Does anyone see a problem with this;
-------------------------- router
------------------- FW ---------------- LDAP
--------------------------- Internal Network
handles IPSec
The encrypted tunnel is created from the source, in this case using
a smart card set-up. The CISCO router decrypts the packets and forwards them to the FW;
authentication occurs at the LDAP server, which only accepts packets from the
router doing the decrypting. NAT is still done by the FW. Everything between
the router and the FW is not encrypted.
From: Valerie Anne Bubb <[EMAIL PROTECTED]> on 07/26/2000 10:56 AM
To: [EMAIL PROTECTED]@SMTP@Aus Exchange, John G
Taylor/NZIAU/AU@General Accident Group
cc:
Subject: Re: IPSEC
John -
While I haven't set up a smart card system, there is a
general guideline for handling encryption and NAT.
Basically, you need NAT to occur before the packet
is encrypted, or not at all*.
For your setup, you can put the LDAP server on the inside
of your network, so that the traffic does not need to
be NATed. Or, you can set up your firewall to
do both the encryption and the NAT (most firewalls will
do the NAT on the packet first, then encrypt, so that
the hash values work out).
Another option is to have the firewall tunnel these
packets over the wire to another firewall that will return
the packets to their original IP state before forwarding
onto the LDAP server.
hth
Valerie
(* you can also not use MD5 authentication, in which
case the fact that the IP header has changed won't
matter. Also, some crypto tools have a special
authentication that doesn't take the IP header into
account in the hash.)
> Delivered-To: [EMAIL PROTECTED]
> From: John G Taylor <[EMAIL PROTECTED]>
>
> Has anyone set up a smart card system or similar on their site? If so, can
> someone please offer some suggestions as to how they overcame the following
> problem.
>
>
> IPSEC packets sent are NATed by the firewall and of course, as a result the
> hash value is changed due to the header of the incoming packet having to
> change for the addressing to the LDAP server. Now the main question is, how
> did anyone overcome this? Where did they put the LDAP server? DMZ,
> Internal, External? My thoughts are that you would put the LDAP server in
> the DMZ and direct address it from the source.
>
> Any thoughts would be good.
>
> John Taylor
>
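The thread's core point (NAT rewriting the IP header breaks an integrity check that covers the header, and a check that ignores the outer header survives it) as an added worked example, not code from either poster. It models the two checks with HMAC-MD5-96 over a constructed IPv4 header and payload; the key, addresses and payload are constructed demo values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key would come from IKE or manual keying.
KEY = b"constructed-demo-key"

def build_ipv4_header(src, dst, ttl=64, proto=51):
    """Minimal 20-byte IPv4 header (no options); checksum left zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(ip_header, payload, key=KEY):
    """AH-style ICV: mutable fields (TTL, checksum) are zeroed before hashing,
    but the addresses are immutable and therefore covered by the HMAC."""
    h = bytearray(ip_header)
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.md5).digest()[:12]

def esp_icv(payload, key=KEY):
    """ESP-style ICV: only the ESP payload is covered, never the outer IP header."""
    return hmac.new(key, payload, hashlib.md5).digest()[:12]

def rewrite_source(ip_header, new_src):
    """What a NAT device does to the packet on its way out."""
    return ip_header[:12] + ipaddress.IPv4Address(new_src).packed + ip_header[16:]

def decrement_ttl(ip_header):
    """What every router does to the packet on its way out."""
    return ip_header[:8] + bytes([ip_header[8] - 1]) + ip_header[9:]

def verifies_after(mode, transform, src="10.1.1.5", dst="192.0.2.10",
                   payload=b"constructed LDAP bind request"):
    """True if the receiver's integrity check still passes after `transform`
    touched the IP header in transit. mode is "ah" or "esp"."""
    hdr = build_ipv4_header(src, dst, proto=51 if mode == "ah" else 50)
    if mode == "ah":
        sent = ah_icv(hdr, payload)
        return hmac.compare_digest(sent, ah_icv(transform(hdr), payload))
    # ESP: header changes are invisible to the check, only the payload matters
    sent = esp_icv(payload)
    transform(hdr)
    return hmac.compare_digest(sent, esp_icv(payload))

if __name__ == "__main__":
    nat = lambda h: rewrite_source(h, "203.0.113.7")
    print("AH after TTL decrement:", verifies_after("ah", decrement_ttl))
    print("AH after NAT:", verifies_after("ah", nat))
    print("ESP after NAT:", verifies_after("esp", nat))
```

A TTL decrement leaves the AH check intact because mutable fields are excluded, while a NAT rewrite of the source address fails it; the ESP-style check passes either way, which is why the list's advice is to NAT before encrypting or to use a check that does not cover the outer header.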
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]