We're starting to roll out a new system in conjunction with our Telco which
sits on top of ADSL and goes nowhere near the Internet. According to the
marketing blurb, it is un-hackable. I wasn't born yesterday and I take
anything marketing people say with a grain of salt. It works like this:
We have an E1 connection to Head Office (but it can be anything up to ATM).
We have a RADIUS server in Head Office for authentication. We connect the
telco's router through our firewall for extra protection.
The SOHO user has an ADSL connection. When the ADSL router connects to the
telco, it sends its authentication information to their RADIUS server, which
passes the request downstream to us. Part of the user id is a realm, in our
case @ssi.co.nz. This is how the Telco determines which server to auth with.
We authenticate the tokens, and either pass configuration information back
or a NACK. Part of the configuration information is an IP address, which is
from our network range. The ADSL router is then configured with an IP
address that makes the SOHO look like it is in our office. Communication is
directly between us and the SOHO, no middleman.
The speeds are good. Between 2 and 8 Mbps.
An added bonus is that the Telco can now offer the same security over a
dial-up. Same story. The road-warrior dials a special number, authenticates
using our realm name, gets a secure connection.
The big bonus is that we don't have to invest a ton of cash in RAS etc.
Because our RADIUS server is on a different leg of the server, we can look
for intrusion profiles. Here is the downside. If I give my business card to
Harry the Hacker, who has an ADSL connection for the Internet, he can try
guessing my realm name (not a lot of imagination there) and try a
dictionary attack to crack my password. We can log all such attempts at the
firewall, extract the MAC address from the logs, inform the Telco, who
terminate his access. Voilà!
That is one way of doing it.
Globally, our company is looking at a Hybrid system involving Checkpoint and
Cisco. Firewalls will be deployed at sites which need direct access to the
internet etc. Cisco routers (ranging from the 850 I believe) will have
encryption cards installed, and they will set up an IPSec tunnel either with
the Firewall, or with another Cisco router, which would sit in an
'encryption DMZ'. A convoluted way of doing it, but it's a very expandable
architecture. The beauty of this is that the Cisco routers are very simple
to manage. I haven't used one in a VPN before, but I'm willing to give it a
shot!
Craig/
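As an added illustration of the two mechanisms Craig describes (realm-based forwarding of the RADIUS request, and spotting a dictionary attack in the logs so the Telco can be given the offending MAC), here is example code that is not from the thread or from any of the products mentioned. The log format, the server name and the threshold are assumptions; the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Realm -> downstream RADIUS server the telco proxies to (assumed values).
REALM_SERVERS = {"ssi.co.nz": "radius.ssi.co.nz"}

def split_realm(user_id):
    """Return (user, realm) for 'user@realm'; realm is None when absent."""
    if "@" not in user_id:
        return user_id, None
    user, realm = user_id.rsplit("@", 1)
    return user, realm.lower()

def route_request(user_id):
    """Server to forward the request to, or None (the telco NACKs it)."""
    _, realm = split_realm(user_id)
    return REALM_SERVERS.get(realm) if realm else None

# Constructed auth-log lines (assumed format): time, result, user id, CPE MAC.
SAMPLE_LOG = """\
2000-06-23T06:10:01 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:10:05 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:10:09 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:10:14 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:10:20 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:11:02 REJECT craig@ssi.co.nz 00:a0:c9:11:22:33
2000-06-23T06:12:40 REJECT jane@ssi.co.nz 00:a0:c9:44:55:66
2000-06-23T06:12:55 ACCEPT jane@ssi.co.nz 00:a0:c9:44:55:66
"""

def failed_auth_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """MACs with >= threshold REJECTs inside any sliding window -> peak count."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        ts, result, _user, mac = line.split()
        if result == "REJECT":
            rejects[mac].append(datetime.fromisoformat(ts))
    flagged = {}
    for mac, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[mac] = max(flagged.get(mac, 0), end - start + 1)
    return flagged  # e.g. {'00:a0:c9:11:22:33': 6} for SAMPLE_LOG
```

A legitimate user who mistypes once or twice stays under the threshold; the MAC that the detector returns is what you would hand to the Telco.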
-----Original Message-----
From: Eddy Kalem [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 23, 2000 6:15 AM
To: [EMAIL PROTECTED]
Subject: VPN Links
I'm trying to rack my brain here and figure out how companies are
implementing VPN solutions over the Internet for their SOHO employees. The
main concern is the SOHO getting hacked, and then compromising the corporate
network through the VPN link, and we don't want to deal with maintaining a
firewall at 25+ SOHOs. Any ideas or suggestions?
TIA,
Eddy Kalem
Network Operations Manager
Phyve, formerly Digital Medical Systems
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]