RE: Remote access problem

[scouser () paradise net nz]

Thanks Rich
I agree with your comments (sad but true)
as for some details.
The protocol required is a proprietary protocol, it uses two ports plus 
ephemeral ports for return traffic(it is tcp).
The authentication is to be done using 2 factor authentication with the PIX 
box at  their end (which will be using a CA server - probably MS) 
At this stage they are talking about USB tokens.

I am wondering if it would be possible to allow AH only from the VPN client, 
and then encapsulate this in an ESP tunnel from our gateway.
This would mean that traffic on our network would be in the clear (and I can 
filter it / IDS it) but traffic over the internet would still be encrypted. It 
would also satisfy their needs to do the authentication between the client and 
their server.

I am extremely unhappy about trusting another network, regardless of who it 
is. In the end I am responsible for the security of our network and it is my 
job on the line not theirs.

Thanks for your help so far.
James

Quoting "Gautier . Rich" <RGautier () drc com>:

> Sounds to me like you need to put your foot down. Too often, the reason
> for the DMZ is bypassed because of a business need. People need to
> understand that security is a business need too. When you open a VPN to
> someone, you have to be able to trust their security. If you can't
> trust the other endpoint to have the same security standards that you
> have, or if you can't trust the endpoint itself (contracting
> competitor!), you shouldn't be opening a hole through your protections.
>
>
>  You can mitigate the risk partly with end-point VPN connections on the
> desktops themselves, but this still leaves any open holes on those
> desktops as a vulnerability they can use to try to infiltrate your
> network.
>
>  You weren't very specific about the requirements, but I'm sure we
> might have some suggestions, if you could give us some specifics (i.e.
> what type of authentication needs to pass, what types of protocols
> you're talking, etc.)
>
>  But in the end, I think you've a battle on your hands. As firewall,
> nay, as SECURITY admins, our responsibility is to protect the network,
> and allowing a VPN'd user to infect your network with today's virus
> because he had a 'business need' to connect to something, or because he
> is inconvenienced, does not sound like something you want to happen.
>
> Rich Gautier
> Dynamics Research Corp
> Personal Website - http://rgautier.tripod.com
> Attachment is Public Key for the sender: rgautier () drc com
>
>
> -----Original Message-----
> From: James X [mailto:scouser () paradise net nz]
> Sent: Thursday, October 03, 2002 6:12 AM
> To: 'firewall-wizards () honor icsalabs com'
> Subject: [fw-wiz] Remote access problem
>
>
> I need ideas for solving a remote access issue.
>
> Problem:
> Users in my organisation require a connection to an application running
> on a server in a second organisation.
> The solution they came up with was a IPSec tunnel terminating on a PIX
> box at their end and the pcs of the users in my organisation.
>
> My issues:
> The tunnel terminates inside my network, therfore I have no way of
> filtering the traffic in the tunnel. The will be using a cisco VPN
> client.
> Users need to be able to communicate with my network while the tunnel
> is
> up so I can't just cut them off while they use this facility.
> The second orgnaisation require the users to authenticate with their
> server, so I can't just put up a gateway - gateway solution.
> Any suggestions would be welcome.
>
>
> To add the cream to the cake the timeframe is very tight, infact they
> only thought my team (network security) might be interested a few weeks
> before they planned to test this !! (when will people realise that
> security conerns are best dealt with during design !)
>
>
>
> _______________________________________________
> firewall-wiza rds mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards
>
>
>
>  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards