Re: Site-to-site VPN to client, good idea?

"ac130" wrote:

Phillippe,

Thank you for taking the time to answer my questions. Your post validated my
concerns about creating the site-to-site VPN to our client. We've actually
discussed a scenario similar to your second suggestion and we're probably
going to implement something similar.

Again thanks for your input and by the way, your English is perfectly fine :)


"Philippe Gillet [CISSP-CISA-CISM]" wrote:

Hi,

Indeed, it is the main problem with site-to-site VPN. This is often done in
the context of a company with many offices in many countries.
In that case, the security policy is the same for the whole company and they can
control what is done with multiple access control software, logs, etc.
In your case, you give complete access to your LAN to the other company.
Yes, you open the door, clearly!
You have 3 solutions:

--> You make an agreement where you state that they will be monitored, they
will have to respect your security policy, etc. You can monitor their
potential fraudulent activities with an IDS, for example, to be sure to
detect viruses, hacking, etc.
The main problem with that is the reaction time: you will act after the
problem happens, not before.

--> You restrict their VPN and redirect them to a VLAN or isolated private
LAN, and enforce an ACL that will only permit them file transfer and
RDP, for example.

--> You don't make a site-to-site VPN. You allow them to use FTP + RDP +
others if necessary (it's better to use SFTP or SCP) to get the files,
but you have to set up a server with an FTP server or equivalent and configure
port address translation on your PIX.



The choice is yours. (don't choose the first if possible...)


+++

Excuse my bad English writing ;-(

If you terminate the VPN connection in your PIX firewall, then access is not
necessarily wide open.
You can configure the PIX to restrict the range of IP addresses in your LAN
that the VPN connection can access.
I forget the exact details, but I learnt this and implemented it when setting
up 'split-tunnelling' in this context some years ago.

A search on this term + 'Cisco Pix' should get you some info.

--
HTH,
Newell White
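As an added illustration of Philippe's second option and Newell's point about restricting what the tunnel can reach (this is example configuration, not from either poster), here is a PIX 6.3-style fragment that limits the client's tunnel to an isolated transfer segment and then only permits RDP and SSH/SFTP to one host there. All addresses, object names and the peer IP are constructed placeholders, the ISAKMP phase-1 settings are assumed to exist already, and lines starting with ':' are configuration comments.

```cisco
: Constructed example: 192.168.50.0/24 is our isolated transfer VLAN,
: 10.20.0.0/24 is the client's LAN, 203.0.113.10 is the client's VPN peer.
: 1) Crypto ACL: only the isolated segment is "interesting" traffic, so the
:    rest of our LAN is never offered through the tunnel at all.
access-list client_vpn_traffic permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list client_vpn_traffic
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address client_vpn_traffic
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
: 2) Caveat: by default decrypted IPsec traffic bypasses the interface ACL.
:    Turn that off so the inbound ACL below is actually enforced on tunnel traffic.
no sysopt connection permit-ipsec
: 3) Interface ACL: from the client's subnet allow only RDP (3389) and
:    SSH/SFTP (22) to the single transfer host; log everything else they try.
access-list outside_in remark Client site-to-site VPN: transfer host only
access-list outside_in permit tcp 10.20.0.0 255.255.255.0 host 192.168.50.10 eq 3389
access-list outside_in permit tcp 10.20.0.0 255.255.255.0 host 192.168.50.10 eq 22
access-list outside_in deny ip 10.20.0.0 255.255.255.0 any log
access-group outside_in in interface outside
```

The logged denies give the IDS-style visibility Philippe mentions without relying on it alone: anything outside the two permitted services is dropped at the firewall and recorded.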
