RE: [fw-wiz] Remote access problem

From: scouserat_private
Date: Thu Oct 03 2002 - 17:13:36 PDT


    Thanks Rich
    I agree with your comments (sad but true)
    As for some details:
    The protocol required is a proprietary protocol; it uses two ports plus 
    ephemeral ports for return traffic (it is TCP).
    The authentication is to be done using 2-factor authentication with the PIX 
    box at their end (which will be using a CA server - probably MS). 
    At this stage they are talking about USB tokens.
    
    I am wondering if it would be possible to allow AH only from the VPN client, 
    and then encapsulate this in an ESP tunnel from our gateway.
    This would mean that traffic on our network would be in the clear (and I can 
    filter it / IDS it) but traffic over the internet would still be encrypted. It 
    would also satisfy their needs to do the authentication between the client and 
    their server.
    
    I am extremely unhappy about trusting another network, regardless of who it 
    is. In the end I am responsible for the security of our network and it is my 
    job on the line not theirs.
    
    Thanks for your help so far.
    James
    
    Quoting "Gautier . Rich" <RGautierat_private>:
    
    > Sounds to me like you need to put your foot down. Too often, the reason
    > for the DMZ is bypassed because of a business need. People need to
    > understand that security is a business need too. When you open a VPN to
    > someone, you have to be able to trust their security. If you can't
    > trust the other endpoint to have the same security standards that you
    > have, or if you can't trust the endpoint itself (contracting
    > competitor!), you shouldn't be opening a hole through your protections.
    > 
    > 
    >  You can mitigate the risk partly with end-point VPN connections on the
    > desktops themselves, but this still leaves any open holes on those
    > desktops as a vulnerability they can use to try to infiltrate your
    > network.
    > 
    >  You weren't very specific about the requirements, but I'm sure we
    > might have some suggestions, if you could give us some specifics (i.e.
    > what type of authentication needs to pass, what types of protocols
    > you're talking, etc.)
    > 
    >  But in the end, I think you've a battle on your hands. As firewall,
    > nay, as SECURITY admins, our responsibility is to protect the network,
    > and allowing a VPN'd user to infect your network with today's virus
    > because he had a 'business need' to connect to something, or because he
    > is inconvenienced, does not sound like something you want to happen.
    > 
    > Rich Gautier
    > Dynamics Research Corp
    > Personal Website - http://rgautier.tripod.com
    > Attachment is Public Key for the sender: rgautierat_private
    > 
    > 
    > -----Original Message-----
    > From: James X [mailto:scouserat_private]
    > Sent: Thursday, October 03, 2002 6:12 AM
    > To: 'firewall-wizardsat_private'
    > Subject: [fw-wiz] Remote access problem
    > 
    > 
    > I need ideas for solving a remote access issue.
    > 
    > Problem:
    > Users in my organisation require a connection to an application running
    > on a server in a second organisation.
    > The solution they came up with was an IPSec tunnel terminating on a PIX
    > box at their end and the PCs of the users in my organisation.
    > 
    > My issues:
    > The tunnel terminates inside my network, therefore I have no way of
    > filtering the traffic in the tunnel. They will be using a Cisco VPN
    > client.
    > Users need to be able to communicate with my network while the tunnel is
    > up, so I can't just cut them off while they use this facility.
    > The second organisation requires the users to authenticate with their
    > server, so I can't just put up a gateway - gateway solution.
    > Any suggestions would be welcome.
    > 
    > 
    > To add the cream to the cake the timeframe is very tight; in fact they
    > only thought my team (network security) might be interested a few weeks
    > before they planned to test this!! (when will people realise that
    > security concerns are best dealt with during design!)
    > 
    > 
    > 
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizardsat_private
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > 
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
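As an added illustration of the AH-then-ESP idea James floats above (this is not code from the thread or from any of its participants), the following Python builds a transport-mode AH packet and an ESP packet around the same TCP header and then shows what an observer on the inner network can recover from each. With AH, a filter or IDS that holds no SA key can still read the inner protocol and ports, while the receiving IPsec endpoint, which does hold the key, detects any tampering with the payload or the immutable IP fields; with ESP, the same observer sees only the SPI and sequence number. The AH layout and the mutable-field zeroing follow RFC 2402 and the HMAC-SHA1-96 ICV follows RFC 2404; the key, addresses, SPIs and ports are constructed sample values, and the ESP "cipher" is a labelled stand-in keystream rather than a real ESP transform.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the MAC is truncated to 96 bits

# Constructed sample SA key for this demo; a real SA key is negotiated by IKE.
SAMPLE_KEY = b"constructed-demo-key-not-a-real-sa-key"


def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header, no options. The checksum is left at zero;
    it is a mutable field and is zeroed for the AH ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                       proto, 0, _addr(src), _addr(dst))


def tcp_header(sport, dport):
    """20-byte TCP SYN header with a constructed sequence number and window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0x10000000, 0, 5 << 4,
                       0x02, 65535, 0, 0)


def _ah_immutable_ip(ip_hdr):
    """RFC 2402: zero the mutable IPv4 fields (TOS, flags/fragment offset, TTL,
    header checksum) before the outer header is fed into the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def _icv(key, ip_hdr, ah_hdr_zero_icv, payload):
    """HMAC-SHA1 over immutable IP header + AH header (ICV zeroed) + payload."""
    data = _ah_immutable_ip(ip_hdr) + ah_hdr_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, next_header, payload):
    """Transport-mode AH: IP | AH | payload. AH header = next header, payload
    length (32-bit words minus 2), reserved, SPI, sequence number, ICV."""
    ah_total = 12 + ICV_LEN                  # 24 bytes
    payload_len_field = ah_total // 4 - 2    # 4 for HMAC-96 over IPv4
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_total + len(payload))
    ah_zero = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ah_zero += b"\x00" * ICV_LEN
    return ip_hdr + ah_zero[:12] + _icv(key, ip_hdr, ah_zero, payload) + payload


def _keystream(key, seq, n):
    """Constructed stand-in for the ESP cipher (SHA-256 counter keystream).
    Real ESP uses e.g. AES; the only property needed here is opacity."""
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + struct.pack("!II", seq, ctr)).digest()
    return out[:n]


def build_esp_packet(key, src, dst, spi, seq, payload):
    """ESP: IP | SPI | seq | ciphertext. ESP trailer and ICV omitted for brevity."""
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, seq, len(payload))))
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + 8 + len(ct))
    return ip_hdr + struct.pack("!II", spi, seq) + ct


def _split_ah(pkt):
    """Return (ip_hdr, fixed AH header, ICV, payload) for an AH packet."""
    ihl = (pkt[0] & 0x0F) * 4
    rest = pkt[ihl:]
    ah_total = (rest[1] + 2) * 4
    return pkt[:ihl], rest[:12], rest[12:ah_total], rest[ah_total:]


def inspect_packet(pkt):
    """The view of a filter or IDS on the inner network: no SA key, headers only."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == IPPROTO_AH:
        _, ah_fixed, _, payload = _split_ah(pkt)
        next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
        view = {"mode": "AH", "spi": spi, "seq": seq, "inner_proto": next_hdr}
        if next_hdr == IPPROTO_TCP:          # ports are readable, so filterable
            view["sport"], view["dport"] = struct.unpack("!HH", payload[:4])
        return view
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        return {"mode": "ESP", "spi": spi, "seq": seq, "inner_proto": None}
    return {"mode": "plain", "inner_proto": proto}


def verify_ah_icv(key, pkt):
    """The receiving IPsec endpoint's check; it does hold the SA key."""
    if pkt[9] != IPPROTO_AH:
        return False
    ip_hdr, ah_fixed, icv, payload = _split_ah(pkt)
    expected = _icv(key, ip_hdr, ah_fixed + b"\x00" * len(icv), payload)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    tcp = tcp_header(40123, 7001)
    ah = build_ah_packet(SAMPLE_KEY, "10.0.0.5", "192.0.2.10", 0x100, 1, IPPROTO_TCP, tcp)
    esp = build_esp_packet(SAMPLE_KEY, "10.0.0.5", "192.0.2.10", 0x200, 1, tcp)
    print("AH as seen by the IDS :", inspect_packet(ah), "icv ok:", verify_ah_icv(SAMPLE_KEY, ah))
    print("ESP as seen by the IDS:", inspect_packet(esp))
```

Two caveats fall straight out of the ICV construction: because the ICV covers only the immutable IPv4 fields, a router decrementing the TTL does not break it, but any NAT of the client's source address on the way out of the inner network does, so the gateway's outbound ESP leg would have to encapsulate the AH packet whole (tunnel mode) rather than rewrite its header. And the inner-network IDS can read and filter the AH payload but cannot itself validate the ICV, since only the two IPsec endpoints hold the SA key.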
    



    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 21:33:08 PDT