> -----Original Message-----
> From: Max Ho [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 29 January 2000 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: Secure Remote client behind FW1-A connects to foreign FW1-B.
>
> This question was asked sometime ago by somebody else but got only one
> response from the list. I am posting the question again in hopes of a
> second and perhaps a third or fourth opinion. The scenario is as
> follows; Users behind FW1-A were told to use Secure Remote to
> connect to FW1-B which belongs to another organization.

Well, I don't use FW-1, m'self, but as I understand it, SecuRemote is an
IPSec compatible client. Assuming that this connection is supposed to
happen via IPSec, then I can offer some opinions.

> Folks at FW1-B are asking that ports TCP 256, TCP 259, UDP 256, 137,
> 138, 139 on FW1-A to be opened for the users behind A to get to B.

Uh...riiiiiight.

> Questions;
> 1. Is it possible to compromise the network security behind FW-A using
> the VPN connection established between the users' clients and FW1-B?
> That is, can machines behind FW1-B get into the network behind FW1-A
> with this arrangement?

Always. You have an internal client connected to a network you don't
necessarily trust. If it is possible to compromise the client PC then
you're shot - the client effectively becomes a low security router with
connections to your internal network and to the VPN network. This is not
unique to this situation though. The risk _does_ become greater, however,
when windows file sharing is involved - and it looks like that's what
they've got planned judging by the ports they want opened.

> 2. Why is it necessary to open ports 256, UDP 259, 137, 138, 139?

As usual, I'm prepared to make broad sweeping assertions. Um, it's not
necessary. They made it up. It's possible that these are the ports they
want open once the VPN connection is established, but under the model
they propose this would all be done at their end anyway.

> What risks are involved with these ports opened?

Many. 137, 138 and 139 are the MS NetBIOS ports. They are used for
authentication, file sharing, printing and lots of other exploitable
services. In fact, I hate these ports so much that I usually explicitly
block them on the way in _and_ the way _out_ of networks.

> Any opinion from experts on this list is much appreciated.

You'll have to make do with mine.

If you have two FW-1 boxes, the _good_ way to do this is to use the VPN
thingy (VPN-1 ?). This would involve setting up a VPN "tunnel" between
your two networks. Traffic between your network and your business
partner's network would be encrypted, but apart from that it would all
look like nice normal routes, and the normal restrictions could apply.
The endpoints of the VPN would be the firewalls, so no client-side
jiggery-pokery would be necessary.

If you want to do this from the client, then be aware that weird things
may happen if you're using NAT for your network. Go look in the archives
for "IPSec && NAT" and read up. However, if you can get around all the
problems, then for IPSec/IKE you need to communicate on UDP port 500
(unless you use pre-shared keys) and you certainly need to allow IP
protocol numbers 50 and 51. If SecuRemote uses some "Checkpoint Thing",
then ignore this completely.

Anyway, HTH - any FW-1 guys out there wanna chip in? Huh? ;)

Cheers!
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520
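An added illustration, not code from the original thread: a small first-match packet-filter model that contrasts the port list FW1-B asked for with the gateway-to-gateway IPSec design the reply recommends (IKE on UDP/500 plus IP protocols 50 and 51 between the two firewalls, NetBIOS blocked both ways). The addresses, rule names and the `decide`/`netbios_exposed` helpers are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

# Constructed model, not from the original thread; addresses are RFC 5737 placeholders.
FW1_A, FW1_B = "192.0.2.1", "198.51.100.1"   # assumed firewall addresses
ESP, AH = 50, 51                              # IP protocol numbers for IPSec
IKE = frozenset({500})                        # IKE runs over UDP/500
NETBIOS = frozenset({137, 138, 139})          # MS NetBIOS ports
FW1_PORTS = frozenset({256, 259})             # Check Point ports FW1-B asked for

@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    proto: Union[str, int]                    # "tcp", "udp" or an IP protocol number
    src: str = "any"
    dst: str = "any"
    dports: Optional[FrozenSet[int]] = None   # None matches any destination port

    def matches(self, proto, src, dst, dport=None) -> bool:
        return (self.proto == proto
                and self.src in ("any", src)
                and self.dst in ("any", dst)
                and (self.dports is None or dport in self.dports))

def decide(ruleset, proto, src, dst, dport=None, default="deny") -> str:
    """First matching rule wins; unmatched traffic falls to the default."""
    for rule in ruleset:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return default

# What FW1-B requested: every client behind FW1-A reaches FW1-B directly.
REQUESTED = [
    Rule("allow", "tcp", dst=FW1_B, dports=FW1_PORTS | NETBIOS),
    Rule("allow", "udp", dst=FW1_B, dports=frozenset({256}) | NETBIOS),
]

# Gateway-to-gateway alternative: only the firewalls exchange IKE and ESP/AH.
GATEWAY = [
    Rule("deny", "tcp", dports=NETBIOS),
    Rule("deny", "udp", dports=NETBIOS),
    Rule("allow", "udp", src=FW1_A, dst=FW1_B, dports=IKE),
    Rule("allow", ESP, src=FW1_A, dst=FW1_B),
    Rule("allow", AH, src=FW1_A, dst=FW1_B),
]

def netbios_exposed(ruleset, src, dst) -> bool:
    """True if any NetBIOS port from src to dst would be let through."""
    return any(decide(ruleset, proto, src, dst, port) == "allow"
               for proto in ("tcp", "udp") for port in NETBIOS)
```

With the requested rules a single client can reach FW1-B on 137-139, which is the file-sharing exposure the reply warns about; with the gateway ruleset only the two firewalls can talk IKE/ESP/AH and no host gets NetBIOS through in either direction.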
