ac130 - Posted November 6, 2008

We have a new application we are hosting internally on an AS/400 (all other servers are Win2k3 servers, including the DC) and we need to give our clients access to it so they can enter/edit data and upload files. The same application is also being used internally by our employees. The data involved is very sensitive; all connections must be encrypted.

Our first test client, also our biggest, insists on a site-to-site VPN. We have a PIX and, while I am not that familiar with VPNs, we can get a resource to create the VPN if we need to; the client has a PIX as well and they will handle the configuration on their end.

I'm very uneasy about creating a persistent VPN connection with another organization whose security practices and policies we don't control. We toyed with the idea of having them connect via Remote Desktop to one of our workstations and invoke the client app from there, but uploading and downloading data is clunky and slow. I feel we are opening our doors, and keeping them open, to people we don't know. Are my fears unfounded? Can we create the site-to-site VPN in such a way that it prohibits external users from exploring our network? What happens if they have a virus outbreak? What other ideas for connecting our clients can I explore?

Any thoughts and comments are appreciated. Thank you.
Philippe Gillet [CISSP-CISA-CISM] - Posted November 6, 2008

Hi,

Indeed it is the main problem with site-to-site VPN. This is often done in the context of a company with many offices in many countries. In that case, the security policy is the same for the company and they can control what is done with multiple access control software, logs, etc.
In your case, you give complete access to your LAN to the other company. Yes, you open the door, clearly!

You have 3 solutions:

--> You make an agreement where you state that they will be monitored, they will have to respect your security policy, etc. You can monitor their potential fraudulent activities with an IDS, for example, to be sure to detect viruses, hacking, etc. The main problem with that is the reaction time: you will act after the problem happens, not before.

--> You restrict their VPN and redirect them to a VLAN or isolated private LAN, and enforce an ACL that will only permit them to make file transfers and RDP, for example.

--> You don't make a site-to-site VPN. You allow them to use FTP + RDP + others if necessary (it's better to use sftp or scp...) to get the files, but you have to create a server with an FTP server or equivalent and make the port address translation on your PIX.

The choice is yours. (Don't choose the first if possible...)

+++

Excuse my bad English writing ;-(

"ac130" <ac130@discussions.microsoft.com> wrote in the discussion group message A1748EA6-5C3A-41C6-87B0-5CAF71F8CD01@microsoft.com:

> [...]
ac130 - Posted November 7, 2008

Philippe,

Thank you for taking the time to answer my questions. Your post validated my concerns about creating the site-to-site VPN to our client. We've actually discussed a scenario similar to your second suggestion and we're probably going to implement something similar.

Again, thanks for your input, and by the way, your English is perfectly fine.

"Philippe Gillet [CISSP-CISA-CISM]" wrote:

> [...]
Newell White - Posted November 7, 2008

"ac130" wrote:

> [...]

If you terminate the VPN connection in your PIX firewall then access is not necessarily wide open. You can configure the PIX to restrict the range of IP addresses in your LAN that the VPN connection can access. I forget the exact details, but I learnt this and implemented it when setting up 'split-tunnelling' in this context some years ago. A search on this term + 'Cisco Pix' should get you some info.

--
HTH,
Newell White
Philippe Gillet [CISSP-CISA-CISM] - Posted November 7, 2008

No problem. You are welcome.

"ac130" <ac130@discussions.microsoft.com> wrote in the discussion group message 1ACAA752-7F04-443F-B994-D8AE683AF900@microsoft.com:

> [...]
Anteaus - Posted November 9, 2008

This is true, though IP controls only limit the access to specific computers. They do not, for example, prevent an Administrator logon to your server with a leaked or brute-forced password from an authorised IP address. This I feel is one of the limitations of hardware VPNs: in most cases they offer no way to prevent unwanted or undesirable remote logons. With such a setup you need to be extremely vigilant over weak user passwords, particularly on privileged accounts, since it takes only one weak password out of many to negate the security of your LAN.

FTP, on the other hand, allows you to exercise control over what users can and cannot do remotely, in a way that SMB (file sharing) logons do not. Although less user-friendly than SMB sharing, it allows admins to sleep more easily.

"Newell White" wrote:

> If you terminate the VPN connection in your Pix firewall then access is not
> necessarily wide open.
> You can configure the Pix to restrict the range of IP addresses in your LAN
> that the VPN connection can access.
> I forget the exact details but I learnt this and implemented it when setting
> up 'split-tunnelling' in this context some years ago.
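Philippe's third option (a dedicated file-transfer server, preferably sftp/scp rather than FTP) and Anteaus's point that a transfer service lets you control what remote users can and cannot do, as an added example that is not from any poster in this thread: an OpenSSH sshd_config fragment that turns a partner account into an SFTP-only landing zone with no shell, no forwarding and no password logon. The group name partner-sftp, the directory /srv/sftp/<user> and the use of OpenSSH's internal-sftp subsystem are assumptions for the example, not something the thread specifies.

```text
# /etc/ssh/sshd_config fragment (added example; assumes OpenSSH with the
# internal-sftp subsystem, a Unix group "partner-sftp" and one root-owned
# directory per partner user under /srv/sftp; all of these are assumed names)

# Weak alternative this replaces: a plain FTP daemon (credentials and data in
# clear text) or an ordinary SSH account, which hands the partner a shell,
# TCP forwarding into the LAN and a view of the whole filesystem.

Subsystem sftp internal-sftp

Match Group partner-sftp
    # Jail the session. The chroot root /srv/sftp/<user> must be owned by
    # root and not group- or world-writable, or sshd refuses the login; give
    # the user a writable subdirectory (for example upload/) inside it.
    ChrootDirectory /srv/sftp/%u
    # Only the SFTP server can run, whatever command the client asks for;
    # -l INFO logs every file operation to syslog for review.
    ForceCommand internal-sftp -l INFO
    # No pivoting from the transfer host into the rest of the network.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
    # Keys only: the exposed service accepts no password, so a weak or shared
    # partner password cannot be guessed against it.
    PasswordAuthentication no
```

The Match block applies only to the partner group, so internal administrators keep their normal SSH access; publish the service to the partner through the PIX with a single port-address translation to this host, as Philippe describes, rather than through a tunnel into the LAN. Check the result with `sshd -t` before reloading, and confirm from the partner side that a shell request is refused and that directory listings above the chroot are impossible.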
S. Pidgorny - Posted November 10, 2008

G'day:

Philippe Gillet [CISSP-CISA-CISM] wrote:

> Hi,
>
> Indeed it is the main problem with Site to Site VPN. This is often done
> in the context of a company with many offices in many countries.
> In that case, the security policy is the same for the company and they
> can control what is done with multiple access control software, logs
> ,etc...
> In your case, you give a complete access to your LAN to the other
> company. Yes, you open the door, clearly !

Incorrect. One can apply firewall rules to the VPN traffic and limit incoming connections within the tunnel to those actually required for the particular partnership. In the case where the location of the connecting workstation in the partner organisation cannot be predicted, a site-to-site VPN is appropriate.

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp
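The restriction that Philippe's second option, Newell White and S. Pidgorny all describe (a tunnel that is up, but whose decrypted traffic is filtered down to the few hosts and ports the partnership needs), as an added example that is not from any poster in this thread: the weak default beside the corrected setting in PIX/ASA 7.x-style syntax. The partner network 192.0.2.0/24, the peer address 203.0.113.5, the isolated application host 10.1.50.10 and the object names PARTNER-* are assumptions for the example; the ISAKMP policy, transform set and crypto map that actually build the tunnel are not shown, and the thread does not say which PIX software version is in use.

```cisco
! Added example, not a configuration from the thread. Assumes PIX/ASA 7.x-style
! syntax; partner LAN 192.0.2.0/24, peer 203.0.113.5 and local host 10.1.50.10
! are assumed values.

! --- Weak: the default. Decrypted IPsec traffic bypasses the outside interface
! --- ACL entirely, so whatever the crypto map's "interesting traffic" ACL
! --- matches reaches the LAN unfiltered. This is the "open door" Philippe means.
sysopt connection permit-vpn

! --- Corrected: turn the bypass off and attach a per-tunnel filter.
no sysopt connection permit-vpn

! The vpn-filter ACL is written from the remote side's point of view:
! source = partner network, destination = your hosts. The appliance applies it
! in both directions, so nothing on your LAN can be reached except these flows.
access-list PARTNER-VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 host 10.1.50.10 eq 22
access-list PARTNER-VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 host 10.1.50.10 eq 3389
! Explicit deny with "log" so attempts to reach anything else (a scanning worm
! on the partner side, a curious user) show up in syslog instead of vanishing.
access-list PARTNER-VPN-FILTER extended deny ip any any log

! Bind the filter to the site-to-site tunnel through a group policy.
group-policy PARTNER-GP internal
group-policy PARTNER-GP attributes
 vpn-filter value PARTNER-VPN-FILTER

tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy PARTNER-GP
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key <placeholder, set a long random key>
```

Two caveats a practitioner would check. First, 10.1.50.10 should sit on its own VLAN or DMZ interface with its own interface ACL, as Philippe's second option suggests, so that even the permitted SFTP/RDP host cannot in turn reach the AS/400 network any more than the application requires. Second, as Anteaus notes, this filter only decides which hosts and ports are reachable; it does nothing about who logs on over port 3389, so the accounts on that host still need strong, unique passwords and lockout, and the `log` hits on the deny line should be reviewed. On older PIX 6.x code the equivalent bypass is `sysopt connection permit-ipsec`, and with it removed the filtering is done in the outside interface's access-list instead of a vpn-filter.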