Virtual Private Network Question

Adam Northern AdamN at frontier-risk.com
Wed Sep 29 13:06:09 EDT 1999


I am interested in implementing a vpn at my work locations and have done
some research, even though it is hard to find a good reliable source of
unbiased information about vpns.  This is what I came up with, and I want to
run it by you peeps to make sure I'm not smoking crack or missing some
fundamental law of the universe.

use for vpn: mainly for file sharing for embedded work (microsofty)
documents and secure communication channels.

stuff already there:
Nt servers for authentication / userlogin(ugh)
microsoft exchange (ugh)
and lots of microsoft stuff.  The previous it person here was a big fan of
microsoft.  I am not.

All locations have a switch and router/firewall.

My idea.

build a dual homed linux or freebsd machine (2 nic cards) to act as a bridge
between the router and the switch.  it will use FreeS/WAN to create the
encrypted tunnels between the locations.
Filtering rules would be implemented on the vpn bridge to forward packets
destined for one of the other locations' ip addresses to be encapsulated and
sent to it via the 'real' router. This will be used for tcp/ip, udp/ip, and
*possibly* ipx/ncp and ipx/spx, even though I hope to replace the aging
Novell servers, which are very slow at what they do (but stable, one of them
has an uptime of 2 years) with more up to date equipment and possibly samba.
I am not sure what protocol netbios uses, but I would probably want to send
those through the tunnel as well so all the locations can play evil games
and stick tons of pr0n on the other locations' file servers just by going
into network neighborhood.  Also, the vpn bridges will be set to deny
anything coming in on the encrypted tunnel that is not from a trusted ip
address. Then I will get some bread, a knife, and some peanut butter and
jelly.  Eat it (sans the knife, of course).

all other outgoing/incoming packets will be handled as normal, going through
the main firewall.

the routers and vpn machines will have 'real' ip addresses, everything else
will be assigned ip addresses in the private range, most likely the class A
range, with a NAT.

Does this sound right? is there a better way to do it? Am I missing
something? Is my fly unzipped?


[network] S
[network] W
[network] I
[network] T --> VPN-----router---{ internet }---router-----VPN--- . . . 
[network] C    Bridge< . . . . . . . . . . . . . . . . . >Bridge
[network] H                (encrypted data tunnel)


Adam Northern
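The forwarding policy sketched in the post (encapsulate traffic for another location, send everything else through the main firewall, and drop anything arriving on the tunnel whose source is not a trusted address) can be modelled as a small decision function. The following is an added example for illustration, not code from the original post or from FreeS/WAN; the site names, the 10/8 subnets and the documentation-range public addresses are constructed sample values, and the `peer` argument stands for the tunnel the packet arrived on.

```python
"""
Model of the VPN bridge forwarding policy described in the post.
Added example: the topology below is constructed, not taken from the post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    lan: IPv4Network            # private subnet behind this site's bridge
    bridge_public: IPv4Address  # 'real' address the tunnel terminates on


# Constructed sample topology: three locations, each with a /16 out of 10/8
# (the "class A" private range mentioned in the post) behind its own bridge.
SITES = {
    "hq":     Site("hq",     ip_network("10.1.0.0/16"), ip_address("198.51.100.1")),
    "branch": Site("branch", ip_network("10.2.0.0/16"), ip_address("203.0.113.1")),
    "depot":  Site("depot",  ip_network("10.3.0.0/16"), ip_address("192.0.2.1")),
}


def outbound_decision(local: str, dst: str) -> str:
    """Where the bridge at `local` sends a packet leaving its LAN.

    Returns 'local' if the destination is on this site's own LAN,
    'encapsulate-><peer bridge>' if it belongs to another location,
    and 'firewall' for everything else (normal path via the main firewall).
    """
    dst_ip = ip_address(dst)
    if dst_ip in SITES[local].lan:
        return "local"
    for name, site in SITES.items():
        if name != local and dst_ip in site.lan:
            return f"encapsulate->{site.bridge_public}"
    return "firewall"


def tunnel_ingress_decision(local: str, peer: str, src: str, dst: str) -> str:
    """The 'deny anything on the tunnel not from a trusted address' rule.

    `peer` is the location whose tunnel delivered the packet, so the source
    is checked against that peer's LAN only: a packet claiming a third
    site's address but arriving over this peer's tunnel is dropped.
    Packets not addressed to this site's own LAN are also dropped, so the
    bridge never acts as a transit hop between two other locations.
    """
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip not in SITES[peer].lan:
        return "deny:untrusted-source"
    if dst_ip not in SITES[local].lan:
        return "deny:not-for-this-lan"
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets seen by the hq bridge.
    print(outbound_decision("hq", "10.2.5.7"))                       # to branch
    print(outbound_decision("hq", "8.8.8.8"))                        # internet
    print(tunnel_ingress_decision("hq", "branch", "10.2.5.7", "10.1.0.9"))
    print(tunnel_ingress_decision("hq", "branch", "10.3.5.7", "10.1.0.9"))
```

The design point worth keeping from this model is that the trust check keys on the tunnel a packet came in on, not just on the inner source address: with IPsec the per-connection subnet selectors bind each peer to its own address range, so a packet carrying another site's source address but arriving over the wrong tunnel fails the check rather than being accepted because the address happens to look internal.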
 

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************




More information about the VPN mailing list