't get
the user access to the network, they still have filtering rules applied
to them).
-- spam999free@rrohio.com remove 999 in order to email me
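The placement argument in E.'s quoted paragraphs above (terminating PPTP at the router forces the SBS external NIC to pass LAN range 1 wholesale, while terminating it on the SBS box leaves that interface passing only PPTP, GRE, SMTP and HTTPS) modelled as an added example that is neither poster's code: a stateless first-match ACL with constructed addresses (LAN range 1 as 192.0.2.0/24, a VPN client at 192.0.2.50, an Internet host at 198.51.100.7) and constructed probe packets.

```python
# Added illustration, not code from the thread. Models the inbound ACL on the
# SBS external NIC for both placements of the PPTP endpoint; addresses and
# packets are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers
LAN_RANGE_1 = "192.0.2.0/24"       # router <-> SBS external NIC (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    proto: int
    dport: int = 0                 # 0 for port-less protocols such as GRE


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: int = 0                 # 0 matches any port
    src: str = "0.0.0.0/0"         # any source


# PPTP terminated on the SBS box: the external NIC stays a filtering interface,
# passing only the PPTP control channel, its GRE data channel, SMTP and HTTPS.
# VPN clients get an internal-side address, so they never traverse this ACL.
SBS_TERMINATED = (
    Rule(TCP, 1723),               # PPTP control
    Rule(GRE),                     # PPTP data; this is what cheap NAT units break
    Rule(TCP, 25),                 # SMTP in
    Rule(TCP, 443),                # HTTPS in
)

# PPTP terminated on the router: VPN clients are ordinary hosts on LAN range 1
# needing domain services, so that whole range must pass; filtering is gone.
ROUTER_TERMINATED = SBS_TERMINATED + (
    Rule(TCP, 0, LAN_RANGE_1),
    Rule(UDP, 0, LAN_RANGE_1),
)


def allowed(pkt: Packet, policy) -> bool:
    """First-match allow, default deny."""
    for r in policy:
        if (pkt.proto == r.proto and r.dport in (0, pkt.dport)
                and ip_address(pkt.src) in ip_network(r.src)):
            return True
    return False


def exposed_ports(policy, probes) -> list:
    """Destination ports of the probes that reach the SBS box under a policy."""
    return sorted({p.dport for p in probes if allowed(p, policy)})
```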