Firewall Wizards mailing list archives

Re: VPN and NAT


From: Ravi <ravivsn () roc co in>
Date: Thu, 05 Jun 2003 14:25:33 +0530

Hi Georges,
It would be better to answer your question to the point if we knew what type of firewall your customer is using: a firewall with built-in VPN or something else. Generally, a VPN-enabled firewall has to look after the incoming VPN connections without threat to its security.

Regards
Ravi



Georges Dupont wrote:
Hello,

One of our customers is planning to allow roaming users to access its
internal systems, through a VPN (and SmartCard/Radius auth). This will
mean that the endpoints (laptops and home systems) security must be
properly controlled, but it's not my current question.
The customer's network is already segmented, IP filtering and proxies at
several levels, different DMZ and such.
The customer is heavily using NAT, since its internal network uses
'real' IP addresses. The exchanges between inside and DMZ/outgoing
proxies get NATed.
Currently, NAT is only "used" for outgoing connections. Nothing from the
outside goes directly anywhere inside. This could change with the VPN,
where incoming connections will reach internal systems.
So, my question relates to how to properly set up this incoming stuff.
Filtering is planned, but should we set up proxies in some VPN-related
DMZ? If the need is to reach a few internal systems, we will statically
NAT their addresses. This does not ensure security, only reachability.
What measures should be taken to secure those connections?
I must also say there are voices, inside, saying "NAT is enough, do
not bother us with anything else". I do not agree at all, but I need
arguments.

Tia,
-- Georges


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



--


The views presented in this mail are completely mine. The company is not
responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184

ROC home page <http://www.roc.co.in>


