Hi folks,
Summary
Is it possible to filter what traffic can go through a VPN, controlled by the sysadmins in the outbound (source) network, not the inbound (destination) network's sysadmins?
Details
I'm currently working onsite at a client. They are a large company with a strict internet/intranet policy. To access my own computer/dev servers, I need to VPN to my own work network, and then access the servers accordingly. Nothing too hard there.
BUT, at this client, they are very, very restrictive over what ports can be opened up outbound. VPN is not one of them. So after a few discussions, it seems they will open up VPN, provided they can control what ports will be allowed over the VPN tunnel.
Now, I know I can port block on our own VPN, but that sets this up from OUR own side. The client I'm at doesn't like this, because even though we might pass the test today, they said that tomorrow we can suddenly relax/change the port filters and now break their security policy.
So, is it possible that the client I'm working at can configure their network so that when I request to make a VPN connection to my static VPN server IP, they allow that connection AND only allow certain ports to be opened?
I'm under the impression that this won't work because all port traffic gets tunnelled through the single VPN connection, which is encrypted, so the client I'm working at has no way to interrogate the traffic I'm trying to pass through?
I hope I'm wrong :)
Can anyone help, here?
- 
Firstly, you could ask them to open up SSH and create tunnels through this for whatever port you want. Secondly, how do you propose to set up the VPN? If they create the VPN on their firewall they can limit the interesting traffic to whatever they want. They can also set up ACLs on this VPN. Also, at the end of the day, if you are working on their network locally, how come they will not allow you to access your dev environment? It sounds counterproductive :)

Pure.Krome: @James: hi :) Sorry, but I don't understand what you mean. So with SSH, who sets this up? The destination network, or the place I'm co-located at (the source network)? I have no idea what an SSH tunnel is (well, I sort of do, but let's assume I don't, because this post confused me). Secondly, I also don't understand what you mean with your VPN statement. Currently, VPN is set up; my company did that. Now of course my company can create restrictions and ACLs, but that is not the issue. It's the place where I am that wants to control that.

James: OK, first things first; I assume that for the VPN you are talking about, you are using a client on your local machine to connect back into your company. What I mean is that you use their (your client's) infrastructure to set up the VPN, for example from their firewall to your company. That way your client can set the rules of the firewall. Second, an SSH tunnel is a bit more complicated, and if you don't understand it, it is probably not the best choice for you. Maybe ask some Unix heads in your company. J

From James
- 
You don't mention what VPN technology you use or what initiates the VPN connection. I am assuming you are initiating the VPN from your desktop system? What I propose is that you add a second network to your desktop, and then you set up a broadband router to create the VPN to your personal network, instead of initiating the VPN from your desktop. Then you can give control of the device that initiates the VPN to them. They can adjust the firewall policy of the VPN access device to conform with whatever rules they need. This would allow them the control they want, but it does to a certain extent compromise your network, if you cannot trust them not to allow anyone else to connect to the device creating the VPN.

Pure.Krome: Our VPN server (I think) is a Windows box server. I'm on a Mac (and I've done this on a PC, at home): a simple PPTP VPN connection, real real basic. So, if the client company creates the VPN connection themselves, they could filter the ports there?

Zoredache: Yes, if they initiate the VPN from some device able to do routing then they should be able to set up filters.

From Zoredache
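To make the point in these answers concrete, here is an added example (not code from the thread or from any of its participants) that models a PPTP session as the question describes it: what the client's egress firewall sees of it, and what a tunnel endpoint the client controls sees after decapsulation. PPTP really does run a TCP/1723 control channel plus GRE (IP protocol 47) carrying MPPE-encrypted PPP; everything else here is an assumption: the addresses, the session key, the SHA-256-based XOR stand-in for MPPE, and the two allowlists. It runs offline on packets it builds itself.

```python
import hashlib
import struct

# Constructed addresses and key for this example (not from the thread).
CLIENT_PC = "192.168.50.23"   # the consultant's laptop on the client's LAN
VPN_SERVER = "203.0.113.10"   # the static VPN server IP at the consultant's company
DEV_SERVER = "10.20.0.5"      # a dev box reachable only through the tunnel
SESSION_KEY = b"constructed-session-key"  # stand-in for the negotiated MPPE key

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723
TUNNEL_PORT_ALLOWLIST = {22, 3389}  # assumed: what the client would permit inside the tunnel

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

def tcp_segment(sport, dport, data=b""):
    """Minimal 20-byte TCP header (SYN, no options) followed by data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + data

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def tcp_dport(payload):
    return struct.unpack("!HH", payload[:4])[1]

def _xor_stream(data, key):
    # Stand-in stream cipher (SHA-256 in counter mode); real PPTP uses RC4-based MPPE.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def gre_encapsulate(inner_ip, key, call_id=1, seq=1):
    """PPTP-style enhanced GRE header (RFC 2637: K and S bits set, protocol 0x880B,
    payload length, call ID, sequence number) over an encrypted PPP payload."""
    body = _xor_stream(inner_ip, key)
    return struct.pack("!HHHHI", 0x3001, 0x880B, len(body), call_id, seq) + body

def gre_decapsulate(gre, key):
    flags = struct.unpack("!H", gre[:2])[0]
    hdr_len = 8 + (4 if flags & 0x1000 else 0)  # the S bit adds a 4-byte sequence number
    return _xor_stream(gre[hdr_len:], key)

def perimeter_filter(pkt):
    """What the client's egress firewall can decide from the outer packet alone.
    Policy: PPTP control and GRE only to VPN_SERVER, web anywhere, drop the rest.
    Returns (allowed, reason)."""
    proto, _, dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_GRE:
        if dst == VPN_SERVER:
            return True, "GRE to the VPN server; inner ports are ciphertext here"
        return False, "GRE to an unapproved host"
    if proto == IPPROTO_TCP:
        dport = tcp_dport(payload)
        if dst == VPN_SERVER and dport == PPTP_CONTROL_PORT:
            return True, "PPTP control channel tcp/1723"
        if dport in (80, 443):
            return True, f"web traffic tcp/{dport}"
        return False, f"tcp/{dport} is not on the egress allowlist"
    return False, f"IP protocol {proto} not allowed"

def tunnel_endpoint_filter(inner_ip):
    """What a tunnel endpoint under the client's control can decide after
    decapsulating and decrypting. Returns (allowed, reason)."""
    proto, _, _, payload = parse_ipv4(inner_ip)
    if proto != IPPROTO_TCP:
        return False, f"inner IP protocol {proto} not allowed"
    dport = tcp_dport(payload)
    if dport in TUNNEL_PORT_ALLOWLIST:
        return True, f"inner tcp/{dport} is on the tunnel allowlist"
    return False, f"inner tcp/{dport} blocked on the tunnel interface"

def demo():
    """Send SSH and SMB to DEV_SERVER through the tunnel; return
    {name: (allowed at perimeter, allowed at tunnel endpoint)}."""
    results = {}
    for name, dport in (("ssh", 22), ("smb", 445)):
        inner = ipv4_packet(CLIENT_PC, DEV_SERVER, IPPROTO_TCP, tcp_segment(40000, dport))
        outer = ipv4_packet(CLIENT_PC, VPN_SERVER, IPPROTO_GRE,
                            gre_encapsulate(inner, SESSION_KEY))
        at_perimeter = perimeter_filter(outer)
        decapsulated = gre_decapsulate(parse_ipv4(outer)[3], SESSION_KEY)
        assert decapsulated == inner  # the endpoint recovers the plaintext IP packet
        at_endpoint = tunnel_endpoint_filter(decapsulated)
        results[name] = (at_perimeter[0], at_endpoint[0])
    return results

if __name__ == "__main__":
    for name, (outer_ok, inner_ok) in demo().items():
        print(f"{name}: perimeter allows={outer_ok}, tunnel endpoint allows={inner_ok}")
```

Both flows pass the perimeter check, because the perimeter can only match the outer header (GRE to the approved VPN server); only the decapsulating endpoint sees that one flow is tcp/22 and the other tcp/445. That endpoint is the device James and Zoredache describe: if the client terminates the tunnel on their own firewall or a router they control, the tunnel_endpoint_filter logic becomes ordinary forwarding rules on the PPP/tunnel interface, and the consultant's company cannot relax them. Marki's port-80 suggestion below changes only the outer check; whether the perimeter notices that the traffic is not HTTP depends on whether it does application-level inspection, as he says.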
- 
"I hope I'm wrong :)"
I hope you're right! I wouldn't want anyone fiddling with my private VPN traffic. In any case, since you're in control of the VPN server you can make it listen on any port you want, even port 80. I doubt they block that. (They could do application-level screening, however, and find out that it is not HTTP traffic.)

Pure.Krome: I know _I_ can filter ports on our VPN server end. That's not a problem, but the client cannot accept that, because even if we pass their audit today, we can (in theory) open up all the ports tomorrow and they won't know about it, thus violating their policy. They need to be able to control the filtering.

From Marki
 