[VPN] VPN client behind-thru firewall
Mark D Robinson
mrobinso at fpkc.com
Tue Aug 12 13:23:03 EDT 2003
That's pretty much what I thought I might have to do. The users won't be happy because they won't be able to use their own machines, but better safe than sorry.
I just wanted to make sure that I wasn't being overly paranoid with this situation. Or to see if there was a better way to handle it. Thanks.
Mark
> Put your victim machines on a "DMZ" leg off the firewall. Allow the
> necessary access from that machine through your firewall. Arrange
> carefully controlled access to that machine from behind the firewall.
>
> Carl
>
>> -----Original Message-----
>> From: Mark D Robinson [mailto:mrobinso%fpkc.com at fwd.com]
>> Sent: Monday, August 11, 2003 4:58 PM
>> To: vpn
>> Subject: [VPN] VPN client behind-thru firewall
>>
>>
>> I've looked through the archives, but didn't find anything on this.
>>
>> Briefly, we've got a big client who has a database that they
>> want us to be able to access remotely. The client sent us
>> some VPN client software (Nortel Contivity client) along with
>> a couple of RSA SecurID tokens. Things are designed to access
>> a Citrix server via an IPSec tunnel using the supplied client
>> software. They apparently want us to install the VPN client
>> and Citrix client on PCs behind our firewall, after poking
>> the appropriate holes (AH, ESP, IKE) in said firewall.
>>
>> While using VPN client software this way is common for remote
>> access from home or while travelling, I'm concerned about
>> installing it on hosts inside our firewall. I'd have no
>> control over the traffic that's flowing through the IPSec
>> tunnel. Are these concerns justified? Do you have any
>> suggestions on better ways to handle this? Thanks.
>>
>>
>> Mark
>>
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>>
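
The DMZ arrangement Carl describes, sketched as an nftables forward policy for the firewall. This is an added example, not part of the original thread; the interface names, addresses and the remote-desktop port used for the "carefully controlled access" are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: all names and addresses below are constructed.
define wan_if   = "eth0"          # assumed: Internet-facing interface
define lan_if   = "eth1"          # assumed: internal LAN
define dmz_if   = "eth2"          # assumed: DMZ leg
define vpn_host = 192.0.2.10      # assumed: DMZ PC with the VPN and Citrix clients
define peer_gw  = 198.51.100.1    # placeholder: the client's VPN gateway
define lan_net  = 10.0.0.0/24     # assumed: internal user subnet

table inet vpn_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that a rule below already allowed.
        ct state established,related accept

        # DMZ host <-> the client's gateway only: IKE (UDP 500), ESP, AH.
        # The Citrix session rides inside the tunnel, so it needs no rule here.
        iifname $dmz_if oifname $wan_if ip saddr $vpn_host ip daddr $peer_gw udp dport 500 accept
        iifname $dmz_if oifname $wan_if ip saddr $vpn_host ip daddr $peer_gw ip protocol { esp, ah } accept
        iifname $wan_if oifname $dmz_if ip saddr $peer_gw ip daddr $vpn_host udp dport 500 accept
        iifname $wan_if oifname $dmz_if ip saddr $peer_gw ip daddr $vpn_host ip protocol { esp, ah } accept

        # Users reach the DMZ host from the LAN over one service only
        # (remote desktop on TCP 3389 is an assumed choice).
        iifname $lan_if oifname $dmz_if ip saddr $lan_net ip daddr $vpn_host tcp dport 3389 ct state new accept

        # Whatever arrives through the tunnel ends up on the DMZ host, so that
        # host must never open a connection into the LAN. Log every attempt.
        iifname $dmz_if oifname $lan_if log prefix "dmz-to-lan " drop
    }
}
```

The firewall cannot inspect what flows inside the tunnel, so the control that matters is the last rule: the tunnel endpoint is treated as untrusted and its attempts to reach the LAN are dropped and logged.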