Extranet VPN security

paddyxdoyle
Level 6

Hi,

Can someone help me out with the best way to secure an extranet VPN?

It's basically to give 3rd party companies access to support and troubleshoot some of our systems.

I can envisage two VPN scenarios:

Company A, which has a VPN gateway, so a static site-to-site VPN needs to be set up

Company B, with no VPN gateway, so a dynamic VPN needs to be set up with some kind of VPN client

I have configured static IPsec router-to-router VPNs before, where security was not a major implication, as all sites were under our management and we were using private circuits.

To start with we are going to use a spare 3640 router running the IPsec 3DES feature set, and we have an ACS server for AAA.

So far I have come up with:

1. access-lists on the external interface of the router permitting ISAKMP and ESP to/from the remote VPN gateway's IP address.

2. access-lists on the internal interface permitting access to certain areas of our network to/from the actual source addresses using certain protocols.

3. Individual shared secret keys; this is possible as the usage of the static VPNs won't be on a large scale.

4. Lock down the router using normal methods.

Other than this, I can't see any other method of security from a router perspective and would be grateful if someone can confirm or make some suggestions.

Also, is there any way of logging VPN access to an AAA server using static site-to-site VPNs? I know you can use Xauth for this, however I am not too sure what part Xauth can play in a static VPN.

Thanks

Paddy
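A worked configuration for the static site-to-site case (Company A), as an added example that is not part of the thread or of the poster's own configuration. It assumes Cisco IOS on the 3640, that the 3640 carries only the extranet tunnels (so nothing else needs to pass its outside interface), and the following made-up values: our outside address 203.0.113.1 on FastEthernet0/0, Company A's gateway 198.51.100.7, the systems they support in 10.11.20.0/24 behind FastEthernet0/1, their support workstations in 192.0.2.0/28, the ACS server at 10.11.20.10, and SSH/RDP as the protocols they need. The four numbered points from the post are marked in the comments, and the `no-xauth` keyword answers the Xauth question: Xauth authenticates remote-access users, so a static gateway peer is exempted from it rather than logged through it.

```cisco
! Added example, not from the thread: Cisco IOS site-to-site IPsec on the 3640
! for "Company A", implementing the four points from the post.
! Assumed (documentation) addresses: our outside 203.0.113.1, Company A's
! gateway 198.51.100.7, our supported hosts 10.11.20.0/24, Company A's
! support workstations 192.0.2.0/28, ACS server 10.11.20.10.
!
hostname EXTRANET-RTR
ip domain-name example.com
! (run "crypto key generate rsa" once in exec mode so SSH can be enabled below)
!
! Point 3: one pre-shared key per peer, bound to that peer's address only.
! "no-xauth" marks this peer as a gateway: Xauth is a user-authentication
! step for remote-access clients, so a static peer must be exempted from it
! if Xauth is later enabled on this crypto map for the "Company B" case.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <COMPANY-A-PSK> address 198.51.100.7 no-xauth
!
crypto ipsec transform-set VPN-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto ACL: only traffic between the two support ranges is tunnelled
ip access-list extended CRYPTO-COMPANY-A
 permit ip 10.11.20.0 0.0.0.255 192.0.2.0 0.0.0.15
!
crypto map EXTRANET 10 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set VPN-3DES-SHA
 set pfs group2
 match address CRYPTO-COMPANY-A
!
! Point 1: outside ACL admits only ISAKMP and ESP from the known peer;
! the deny with "log" makes anything else show up in syslog
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.7 host 203.0.113.1 eq isakmp
 permit esp host 198.51.100.7 host 203.0.113.1
 deny   ip any any log
!
! Point 2: inside ACL limits decrypted traffic to the supported hosts and
! to the protocols the 3rd party needs (assumed here: SSH and RDP)
ip access-list extended INSIDE-OUT
 permit tcp 192.0.2.0 0.0.0.15 10.11.20.0 0.0.0.255 eq 22
 permit tcp 192.0.2.0 0.0.0.15 10.11.20.0 0.0.0.255 eq 3389
 deny   ip 192.0.2.0 0.0.0.15 any log
 permit ip any any
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 no cdp enable
 crypto map EXTRANET
!
interface FastEthernet0/1
 description Inside
 ip address 10.11.20.254 255.255.255.0
 ip access-group INSIDE-OUT out
!
! Point 4: lockdown, with management authenticated and accounted on the ACS
service password-encryption
no ip http server
no service tcp-small-servers
no service udp-small-servers
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.11.20.10 key <ACS-KEY>
ip access-list standard MGMT
 permit 10.11.20.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
!
! Site-to-site peers are not users, so there is no per-session AAA record;
! syslog of SA events and the ACL deny hits is the audit trail instead
logging host 10.11.20.10
logging trap informational
```

Verify with `show crypto isakmp sa`, `show crypto ipsec sa` and `show access-lists`: the deny lines should show hits only for traffic you expect to be rejected. Some IOS releases evaluate the inbound interface ACL a second time on the decrypted packet, which appears as unexpected hits on the `OUTSIDE-IN` deny line for the tunnel's inner addresses; check the counters on the release actually running on the 3640 before going live.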

2 Replies

d-garnett
Level 3

First off make sure your policy and contract with them are tight.

LAN2LAN VPN

As far as Router to Router, that's about all I can think of (especially if the internal clients get IP addresses via DHCP) although I'd leverage an open source network monitoring application such as NTOP http://www.ntop.org/ntop.html to keep abreast of all the traffic "flowing through" your network. That LAN to LAN setup with a 3rd party may not sit well with you in the long term. If you go this route make sure your security policy/strategy accounts for Viruses, Worms, and legal actions. If not you may be in for headaches if and when something goes bad.

______________________________________________

Remote Access VPN

Personally, I would prefer for them to use Cisco VPN Client if I were in your shoes because of the Centralized Accountability (AAA) factor. Also if there are going to be more than a few employees of the outside company accessing the internal computers, I'd look into Digital Certificates for authentication.

_________________________________________________

PC Remote Control Applications and NAT

If you do not have a large number of machines that need to be accessed and they all have static IP Addresses, you can do the following (at least this is how I have handled this in the past)...

Make the outside company use an Application such as RemoteAdministrator2.2 (uses AES encryption) Client and install the Server portion on your systems to be accessed. http://www.famatech.com/radmin/

Configure Port Redirection on your VPN Gateway

(i.e., YOUR-GLOBAL-IP:11201 = 10.11.20.1:xxxxx)

where xxxxx=whatever port you make RAdmin Server listen on.

Lock these ports down to be accessed only from the 3rd party's IP Address.

The beauty of RAdmin is that all attempts can be logged on the PC that is being accessed, to Windows Event Viewer or a text file. Plus all the traffic is encrypted with AES.

Plus this way you would not need to use the 3600 Router

________________________________________________

PC Remote Control Applications and Remote Access VPN

You could also use the Remote Access VPN method together with RAdmin, skip the Port Redirection aspect and have the computers accessed via your internal DNS instead of IP Address. This means every user that logs in is (A) logged by Cisco AAA Server and (B) logged by the actual PC that is accessed.
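The port-redirection variant from the reply above, as an added example that is not part of the thread, written for a Cisco IOS gateway since the reply leaves the gateway model open. It is a stand-alone configuration for the gateway on its own, as the reply describes (no separate 3600 router). Assumed values: outside address 203.0.113.1 on FastEthernet0/0, the RAdmin server 10.11.20.1 from the reply listening on 4899 (RAdmin's default port; any port the server is set to works in its place), external port 11201 as in the reply, the 3rd party's fixed source address 198.51.100.7 (made up), and a syslog host at 10.11.20.10.

```cisco
! Added example, not from the thread: the reply's "port redirection on the VPN
! gateway" on a Cisco IOS router.
! Assumed values: outside 203.0.113.1 on FastEthernet0/0, RAdmin server
! 10.11.20.1 listening on 4899 (RAdmin's default), external port 11201 as in
! the reply, the 3rd party's fixed source 198.51.100.7, syslog host 10.11.20.10.
!
! Static translation: YOUR-GLOBAL-IP:11201 -> 10.11.20.1:4899, TCP only
ip nat inside source static tcp 10.11.20.1 4899 203.0.113.1 11201 extendable
!
! Only the 3rd party's address may reach the redirected port. The ACL is
! evaluated before the translation, so it matches the public address and
! port, not 10.11.20.1. Everything else inbound is dropped and logged, so a
! probe of 11201 from anywhere else shows up in syslog.
ip access-list extended OUTSIDE-IN
 permit tcp host 198.51.100.7 host 203.0.113.1 eq 11201
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description Inside
 ip address 10.11.20.254 255.255.255.0
 ip nat inside
!
logging host 10.11.20.10
logging trap informational
```

`show ip nat translations` lists the static entry, and `show access-lists` shows whether anything other than the 3rd party's address is hitting the deny line. On a PIX such as the 506E asked about below, the same pair is expressed as a `static (inside,outside) tcp ...` translation plus an `access-list` applied with `access-group` on the outside interface; the two-part structure (translation, then a source-restricted permit on the public port) is the same.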

Hello,

Can you elaborate on just how to Configure Port Redirection on your VPN Gateway (specifically) PIX 506E? I am a newbie.

We use Radmin and right now I can VPN in to the private network and the VPN connection is established just fine. However, when I try to establish a Radmin connection to another LAN, nothing.

Thanks in advance