Firewall Wizards mailing list archives
Re: VPN and NAT
From: Ravi <ravivsn () roc co in>
Date: Thu, 05 Jun 2003 14:25:33 +0530
Hi Georges,

It would be better to answer your question to the point if we know what type of firewall your customer is using: a firewall with built-in VPN or something else. Generally, a VPN-enabled firewall has to look after the incoming VPN connections without threat to its security.
Regards
Ravi

Georges Dupont wrote:
Hello,

One of our customers is planning to allow roaming users to access its internal systems, through a VPN (and SmartCard/Radius auth). This will mean that the endpoints (laptops and home systems) security must be properly controlled, but it's not my current question.

The customer's network is already segmented, IP filtering and proxies at several levels, different DMZ and such. The customer is heavily using NAT, since its internal network uses 'real' IP addresses. The exchanges between inside and DMZ/outgoing proxies get NATed.

Currently, NAT is only "used" for outgoing connexions. Nothing from the outside goes directly anywhere inside. This could change with the VPN, where incoming connexions will reach internal systems.

So, my questions relate to how to properly set up this incoming stuff. Filtering is planned, but should we set up proxies in some VPN-related DMZ? If the need is to reach a few internal systems, we will statically NAT their addresses. This does not ensure security, only reachability. What measures should be taken to secure those connexions?

I must also say there are voices, inside, telling "NAT is enough, do not bother us with anything else". I do not agree at all, but I need arguments.

Tia,
--
Georges

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page <http://www.roc.co.in>