Re: VPN question

From: lill (lillanita_at_hotmail.com)
Date: 02/13/04


Date: Fri, 13 Feb 2004 08:00:59 +0100

By tunneling traffic inside the internal network you do not have to open
the internal firewalls for all kinds of traffic, only for VPN traffic
(IKE, AH, etc.). Not all firewalls run NAT, and firewalls inside the
internal network are necessary to separate traffic in different security
zones and inspect traffic between zones.

-Lill-Anita

"Phillip Windell" <@.> wrote in message
news:uyE4e0L8DHA.1936@TK2MSFTNGP12.phx.gbl...
> "lill" <lillanita@hotmail.com> wrote in message
> news:#TQTcgH8DHA.2812@TK2MSFTNGP11.phx.gbl...
> > But it is a fact that it might be interesting to use tunnels inside an
> > internal network too.
>
> I know, but as an illustration, it might be interesting to drive a
> motorcycle up and down the hallway in your house, but that is not what it is
> designed for. There are so many ways out there to do this "right"; why do you
> want to spend so much time, effort, and creativity, to do it "wrong"?
>
> > In my case I would like to have a Remote Access VPN
> > from the remote client to the server running RRAS/ISA in the perimeter
> > network. In addition to that, I want to have a server-to-server
> > (host-to-host) VPN tunnel from servers running RRAS inside the internal
> > network and the RRAS/ISA server in the perimeter network. The traffic
> > from the remote clients is inspected by the RRAS/ISA server before it
> > is forwarded to the security zone (subnet), through a new tunnel, to get
>
> Sounds like a Back-to-back DMZ. You can't do what you think there either.
> You have to run one Tunnel inside the other Tunnel to even get across a B2B
> DMZ to begin with and there is no way to "inspect" the contents within the
> Tunnel.
>
> Read about B2B DMZs and VPN by searching with "DMZ" and "VPN" on
> www.isaserver.org
>
> Your intent to do this with firewalls is just simply wrong. Firewalls run
> NAT along with the rest of what they do,...you don't want NAT...this is not
> suitable for what you want to do. You control the content of internal
> traffic by using routers (not firewalls) and subnets,...that's half the
> reason such things exist,...that is what they are for. Now if you find a
> firewall that you can disable NAT and have it work like a router then that
> would be fine. ISA won't work for the same reason,...it does "proxying"
> (similar but different than NAT) and you don't want anything "proxying" the
> requests between subnets in the private system, it creates a "trusted" and
> "untrusted" subnet and whichever subnet is the lucky one to be considered
> "untrusted" gets cut off at the knees and no longer functions as a LAN.
>
> > I do know that security in the LAN is one thing, and Remote Access VPNs
> > another. But I do need both in my case, so what I am trying to define is
> > a scenario where both security issues are defined. I also notice that
>
> Use Routers with ACLs between the subnets. You have not stated exactly what
> kind of "unwanted" traffic you are wanting to "inspect" .....you may be
> going through all this hassle for something that is really a non-issue
> anyway....like for example, use a firewall to stop a virus when that is not
> what stops viruses, AV software does that.
>
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
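The internal-firewall policy Lill-Anita describes at the top of this post, opening the zone boundary only for the VPN protocols, as an added example that is not part of the original thread. It is an nftables ruleset for a Linux firewall sitting between the perimeter network and one internal security zone (the thread's RRAS/ISA hosts are Windows; this only illustrates the same policy on a generic filtering box), admitting IKE (UDP 500), IKE/ESP NAT-traversal (UDP 4500), ESP and AH solely between the perimeter VPN gateway and the zone's own VPN endpoint, and dropping everything else, so application traffic can reach the zone only inside the host-to-host tunnel. The addresses 192.0.2.10 and 198.51.100.20, the table name and the `decide` helper (a shell mirror of the ruleset used to check the policy without loading it) are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits an nftables ruleset
# for the firewall between the perimeter network and an internal security zone
# that admits only IKE/NAT-T/ESP/AH between the two VPN gateways, and provides
# a small evaluator mirroring the same rules for offline policy checks.
set -eu

PERIMETER_GW="${PERIMETER_GW:-192.0.2.10}"    # hypothetical RRAS/ISA server in the perimeter network
ZONE_GW="${ZONE_GW:-198.51.100.20}"           # hypothetical RRAS server inside the security zone

# vpn_only_ruleset <perimeter-gw> <zone-gw>: print an nft -f ruleset for the
# zone firewall's forward path. Default policy is drop; only the VPN control
# and data protocols are accepted, and only between the two named gateways.
vpn_only_ruleset() {
    perim="$1"
    zone="$2"
    cat <<EOF
table inet zonefw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # IKE (UDP 500) and IKE/ESP NAT-traversal (UDP 4500), gateways only
        ip saddr $perim ip daddr $zone udp dport { 500, 4500 } accept
        ip saddr $zone ip daddr $perim udp dport { 500, 4500 } accept

        # ESP (protocol 50) and AH (protocol 51), gateways only
        ip saddr $perim ip daddr $zone ip protocol { esp, ah } accept
        ip saddr $zone ip daddr $perim ip protocol { esp, ah } accept

        # Anything else crossing the zone boundary is logged and dropped;
        # application traffic reaches the zone only inside the tunnel.
        log prefix "zonefw-drop " drop
    }
}
EOF
}

# decide <src> <dst> <proto> [<dport>]: print what the ruleset above does with
# the first packet of a new flow ("accept" or "drop"). proto is udp, tcp, esp
# or ah; dport is only meaningful for udp/tcp.
decide() {
    src="$1"
    dst="$2"
    proto="$3"
    dport="${4:-}"
    between_gateways=0
    if { [ "$src" = "$PERIMETER_GW" ] && [ "$dst" = "$ZONE_GW" ]; } ||
       { [ "$src" = "$ZONE_GW" ] && [ "$dst" = "$PERIMETER_GW" ]; }; then
        between_gateways=1
    fi
    if [ "$between_gateways" -eq 1 ]; then
        case "$proto" in
            udp)
                case "$dport" in
                    500|4500) echo accept; return 0 ;;
                esac
                ;;
            esp|ah) echo accept; return 0 ;;
        esac
    fi
    echo drop
}

# Invoked as a script with --print, write the ruleset to stdout so it can be
# saved and syntax-checked with:  nft -c -f zonefw.nft
if [ "${1:-}" = "--print" ]; then
    vpn_only_ruleset "$PERIMETER_GW" "$ZONE_GW"
fi
```

Save the printed ruleset and check it with `nft -c -f zonefw.nft` before loading it with `nft -f`. Note that the evaluator deliberately returns `drop` for IKE from any host other than the perimeter gateway: a remote client that somehow reached the perimeter network directly still cannot negotiate its own tunnel into the zone, which is the point of terminating the remote-access VPN on the RRAS/ISA server first.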


