VPN behind a firewall with NAT
Brad Kemp
kemp at INDUSRIVER.COM
Thu Jan 13 08:53:29 EST 2000
Ivan,
Ask them to open up the ports and protocols you need.
It is possible to use covert tunneling to create a tunnel in this environment.
A covert tunnel is one that appears to the firewall as an https (SSL) or TLS
request. I would not recommend implementing this without your customer's
approval; one of the fastest ways to lose a contract is to breach your
customer's security systems. This should only be deployed if the customer says
it's OK to tunnel, but doesn't want to touch the firewall. If your
customers are not letting you use dial up networking, it is unlikely they
would let you do this.
There are a few vendors who provide this type of tunneling;
usually it consists of establishing a tunnel through an SSL/TLS
connection. There are performance penalties involved with this type of
tunnel. If the tunnel experiences congestion, there will be an avalanche
of packets causing more congestion. This is due to the retransmission of
the same packet both at the SSL/TLS layer and at the application's TCP layer.
Be aware that this type of tunneling may not work well through certain proxy
servers. These servers disconnect and reconnect the SSL/TLS TCP connection
during periods of inactivity. Some vendors handle this poorly.
Brad
At 02:19 PM 1/12/00 -0500, Ivan Fox wrote:
>Some of our engineers are working at customer plants. They need to access
>NT and Lotus Notes servers back home here.
>
>The manufacturing plants which they are working in are highly secured. They
>are *not* allowed to use dial-up networking. They are working behind a
>firewalled network.
>
>We are using Checkpoint Firewall-1 with VPN-1. Should I just ask their
>network administrators to open ports 500 and 501 so that they can use
>SecureRemote to access the Lotus Notes servers and NT servers back home?
>
>Any pointers are appreciated.
>
>Thanks,
>
>Ivan
>
>VPN is sponsored by SecurityFocus.COM
>
--- -- --
Brad Kemp
Indus River Networks, Inc. BradKemp at indusriver.com
31 Nagog Park 978-266-8122
Acton, MA 01720 fax 978-266-8111
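The retransmission interaction Brad describes above (the same segment being resent by both the SSL/TLS tunnel and the application's TCP), shown as an added example that is not part of the original message and not code from Indus River Networks or any vendor product. It is a small constructed Python model: per-packet loss is assumed independent, time is in abstract units, ACK delay is ignored, and the inner TCP's retransmit timer (inner_rto) is assumed to fire before the tunnel's (outer_rto), which is the case that triggers the avalanche. It counts how many packets actually hit the wire when a TCP stream rides inside a reliable TLS/TCP tunnel versus a datagram tunnel (IPsec ESP style) where only the inner TCP retransmits.

```python
"""Constructed model of retransmission amplification in a TCP-over-TLS tunnel.

Compares an inner TCP connection carried inside a reliable TCP/TLS tunnel
(both layers retransmit, tunnel delivers in order) against the same
connection carried over an unreliable datagram tunnel (only the inner TCP
retransmits). Loss is per packet and independent; time units are abstract;
ACK transit delay is ignored. All of these are modelling assumptions.
"""
import random
from dataclasses import dataclass


@dataclass
class TunnelStats:
    segments: int           # inner TCP segments the application wanted sent
    wire_packets: int       # packets actually placed on the path
    inner_retransmits: int  # retransmissions by the inner (application) TCP
    outer_retransmits: int  # retransmissions by the outer TLS/TCP tunnel

    @property
    def amplification(self) -> float:
        """Wire packets per useful segment; 1.0 is the loss-free ideal."""
        return self.wire_packets / self.segments


def _outer_attempts(rng: random.Random, loss: float) -> int:
    """Attempts a reliable outer TCP needs until one copy gets through."""
    attempts = 1
    while rng.random() < loss:
        attempts += 1
    return attempts


def simulate(segments: int, loss: float, inner_rto: float, outer_rto: float,
             reliable_outer: bool, seed: int = 1) -> TunnelStats:
    """Push `segments` inner TCP segments through a tunnel and count packets.

    reliable_outer=True  models TCP-over-TLS: the tunnel keeps retransmitting
                         every byte queued into it and delivers in order.
    reliable_outer=False models a datagram tunnel (IPsec ESP / UDP): a lost
                         packet is simply gone and only the inner TCP resends.
    """
    if not 0.0 <= loss < 1.0:
        raise ValueError("loss must be in [0, 1)")
    rng = random.Random(seed)
    wire = inner_retx = outer_retx = 0

    for _ in range(segments):
        t, rto = 0.0, inner_rto     # inner TCP's clock and its current RTO
        delivered_at = None         # when the first good copy arrived
        last_arrival = 0.0          # head-of-line blocking in the byte stream
        while True:
            if reliable_outer:
                k = _outer_attempts(rng, loss)
                wire += k
                outer_retx += k - 1
                # An in-order stream: this copy cannot overtake an earlier
                # copy that the tunnel is still busy retransmitting.
                arrival = max(t + (k - 1) * outer_rto, last_arrival)
                last_arrival = arrival
                if delivered_at is None:
                    delivered_at = arrival
            else:
                wire += 1
                if rng.random() >= loss:
                    delivered_at = t
            # Inner TCP stops only once an ACK beats its retransmit timer;
            # otherwise it queues another copy into the tunnel.
            if delivered_at is not None and delivered_at <= t + rto:
                break
            inner_retx += 1
            t += rto
            rto *= 2                # exponential backoff
    return TunnelStats(segments, wire, inner_retx, outer_retx)


if __name__ == "__main__":
    for label, reliable in (("TCP over TLS/TCP", True),
                            ("TCP over datagrams", False)):
        s = simulate(segments=2000, loss=0.2, inner_rto=1.0, outer_rto=2.0,
                     reliable_outer=reliable)
        print(f"{label:20s} wire={s.wire_packets:5d} "
              f"inner_retx={s.inner_retransmits:4d} "
              f"outer_retx={s.outer_retransmits:4d} "
              f"amplification={s.amplification:.2f}")
```

Read the amplification column: with the same loss rate the datagram tunnel pays roughly 1/(1 - loss) packets per segment, while the TLS/TCP tunnel pays that plus every redundant inner copy, because the reliable outer layer insists on delivering copies the receiver no longer needs. Raising `loss` makes the gap grow faster than linearly, which is the congestion feedback the message warns about.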