[VPN] VPN client behind-thru firewall

Mark D Robinson mrobinso at fpkc.com
Tue Aug 12 13:23:03 EDT 2003


That's pretty much what I thought I might have to do. The users won't be happy because they won't be able to use their own machines, but better safe than sorry.

I just wanted to make sure that I wasn't being overly paranoid with this situation. Or to see if there was a better way to handle it. Thanks.

Mark

> Put your victim machines on a "DMZ" leg off the firewall. Allow the
> necessary access from that machine through your firewall. Arrange
> carefully controlled access to that machine from behind the firewall.
> 
> Carl
> 
>> -----Original Message-----
>> From: Mark D Robinson [mailto:mrobinso%fpkc.com at fwd.com] 
>> Sent: Monday, August 11, 2003 4:58 PM
>> To: vpn
>> Subject: [VPN] VPN client behind-thru firewall
>> 
>> 
>> I've looked through the archives, but didn't find anything on this.
>> 
>> Briefly, we've got a big client who has a database that they 
>> want us to be able to access remotely. The client sent us 
>> some VPN client software (Nortel Contivity client) along with 
>> a couple of RSA SecurID tokens. Things are designed to access 
>> a Citrix server via an IPSec tunnel using the supplied client 
>> software. They apparently want us to install the VPN client 
>> and Citrix client on PCs behind our firewall, after poking 
>> the appropriate holes (AH, ESP, IKE) in said firewall.
>> 
>> While using VPN client software this way is common for remote 
>> access from home or while travelling, I'm concerned about 
>> installing it on hosts inside our firewall. I'd have no 
>> control over the traffic that's flowing through the IPSec 
>> tunnel. Are these concerns justified? Do you have any 
>> suggestions on better ways to handle this? Thanks.
>> 
>> 
>> Mark
>> 
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>> 
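The DMZ arrangement Carl describes, written out as an nftables forward policy. This is an added illustration, not part of the original thread; the interface names, the addresses (documentation and private ranges), the admin subnet and the choice of RDP for inside-to-DMZ access are all assumptions, and NAT is left out.

```nftables
#!/usr/sbin/nft -f
# Added example. Every name and address below is an assumption.
define LAN_IF    = "lan0"         # internal network leg
define DMZ_IF    = "dmz0"         # DMZ leg holding the VPN client machine
define WAN_IF    = "wan0"         # Internet-facing leg
define VPN_HOST  = 10.99.0.10     # DMZ machine with the VPN and Citrix clients
define CLIENT_GW = 192.0.2.10     # client's VPN gateway (documentation address)
define ADMIN_NET = 10.0.5.0/28    # internal hosts allowed to reach the DMZ machine

table inet vpn_dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept

        # DMZ machine to the client's gateway: IKE, ESP and AH only.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $VPN_HOST ip daddr $CLIENT_GW \
            udp dport 500 accept
        iifname $DMZ_IF oifname $WAN_IF ip saddr $VPN_HOST ip daddr $CLIENT_GW \
            ip protocol { esp, ah } accept

        # Inbound ESP/AH from the gateway, matched explicitly rather than
        # relying on generic connection tracking for these protocols.
        iifname $WAN_IF oifname $DMZ_IF ip saddr $CLIENT_GW ip daddr $VPN_HOST \
            ip protocol { esp, ah } accept

        # Carefully controlled access from behind the firewall to the DMZ
        # machine: one service, from one small subnet.
        iifname $LAN_IF oifname $DMZ_IF ip saddr $ADMIN_NET ip daddr $VPN_HOST \
            tcp dport 3389 accept

        # The firewall cannot inspect what arrives inside the IPSec tunnel,
        # so the control point is here: the DMZ machine may never open a
        # connection toward the internal network. Log attempts for review.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan " drop
    }
}
```

The final rule is the one that addresses the original concern: traffic delivered through the tunnel terminates on the DMZ machine, and any new connection from there toward the internal network is logged and dropped.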


