
Re: [fw-wiz] incoming NAT/PATs for VPN users

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] incoming NAT/PATs for VPN users
From: Dave Piscitello <dave@corecom.com>
Date: Mon, 12 Feb 2007 10:01:35 -0500
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.icsalabs.com
In-reply-to: <3c4611bc0702091350y41baaf8dwfe932f74ed612b0e@mail.gmail.com>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
Organization: Core Competence
References: <3c4611bc0702091350y41baaf8dwfe932f74ed612b0e@mail.gmail.com>
Reply-to: dave@corecom.com, Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
User-agent: Thunderbird 1.5.0.9 (Windows/20061207)

I find it's much easier to design solutions for this kind of requirement at the user rather than network/host level.

We designed SSL VPNs to handle this kind of requirement for companies as large as DuPont and as small as 250 employees. Essentially our clients wanted a per-object authorization (e.g., a web page, a file share) and they wanted to create groups (employees within a partner company, supply chain providers, customers) that are authorized to access this object (or set of objects). Most SSL VPN products we've used and recommended allow different authentication methods for user groups, so you can have 2-factor for employees, UIPW for supply chain or customers, etc.

Brian Loe wrote:
> Let's say company A has a customer, company B. Company A needs to
> provide access to several (let's say many) resources within its network
> to a thousand or so employees at company B. Seems to me that you could
> simply PAT all of company B's connections when they arrive and the
> magic of networking should get them routed to the resources you've
> allowed them and back without any problem. Is there something I'm
> missing here?
>
> Is an incoming PAT not available on, for instance, an ASA? What about
> a PIX at 6.x or 7.x? What about incoming NAT pools for over a thousand
> possible users? Anything change if they're physically coming in on a
> DMZ port as opposed to the outside port - and needing access to
> resources in another, lower DMZ port (don't ask why a VPN customer
> would be trusted more than company A's web servers, that's just how it
> is in this virtual company)?
>
> I know we're not alone in providing VPN access to customers but I'm
> virtually convinced everyone else is doing it better. I'm just hunting
> real world examples of the "right way" of doing it.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Attachment: dave.vcf
Description: Vcard

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
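The contrast the reply draws, authorizing at the user/group level per object rather than by the (translated) source address, as an added example that is not code from the thread or from any SSL VPN product. Every user, group, object and address below is constructed; the authentication-strength ordering and the rule that access is granted through a group whose authentication requirement the session meets are assumptions of this example, not something the thread specifies.

```python
# Added example (not from the mailing-list thread): a minimal per-object,
# per-group authorization check beside a network-level rule keyed on the
# translated source address. All names and addresses are constructed.

AUTH_STRENGTH = {"password": 1, "two-factor": 2}  # constructed ordering (assumption)


class AccessPolicy:
    def __init__(self, group_min_auth, object_groups, user_groups):
        self.group_min_auth = group_min_auth  # group -> weakest acceptable auth method
        self.object_groups = object_groups    # object -> groups allowed to reach it
        self.user_groups = user_groups        # user -> groups the user belongs to

    def authorize(self, user, auth_method, obj):
        """Decide one (user, session auth method, object) request.

        Returns (allowed, reason). Access is granted through a group that is
        both authorized for the object and whose authentication requirement
        the current session satisfies (assumed rule).
        """
        groups = self.user_groups.get(user, set())
        if not groups:
            return False, "unknown user"
        candidates = groups & self.object_groups.get(obj, set())
        if not candidates:
            return False, f"no group of {user} is authorized for {obj}"
        have = AUTH_STRENGTH.get(auth_method, 0)
        for group in sorted(candidates):
            if have >= AUTH_STRENGTH[self.group_min_auth[group]]:
                return True, f"granted via group {group}"
        return False, f"session authenticated with {auth_method}, which is too weak for {obj}"


def address_rule_allows(src_ip, obj, address_acl):
    """Network-level check: every session behind one translated address is treated alike."""
    return obj in address_acl.get(src_ip, set())


# Constructed policy: employees need two-factor, customers may use a password.
POLICY = AccessPolicy(
    group_min_auth={"employees": "two-factor", "customers": "password"},
    object_groups={
        "share://orders": {"employees", "customers"},
        "https://intranet/hr": {"employees"},
    },
    user_groups={
        "alice@company-b.example": {"customers"},
        "bob@company-a.example": {"employees"},
    },
)

# Constructed: after PAT, all of company B's sessions arrive from one address,
# so an address-keyed rule can only grant one set of resources to all of them.
ADDRESS_ACL = {"203.0.113.10": {"share://orders", "https://intranet/hr"}}


def compare(user, auth_method, obj, src_ip="203.0.113.10"):
    """Return both decisions for the same request so they can be compared."""
    return {
        "address_rule": address_rule_allows(src_ip, obj, ADDRESS_ACL),
        "user_policy": POLICY.authorize(user, auth_method, obj)[0],
    }


if __name__ == "__main__":
    requests = [
        ("alice@company-b.example", "password", "share://orders"),
        ("alice@company-b.example", "password", "https://intranet/hr"),
        ("bob@company-a.example", "password", "https://intranet/hr"),
        ("bob@company-a.example", "two-factor", "https://intranet/hr"),
    ]
    for req in requests:
        print(req, compare(*req), POLICY.authorize(*req)[1])
```

Running the block shows the address rule granting the HR page to the customer user simply because she shares the translated address, while the user-level policy denies it and separately refuses the employee's password-only session until two-factor is used.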
