Re: VPN question

From: Phillip Windell (_at_.)
Date: 02/13/04


Date: Fri, 13 Feb 2004 10:03:06 -0600

There is no more I can do with this. You have such an odd design and I have
no topology map for either the logical or physical topology and I cannot see
the system with my own eyes. If I worked there I suspect there would end up
being major design changes and I don't think I would have any hope of doing
anything with what you have and how you are trying to do this.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
"lill" <lillanita@hotmail.com> wrote in message
news:#rzwJAg8DHA.2416@TK2MSFTNGP10.phx.gbl...
> By tunneling traffic inside the internal network you do not have to open
> the internal firewalls for all kinds of traffic, only for VPN traffic
> (IKE, AH etc.). Not all firewalls run NAT, and firewalls inside the
> internal network are necessary to separate traffic in different security
> zones and inspect traffic between zones.
>
> -Lill-Anita
>
> "Phillip Windell" <@.> wrote in message
> news:uyE4e0L8DHA.1936@TK2MSFTNGP12.phx.gbl...
> > "lill" <lillanita@hotmail.com> wrote in message
> > news:#TQTcgH8DHA.2812@TK2MSFTNGP11.phx.gbl...
> > > But it is a fact that it might be interesting to use tunnels inside an
> > > internal network too.
> >
> > I know, but as an illustration, it might be interesting to drive a
> > motorcycle up and down the hallway in your house, but that is not what
> > it is designed for. There are so many ways out there to do this "right";
> > why do you want to spend so much time, effort, and creativity to do it
> > "wrong"?
> >
> > > In my case I would like to have a Remote Access VPN from the remote
> > > client to the server running RRAS/ISA in the perimeter network. In
> > > addition to that, I want to have a server-to-server (host-to-host) VPN
> > > tunnel from servers running RRAS inside the internal network and the
> > > RRAS/ISA server in the perimeter network. The traffic from the remote
> > > clients is inspected by the RRAS/ISA server before it is forwarded to
> > > the security zone (subnet), through a new tunnel, to get
> >
> > Sounds like a Back-to-back DMZ. You can't do what you think there
> > either. You have to run one Tunnel inside the other Tunnel to even get
> > across a B2B DMZ to begin with, and there is no way to "inspect" the
> > contents within the Tunnel.
> >
> > Read about B2B DMZs and VPN by searching with "DMZ" and "VPN" on
> > www.isaserver.org
> >
> > Your intent to do this with firewalls is just simply wrong. Firewalls
> > run NAT along with the rest of what they do,...you don't want NAT...this
> > is not suitable for what you want to do. You control the content of
> > internal traffic by using routers (not firewalls) and subnets,...that's
> > half the reason such things exist,...that is what they are for. Now if
> > you find a firewall on which you can disable NAT and have it work like a
> > router, then that would be fine. ISA won't work for the same reason,...it
> > does "proxying" (similar but different than NAT) and you don't want
> > anything "proxying" the requests between subnets in the private system;
> > it creates a "trusted" and "untrusted" subnet, and whichever subnet is
> > the lucky one to be considered "untrusted" gets cut off at the knees and
> > no longer functions as a LAN.
> >
> > > I do know that security in the LAN is one thing, and Remote Access
> > > VPNs another. But I do need both in my case, so what I am trying to
> > > define is a scenario where both security issues are defined. I also
> > > notice that
> >
> > Use Routers with ACLs between the subnets. You have not stated exactly
> > what kind of "unwanted" traffic you are wanting to "inspect" .....you
> > may be going through all this hassle for something that is really a
> > non-issue anyway....like for example, use a firewall to stop a virus
> > when that is not what stops viruses; AV software does that.
> >
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
>

