[vpn] VPN and Domain rights

dgillett at deepforest.org
Fri Dec 7 16:27:27 EST 2001


> I cringe at allowing someone past my external PIX into the
> concentrator and passing all the ports ( SMB, NetBIOS etc.)
> through my internal PIX. Logically the VPN concentrator is my only
> security device. 

  Well, that's not quite true:

(a) It's in the DMZ; therefore, traffic reaching it from the outside 
must conform to the rules of the "external PIX", which should only be 
allowing encapsulated tunnel traffic to reach the concentrator.

(b) You haven't specified a make and model, but the VPN concentrators 
I'm familiar with (Cisco 30xx) are *designed* to be a security device 
-- using them in that role isn't much of a risk.

(c) If clients expect to access shares, etc., you're going to have to 
let them pass "SMB, NetBIOS etc." through the "internal PIX" anyway.  
You'd just stop forcing them to authenticate against Radius first -- 
and the pre-authentication traffic would be effectively proxied by 
the concentrator.

  (DMZs are usually implemented off a third..nth interface of a 
single firewall box, and so your reference to internal and external 
PIXes sounds a bit unusual.  Is there some special reason your 
network was built that way?)

DG


On 6 Dec 2001, at 19:54, Thomas Moore wrote:

> My company is currently trying to implement a VPN. Our external
> PIX passes through traffic to a concentrator that sits in its own
> DMZ. From there each person is authenticated locally on the
> concentrator and then via radius. If this all checks out, then you
> are allowed through and, based on your user ID, you are given a
> static private IP in a certain range. Our internal PIX has ACLs
> that limit the IP addresses that can be hit based on your static IP
> address, thereby limiting users to what they need internally. So
> far so good. 
> 
> Now some have complained that they don't like to have more than
> one logon screen. What they want to do is have people logon
> straight from the VPN to the AD domain via LDAP. 
> 
> I cringe at allowing someone past my external PIX into the
> concentrator and passing all the ports ( SMB, NetBIOS etc.)
> through my internal PIX. Logically the VPN concentrator is my only
> security device. 
> 
> Have you any ideas on how I can effectively give access without
> piping all the ports through my internal firewall? Have any of
> you ever run into this type of problem? Any help would be
> appreciated. 
> 
> Thanks

