VPN WAN

Neil Ratzlaff neil.ratzlaff at UCOP.EDU
Wed Apr 12 15:36:58 EDT 2000


This NT WAN is not a replacement for anything, it will be totally new.  As
near as I can tell, the different offices plan to use the Cisco VPN only
for communication between the various NT servers, but not for anything
else.  I interpreted this to mean any other internet access is unrestricted
and would go direct, not through the WAN.  I assume Cisco can apply VPN
based on specified destination IP addresses and ignore anything else.

This whole idea wouldn't bother me as much if I could keep it all outside
my firewall, but I doubt I can manage that.  The VPN on my end would
terminate just outside the firewall, so at least it isn't a tunnel through
that.  I could put any NT systems here on a DMZ and block the M$ service
ports, but I think that means no one here could pretend all those disks and
printers out there are local on their machines, which appears to be the
point of all this.

If someone can point me to a URL that explains why this is bad, I would
appreciate it.  I also welcome examples of the risks.  For instance, what
problems can occur when a user in one place mounts a remote disk on a
compromised machine as local?

I doubt that any of the sites involved (except mine) have any type of
network security now, so they really don't care about it yet.

Thanks,
Neil


At 09:26 AM 4/11/00 -0700, Ryan Russell wrote:
>On Tue, 11 Apr 2000, Neil Ratzlaff wrote:
>
> > A high mucky-muck of my company wants to set up an NT domain with machines
> > scattered around the USA.  (Why is a little unclear to me, but he wants
> > it.....)  When this was proposed last year I screamed and they gave up, for
> > a while.  Now I want advice on whether putting a Cisco VPN router at each
> > office would be considered to offer enough security.  This is not for a lot
> > of traffic or for really important stuff.  They mostly claim to want to
> > share files and printers - even though no one can explain to me why someone
> > in Denver should want to print to a printer in Boston.  I doubt there are
> > firewalls or other network security at any of the sites.
> >
>
>I've done this.  There are some critical details to this setup which will
>determine how secure it is.  You mention WAN replacement (i.e. the VPN
>function replaces a traditional WAN line.)  I'd call this design reasonably
>safe if it's WAN ONLY.  That means, the field office doesn't get out to
>the Internet locally.  When I deployed this design, several South American
>field offices had Internet connections with Cisco routers acting as VPN
>devices.  When the South Americans wanted to hit an external web site or
>some such, they had to come all the way up to California, and go through a
>"real" firewall.  This is even if they're going to a web site in the same
>country as themselves.. up to the US, and back down.
>
>This meant as long as Cisco's crypto was correct and strong enough, and
>their access-lists worked, I was safe.
>
>If these sites were used to going out to the Internet locally (and they
>pay a performance penalty with the design I speak of) they may not be
>happy about the lost functionality/performance.
>
>                                         Ryan
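As an added illustration of the design discussed in both messages (not configuration from either poster): a classic Cisco IOS crypto map whose crypto ACL selects only the NT server-to-server traffic for IPsec, so everything else leaves the site in the clear, plus an inbound filter on the Internet interface that admits the Microsoft file-sharing ports only from the remote server. All addresses (RFC 5737 documentation ranges), the map name NTWAN and the pre-shared key placeholder are assumptions; only the named ACLs and the crypto settings decide how safe this is, which is the point Ryan makes.

```cisco
! Assumed addresses: local router 192.0.2.1, local NT server 192.0.2.10,
! remote router 203.0.113.2, remote NT server 198.51.100.10.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
crypto ipsec transform-set NTWAN esp-3des esp-sha-hmac
!
! Crypto ACL: only this server pair is encrypted.  Any traffic that does not
! match leaves the interface unencrypted, i.e. ordinary Internet access.
access-list 110 permit ip host 192.0.2.10 host 198.51.100.10
!
crypto map NTWAN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set NTWAN
 match address 110
!
! Inbound filter on the Internet interface.  Tunnel control and payload from
! the peer router are allowed; the Microsoft service ports (NetBIOS 135-139,
! SMB 445) are accepted only from the remote server.  Older IOS re-checks
! decrypted packets against this ACL, which the two host-to-host lines cover.
! Everything else on those ports, from anywhere, is dropped.
access-list 120 permit udp host 203.0.113.2 host 192.0.2.1 eq isakmp
access-list 120 permit esp host 203.0.113.2 host 192.0.2.1
access-list 120 permit tcp host 198.51.100.10 host 192.0.2.10 range 135 139
access-list 120 permit udp host 198.51.100.10 host 192.0.2.10 range 135 139
access-list 120 permit tcp host 198.51.100.10 host 192.0.2.10 eq 445
access-list 120 deny   tcp any any range 135 139
access-list 120 deny   udp any any range 135 139
access-list 120 deny   tcp any any eq 445
access-list 120 permit ip any any
!
interface Serial0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 120 in
 crypto map NTWAN
```

Note that this still leaves the DMZ question from Neil's message open: the remote server can reach the local one on the file-sharing ports through the tunnel, so a compromise of either server is reachable from the other side regardless of how strong the crypto is.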
