From owner-freebsd-security Wed Apr 12 14:44:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from almazs.pacex.net (dns1.pacex.net [209.189.111.246]) by hub.freebsd.org (Postfix) with ESMTP id 28AFF37B6B6 for ; Wed, 12 Apr 2000 14:44:18 -0700 (PDT) (envelope-from admin@pacex.net)
Received: from almazs.pacex.net (almazs.pacex.net [209.189.111.246]) by almazs.pacex.net (8.9.3/8.9.3) with ESMTP id OAA61438 for ; Wed, 12 Apr 2000 14:44:18 -0700 (PDT)
Date: Wed, 12 Apr 2000 14:44:18 -0700 (PDT)
From: net admin
To: FreeBSD-security@FreeBSD.org
Subject: VPN and Firewall security implementation
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Folks;

I am posting this question with the full understanding of the posting guidelines for this list, and according to the list charters I think my question qualifies as a security technical issue. If I am wrong I apologize.

We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a LAN behind a Cisco IOS firewall/router setup, with some servers running ipfw for added security. Some of our corporate dialup clients are using various VPN implementations to dial to corporate networks through our network (some use MS VPN stuff and some use proprietary remote access S/W).

The problem we're having is that configuring our firewalls for mail/DNS/HTTP/RADIUS allows users full access to those services but not remote access to corporate LANs, and we don't know what services to allow to accommodate the corp. customers because of the varied implementation of VPN stuff out there.

We are now considering redesigning our firewall to deny specific services (known security holes) and allow the rest. I know it is bad design policy but revenue is at stake here. What will be a sensible security-conscious solution to this kind of problem?

Thanks and sorry if I am being trivial.

Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
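The two firewall designs the post weighs (deny a short list of known-bad ports and allow the rest, versus allow only the named services) can be written side by side as ipfw rule generators. The script below is an added example for this archive entry, not something Dan or the FreeBSD project posted, and it targets the ipfw of the FreeBSD 3.x era (no keep-state, so the classic `established`/`setup` idiom carries TCP replies). Every concrete value is an assumption: the interface name `fxp0`, the 192.0.2.0/24 documentation addresses for the servers and the dialup pool, and the guess that the corporate VPNs are PPTP (the "MS VPN stuff": TCP 1723 plus GRE, IP protocol 47) or IPsec (IKE on UDP 500, then ESP protocol 50 and AH protocol 51). Proprietary remote-access products get a placeholder rule to be filled in from the vendor's documentation.

```sh
#!/bin/sh
# Added example, not part of the original post. Two ipfw rule generators for
# the design question above, for the ipfw shipped with FreeBSD 3.x. With FWCMD
# unset the script only prints the rules it would load; FWCMD=/sbin/ipfw loads
# them. Interface, addresses and VPN protocol families below are assumptions.

FWCMD="${FWCMD:-echo /sbin/ipfw}"     # dry run by default
OIF="${OIF:-fxp0}"                    # assumed outside (upstream) interface
INET="${INET:-192.0.2.0/24}"          # assumed public block (servers + dialup pool)
DIALUP="${DIALUP:-192.0.2.128/25}"    # assumed dialup address pool
MAIL="${MAIL:-192.0.2.10}"            # assumed server addresses
WWW="${WWW:-192.0.2.11}"
DNS="${DNS:-192.0.2.12}"
RADIUS="${RADIUS:-192.0.2.13}"

# The design the post is considering: default allow, deny a short list of
# known-bad ports. Anything the list does not name stays exposed, and the
# list has to be maintained by hand as new problems appear.
blacklist_rules() {
    ${FWCMD} add 100 deny tcp from any to ${INET} 111 in via ${OIF}    # portmap
    ${FWCMD} add 110 deny tcp from any to ${INET} 515 in via ${OIF}    # lpd
    ${FWCMD} add 120 deny udp from any to ${INET} 161 in via ${OIF}    # snmp
    ${FWCMD} add 65000 pass ip from any to any
}

# Default-deny alternative: name the public services *and* the VPN transport,
# so corporate dialup users keep working without opening everything else.
whitelist_rules() {
    # Replies to TCP connections that were set up from either side.
    ${FWCMD} add 100 pass tcp from any to any established
    # Public services, inbound only to the server that runs each of them.
    ${FWCMD} add 200 pass tcp from any to ${MAIL} 25 setup in via ${OIF}
    ${FWCMD} add 210 pass tcp from any to ${WWW} 80 setup in via ${OIF}
    ${FWCMD} add 220 pass udp from any to ${DNS} 53 in via ${OIF}
    ${FWCMD} add 221 pass tcp from any to ${DNS} 53 setup in via ${OIF}
    ${FWCMD} add 230 pass udp from any to ${RADIUS} 1812 in via ${OIF}   # auth
    ${FWCMD} add 231 pass udp from any to ${RADIUS} 1813 in via ${OIF}   # acct
    # Dialup customers may open outbound TCP (replies match rule 100) and
    # query outside DNS servers; other outbound UDP is left out here.
    ${FWCMD} add 300 pass tcp from ${DIALUP} to any setup out via ${OIF}
    ${FWCMD} add 310 pass udp from ${DIALUP} to any 53 out via ${OIF}
    ${FWCMD} add 311 pass udp from any 53 to ${DIALUP} in via ${OIF}
    # PPTP ("MS VPN stuff"): TCP 1723 control channel plus GRE (IP proto 47).
    ${FWCMD} add 400 pass tcp from ${DIALUP} to any 1723 setup out via ${OIF}
    ${FWCMD} add 410 pass gre from ${DIALUP} to any out via ${OIF}
    ${FWCMD} add 411 pass gre from any to ${DIALUP} in via ${OIF}
    # IPsec: IKE on UDP 500, then ESP (proto 50) and/or AH (proto 51).
    ${FWCMD} add 420 pass udp from ${DIALUP} to any 500 out via ${OIF}
    ${FWCMD} add 421 pass udp from any 500 to ${DIALUP} in via ${OIF}
    ${FWCMD} add 430 pass esp from ${DIALUP} to any out via ${OIF}
    ${FWCMD} add 431 pass esp from any to ${DIALUP} in via ${OIF}
    ${FWCMD} add 440 pass ah from ${DIALUP} to any out via ${OIF}
    ${FWCMD} add 441 pass ah from any to ${DIALUP} in via ${OIF}
    # Proprietary remote-access products: one rule pair per vendor port, taken
    # from the vendor's documentation (VENDOR_PORT is a placeholder, so it
    # stays commented out).
    # ${FWCMD} add 450 pass udp from ${DIALUP} to any VENDOR_PORT out via ${OIF}
    # ${FWCMD} add 451 pass udp from any VENDOR_PORT to ${DIALUP} in via ${OIF}
    # Everything else is dropped and logged (logging needs IPFIREWALL_VERBOSE
    # in the kernel configuration).
    ${FWCMD} add 65000 deny log ip from any to any
}

# Emit whichever policy is requested; the default-deny one is the default.
case "${1:-whitelist}" in
    blacklist) blacklist_rules ;;
    whitelist) whitelist_rules ;;
    *) echo "usage: $0 [blacklist|whitelist]" >&2; exit 64 ;;
esac
```

Running the script with no arguments prints the default-deny ruleset; `sh script.sh blacklist` prints the short-list version for comparison. The contrast worth noticing is the last rule of each function: the blacklist ends in `pass ip from any to any`, so every port the list forgot is reachable, while the whitelist ends in `deny log ip from any to any`, so a VPN product that does not work is diagnosed from the log and fixed by adding one explicit rule rather than by loosening the policy.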