IPSec Site to Site

william.culver · ‎03-16-2011

I need to connect a partner site via IPSec Site to Site. I don't have any control over the other site, and have concerns about their security configurations (old O/S, limited, if any antivirus or patching, etc.). They have no server or internal DNS. They will need to access my DNS (Win2K8R2), SharePoint sites, and a few other internal sites. They are not part of my domain or their own domain. How can I restrict their access to only those areas on my side that they absolutely need without having to managing a complex ACL, and at the same time limit my exposure. I am planning on putting in a Windows NAP server, but that won't be an option for a while, and I need to get them connectivity very soon. Any thoughts would be appreciated.

Federico Coto Fajardo · ‎03-16-2011

Hi,

When you create a S2S IPsec VPN, all IP traffic is by default permitted to flow between both sites (networks defined as interesting traffic).

You can create the ACL to permit only the IPs and ports neccesary (but depending on the size of the scenario could be a long or complex ACL).

There are other features that enhance security, for example:

Users can be required to authenticate before accessing any resources on your LAN.

This can be done with an external Radius server.

Besides authentication, authorization can be implemented so that users are validated and only allowed certain permissions.

A lot depends on what you have and can/cannot do.

Hope it helps.

Federico.