[Leaf-user] Completely Routable Subnet

2002-01-09 Thread dgilleece

Hi all,

I am not sure really how to describe what I am after, but I'll try to sketch 
it.  

In a situation in which a network needs to have broad compatibility with multi-
vendor VPN solutions (from clients sites to home office, and vice versa), it 
appears that fully routable, legal IP addresses will be required.  One client 
in particular declares that NAT will not work with its "aggressive mode" 
system, and cannot be made to.  

The systems on the local subnet need to be able to communicate as a full 
workgroup, sharing files and printers.  The VPN connections need to be initiated 
from both external locations coming in, and from internal hosts going out.  As 
I understand it, systems in a DMZ in Eiger/Dachstein cannot be made to 
communicate with each other without routing tweaks --- so I'm assuming this 
won't do the trick.

Here are my questions:

1.  Is it still true that some systems absolutely cannot be made to work with 
NAT?

2.  Anyone care to comment on the security and administration issues with 
managing a network of routable addresses from behind a LEAF box?

3.  Are there any architectural "tricks" that can be used to create VPN 
gateways that allow full access into a private network from only one trusted 
host outside --- and is this a good idea?

4.  Are there example configs around where a LEAF distro has been setup to do 
such things?


Thanks,

Dan


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Completely Routable Subnet

2002-01-09 Thread Jeff Newmiller

On Wed, 9 Jan 2002 [EMAIL PROTECTED] wrote:

> Hi all,
> 
> I am not sure really how to describe what I am after, but I'll try to sketch 
> it.  
> 
> In a situation in which a network needs to have broad compatibility with multi-
> vendor VPN solutions (from clients sites to home office, and vice versa), it 
> appears that fully routable, legal IP addresses will be required.  One client 
> in particular declares that NAT will not work with its "aggressive mode" 
> system, and cannot be made to.  
> 
> The systems on the local subnet need to be able to communicate as a full 
> workgroup, sharing files and printers.  The VPN connections need to be initiated 
> from both external locations coming in, and from internal hosts going out.  As 
> I understand it, systems in a DMZ in Eiger/Dachstein cannot be made to 
> communicate with each other without routing tweaks --- so I'm assuming this 
> won't do the trick.
> 
> Here are my questions:
> 
> 1.  Is it still true that some systems absolutely cannot be made to work with 
> NAT?

No, but they can make it difficult enough that no-one will want to
reverse-engineer their protocol well enough to make it work.

Simple protocols just need to be port-forwarded.

More difficult ones need helper modules to watch the outgoing protocol and
build on-the-fly port forwarding rules for the return connections. If
there are no programmers around with the appropriate incentive, such
modules won't be written.

Checkpoint's FWZ won't work because it is proprietary, encrypted, and if
anyone could reverse engineer the protocol, it wouldn't be worth much,
would it?  The frustrating thing is that Checkpoint ALSO supports IPSec,
but your other endpoints may refuse to use it.

> 2.  Anyone care to comment on the security and administration issues with 
> managing a network of routable addresses from behind a LEAF box?

The firewall rules have to be constructed differently than usual in the
absence of masquerading.  I think Dachstein has a "ROUTER" option, but I
don't know how well the firewall works in that mode.

> 3.  Are there any architectural "tricks" that can be used to create VPN 
> gateways that allow full access into a private network from only one trusted 
> host outside --- and is this a good idea?

I am not sure what you mean by this.  You could mean you are interested in
VPN options or in firewall options... but I think it is implicit in VPN
technology that the other end be identifiable, and access be controllable.

> 4.  Are there example configs around where a LEAF distro has been setup to do 
> such things?

Don't know.

---
Jeff Newmiller   DCN:<[EMAIL PROTECTED]>
Research Engineer (Solar/Batteries/Software/Embedded Controllers)
---






Re: [Leaf-user] Completely Routable Subnet

2002-01-09 Thread Charles Steinkuehler

> Here are my questions:
>
> 1.  Is it still true that some systems absolutely cannot be made to work with
> NAT?

Absolutely.  The truly paranoid do cryptographic authentication of the
*entire* packet, including the IP address and IP layer checksums.  Any
tampering with these packets (even a fairly innocuous NAT of the
source/destination IP) will invalidate them.

> 2.  Anyone care to comment on the security and administration issues with
> managing a network of routable addresses from behind a LEAF box?

Your firewall problems are much trickier when using public IP's.  Get
anything wrong, and you can have inbound ports available to all machines,
leaving them open to port-scanning, if nothing else.  You might consider
blocking pretty much everything but VPN traffic and forcing everyone to use
application layer proxies...kind of depends on how secure you need to be,
and how comfortable you are crafting firewall scripts.

> 3.  Are there any architectural "tricks" that can be used to create VPN
> gateways that allow full access into a private network from only one trusted
> host outside --- and is this a good idea?

There are lots of good tricks...kind of depends on what sort of VPN protocol
and software you're talking about.  You have to decide if any particular
network architecture is a good idea for you, but in general, hooking
networks together with a VPN is just like hooking the remote users to your
local, physical net...your increased security risk depends a lot on who's
running the remote system.

> 4.  Are there example configs around where a LEAF distro has been setup to do
> such things?

Hmm...not a lot, but if you need to connect a bunch of folks with public
IP's, you can use the DMZ scripts (just pretend all your users are on DMZ
machines), or the border-router features of the Dachstein scripts (although
these haven't seen a lot of testing).

Some of the alternate firewall options (ie seawall, rcf, &c) may also have
good support for this sort of network...I don't know.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
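Charles's point that rewriting the source or destination address invalidates a packet whose IP header is authenticated can be shown with a small model of an IPsec AH-style integrity check value (an added example, not code from the thread or from LEAF): the ICV is an HMAC over the IP header with its mutable fields zeroed plus the payload, so a TTL decrement at an ordinary hop still verifies while a masquerading hop does not. The addresses, key and payload are constructed sample values, and HMAC-SHA256 truncated to 128 bits is assumed in place of a real AH algorithm.

```python
import hashlib
import hmac
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF

def with_checksum(h: bytearray) -> bytes:  # every router and NAT box must redo this
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) carrying an AH payload (protocol 51)."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                              0x4000, ttl, 51, 0,
                              socket.inet_aton(src), socket.inet_aton(dst)))
    return with_checksum(h)

def immutable_view(header: bytes) -> bytes:
    """Zero what a hop may change (TOS, flags/offset, TTL, checksum); addresses stay."""
    h = bytearray(header)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 truncated to 128 bits stands in for an AH integrity algorithm."""
    return hmac.new(key, immutable_view(header) + payload, hashlib.sha256).digest()[:16]

def forward(header: bytes, nat_src: str = "") -> bytes:
    """One hop: decrement TTL; with nat_src set, also masquerade the source address."""
    h = bytearray(header)
    h[8] -= 1
    if nat_src:
        h[12:16] = socket.inet_aton(nat_src)
    return with_checksum(h)

def demo() -> dict:
    key, payload = b"constructed-sample-ah-key", b"workgroup traffic"  # constructed
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5", len(payload))
    icv = ah_icv(key, hdr, payload)  # computed by the sender before any hop
    ok = lambda h: hmac.compare_digest(ah_icv(key, h, payload), icv)
    return {"original": ok(hdr), "plain_router_hop": ok(forward(hdr)),
            "through_nat": ok(forward(hdr, "198.51.100.1"))}
```

The same failure occurs for a port-forward that rewrites the destination address, since both addresses are inside the authenticated region.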






Re: [Leaf-user] Completely Routable Subnet

2002-01-09 Thread Jack Coates

On Wed, 9 Jan 2002, Jeff Newmiller wrote:


> More difficult ones need helper modules to watch the outgoing protocol and
> build on-the-fly port forwarding rules for the return connections. If
> there are no programmers around with the appropriate incentive, such
> modules won't be written.
>
> Checkpoint's FWZ won't work because it is proprietary, encrypted, and if
> anyone could reverse engineer the protocol, it wouldn't be worth much,
> would it?  The frustrating thing is that Checkpoint ALSO supports IPSec,
> but your other endpoints may refuse to use it.
>

Supports is a questionable word :-) Cross-platform IPSec usage usually
requires dedicating a crypto-map (and hence, an entire physical
interface) from the other device to the CheckPoint tunnel. I know this
is true of Cisco and Nortel VPN gear.

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...

