I'm in the process of trialling SecuRemote at two client sites. My initial
trials have led me to a conclusion that I thought I should run by the many
experts on this list. I know there are lots of people running SecuRemote
(the list is full of SecuRemote traffic).
Background
All our firewalls have at least one router on either side of the firewall
to provide additional protection using router ACLs. These ACLs are used on
the external router to tightly control access to resources on the DMZ. On
the internal router ACLs are used to do the same sort of thing for the
internal LAN. The firewall policy of course backs up these ACLs, provides
stateful inspection, etc. as well as additional logging.
Typically, the external and internal router ACLs do not allow any
connections from the Internet to the firewall, or to internal resources.
With SecuRemote we are obviously looking at people on the Internet being
able to access internal servers so that they effectively become part of the
LAN.
Problem
As far as I can see, we need to significantly relax our ACLs on both our
routers, and rely on the firewall more, to allow SecuRemote users to access
internal resources. As a packet comes in from the SecuRemote PC, it hits
the firewall, gets decrypted, and continues on (depending on the firewall
policy) to the internal server, whatever that may be. So my internal router
ACLs, for instance, need to allow any IP to contact an internal server on
whatever port I am allowing, e.g. HTTP. This seems to significantly weaken
our defense in depth approach. Previously our internal router ACLs would
not have allowed any traffic from the Internet to pass through to internal
servers at all (excluding returning packets to proxies we have already
deployed).
Does anyone have any comments? Am I missing something, or is this just
normal setup for a SecuRemote installation?
Ivan Dean
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
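The ACL change the post describes, written out as an added illustration (this is not configuration from the original post or from Check Point). The addresses, interface name and the web server role are assumptions chosen for the example; the "before" list permits only replies to connections the LAN and its proxies opened, the "after" list is what the post says SecuRemote forces you to add, since the decrypted packets still carry the remote PC's own source address and the router cannot tell a SecuRemote user from any other Internet host:

```cisco
! Added illustration, not from the original post. Assumed values:
!   10.1.1.0/24   internal LAN behind the internal router
!   10.1.1.10     internal web server the SecuRemote users need
!   192.0.2.1     firewall inside interface (next hop towards the firewall)
!   Serial0       internal router interface facing the firewall
!
! --- Before SecuRemote: nothing from the firewall side reaches the LAN
! except replies to sessions the LAN/proxies opened (TCP "established").
ip access-list extended FW-TO-LAN-BEFORE
 permit tcp any 10.1.1.0 0.0.0.255 established
 deny   ip  any 10.1.1.0 0.0.0.255 log
!
! --- After SecuRemote: the decrypted packet's source is the remote PC's
! public address, so the permit has to be "any" and the firewall policy is
! the only place the user is actually identified and authorised.
ip access-list extended FW-TO-LAN-AFTER
 permit tcp any host 10.1.1.10 eq 80
 permit tcp any 10.1.1.0 0.0.0.255 established
 deny   ip  any 10.1.1.0 0.0.0.255 log
!
! What the router can still enforce: one host, one port, a final deny with
! logging so the firewall log is not the only record, and the list applied
! only on the interface that faces the firewall.
interface Serial0
 description link to firewall inside interface 192.0.2.1
 ip access-group FW-TO-LAN-AFTER in
```

The only way to narrow the `any` in the permit line is if the firewall rewrites the source of decrypted SecuRemote traffic to a fixed inside address or pool before forwarding it; the post does not say its firewalls do that, so whether your version and policy do is something to verify on the firewall itself before tightening the router ACL to such a range.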