Date: Thu, 13 Apr 2000 10:16:00 -0500 (CDT)
From: Visigoth <visigoth@telemere.net>
To: net admin <admin@pacex.net>
Cc: FreeBSD-security@FreeBSD.org
Subject: Re: VPN and Firewall security implementation
Message-ID: <Pine.BSF.4.21.0004131005290.33115-100000@shell.telemere.net>
In-Reply-To: <Pine.BSF.4.10.10004121423290.61373-100000@almazs.pacex.net>
On Wed, 12 Apr 2000, net admin wrote:

> Hi Folks;
> I am posting this question with the full understanding of the posting
> guidelines for this list and according to the list charters I think my
> question qualifies as a security technical issue. If I am wrong I
> apologize.
> We have FreeBSD-3.3-STABLE mail/HTTP/DNS/RADIUS servers on a LAN behind a
> Cisco IOS firewall/router setup, with some servers running ipfw
> for added security.
> Some of our corporate dialup clients are using various VPN implementations
> to dial to corporate networks through our network (some use MS VPN stuff
> and some use proprietary remote access S/W).

How many different pieces of software are you talking about? If it isn't
more than a few, and you would like to maintain the rampant paranoia of
default deny (my personal fav), maybe try doing a little tcpdump and other
homework to see exactly what they need. I understand that this is probably
unreasonable if you are talking like 50 kinds of software (unless they all
comply to some standard).

> The problem we're having is that configuring our firewalls for
> mail/DNS/HTTP/RADIUS allows users full access to those services but not
> remote access to corporate LANs, and we don't know what services to allow
> to accommodate the corp. customer because of the varied implementations of
> VPN stuff out there. We are now considering redesigning our firewall to
> deny specific services (known security holes) and allow the rest. I know
> it is bad design policy but revenue is at stake here.

If your network is going to be very dynamic and have lots of different
software being used for VPN, this may end up being your only solution.
Many ISPs have some of the same issues, and most of the ones that I have
seen deal with it this second way, but I would recommend doing a system
audit on each of your servers to find out what it has open, and maybe even
implementing software firewalls for each box... ;)

This also sort of depends if the firewall is intended to protect your
machines, or the machines of your clients (which you can't secure
yourself)...

> What will be a
> sensible security conscious solution to this kind of problem.
>
> Thanks and sorry if I am being trivial.

I don't think this issue is trivial at all..

Visigoth

Damieon Stark
Sr. Unix Systems Administrator
visigoth@telemere.net
 ____________________________________________________________________________
| - M$ Win 2K was built for the internet.                                    |
| - Unix _BUILT_ the internet.                                               |
| FreeBSD - The POWER to serve        | http://www.freebsd.org  your call... |
| How do I set this laser printer to stun?                                   |
 ----------------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
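The "tcpdump homework" Visigoth suggests, and the default-deny ruleset it feeds, can be made concrete. The script below is an added example written for this archive page; it is not code from either poster or from the FreeBSD project. It reads tcpdump's classic one-line text output (the capture lines are constructed, not a real trace, and the two regular expressions assume that classic format), tallies which protocols and destination ports the dialup clients actually use, and turns the tally into ipfw "allow" rules that an administrator can review before placing them ahead of the existing default-deny rule. It goes a little beyond the thread in that it handles port-less IP protocols (GRE, ESP, AH, ICMP) as well as TCP/UDP, since the MS VPN software mentioned (PPTP) needs GRE and IPsec-based products need ESP or AH.

```python
import re
from collections import Counter

# Constructed sample in the classic tcpdump text format (not a real capture).
# It mixes the kinds of VPN traffic the thread is about: PPTP (TCP 1723 plus
# GRE) and IPsec (ISAKMP on UDP 500 plus ESP), with one ordinary SMTP packet.
SAMPLE_TCPDUMP = """\
10:16:00.123456 10.1.2.3.1034 > 192.0.2.10.1723: S 12345:12345(0) win 8192 <mss 1460> (DF)
10:16:00.234567 10.1.2.3 > 192.0.2.10: gre-proto-0x880b
10:16:00.345678 10.1.2.3.1034 > 192.0.2.10.1723: . ack 1 win 8760 (DF)
10:16:01.000000 10.1.2.4.500 > 192.0.2.20.500: udp 228
10:16:01.100000 10.1.2.4 > 192.0.2.20: ESP(spi=0x0000a1b2,seq=0x1)
10:16:02.000000 10.1.2.5.1122 > 192.0.2.30.25: S 99:99(0) win 8192 (DF)
"""

# Lines with a port on both ends are TCP or UDP.
PORTED = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
# Lines with bare addresses are other IP protocols (GRE, ESP, AH, ICMP, ...).
RAW_IP = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): (\S+)")


def classify(line):
    """Map one tcpdump line to (protocol, destination port or None); None if unparsed."""
    m = PORTED.match(line)
    if m:
        proto = "udp" if m.group(5).startswith("udp") else "tcp"
        return (proto, int(m.group(4)))
    m = RAW_IP.match(line)
    if m:
        # tcpdump prints e.g. "gre-proto-0x880b", "ESP(spi=...)", "icmp:";
        # keep only the leading protocol name, which is what ipfw expects.
        name = re.split(r"[^a-z0-9]", m.group(3).lower())[0]
        return (name, None) if name else None
    return None


def summarize(text):
    """Count packets per (protocol, destination port) across a capture."""
    counts = Counter()
    for line in text.splitlines():
        key = classify(line)
        if key is not None:
            counts[key] += 1
    return counts


def ipfw_rules(counts, start=1000, step=10):
    """Turn the observed (protocol, port) pairs into ipfw 'allow' rules.

    The caller keeps the default-deny rule at the end of the ruleset; nothing
    here opens a protocol or port that did not appear in the capture.
    """
    rules = []
    num = start
    for proto, dport in sorted(counts, key=lambda k: (k[0], k[1] or 0)):
        target = "any" if dport is None else f"any {dport}"
        rules.append(f"add {num} allow {proto} from any to {target}")
        num += step
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_TCPDUMP)
    for key, n in sorted(counts.items(), key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        print(f"{n:4d}  {key[0]} {'' if key[1] is None else key[1]}")
    print("\n".join(ipfw_rules(counts)))
```

Run it against a real capture with `tcpdump -n -l | python3 script.py`-style piping (replace SAMPLE_TCPDUMP with sys.stdin.read()) over a day or two of dialup traffic, then read the rules before loading them: the generated rules say "from any" because the dialup pool's prefix is not given in the thread, and in practice you would restrict the source to that pool, add `setup` to the TCP rules with a matching established-connections rule, and keep a logging deny as the last rule so anything the capture missed shows up in the log rather than silently breaking a customer.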