Home page logo
/

basics logo Security Basics mailing list archives

RE: VPN architecture for POCKET PC
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 1 Dec 2004 13:50:18 -0500

1.   is there a way to limit users outside , and not to allow
any tcp 50 and udp 500 "my client vpn is a pocket pc"

That all depends on the addresses that the users will be connecting
from.  If the PPC users are using an address space that you manage to
connect to the Internet then, yes, you can limit the firewall to only
allow that address range.

2.  why do you specify 50 and 500 udp

I was making a wild guess that you would be using VPN through standard
IPSEC. IPSEC requires ports to be opened on the firewall to allow
incoming IPSEC traffic.  Generally, the IPSEC protocol suite is made up
of ESP, Encapsulating Security Payload, known as Protocol 50 (not
TCP-50, TCP is protocol 6) and AH, IP Authentication Header, known as
Protocol 51. Both of these protocols work at the transport layer.  Once
the VPN peers have negotiated and selected an algorithm for encrypting
the tunnel (known as Phase 1), they then have to negotiate the level of
encryption for the payload.  This is known as Phase 2, or ISAKMP,
Internet Security Association and Key Management Protocol.  ISAKMP is
UDP 500.

There are many variations of the IPSEC iteration including L2TP, PPTP,
GRE, SSL, TLS, ad nauseam. To learn more about the IP suite of protocols
go to http://www.networksorcery.com/enp/protocol/isakmp.htm

3.  could you please explain for me this point you have wrote:
Users connecting can get a local address from a routable
address pool within your DMZ

Generally, when you connect across the internet with ESP from a client
to a VPN device you establish phase 1 with your public Internet address.
Phase 2 is where Security Associations (SAs) and private IP addressing
is assigned.  Your VPN device will give a VPN client a address and
routing table that can be used to connect to the private LAN.  This is
the DHCP pool that you must assign to your VPN device.  In your case it
should be an address space that isn't being used in your network because
it's sitting in the DMZ

 VPN Client
     |
     |
  INTERNET
     |
     | - uses public IP
     |
 VPN DEVICE
     |
     | - uses DMZ IP (read RFC1918)
     |
  FIREWALL
     |
     | - Gets NAT'd to private IP (read RFC1918)
     |
 PRIVATE LAN

Here's a good link to get you started:
http://vpn.shmoo.com/

Just Google VPN+DMZ+Firewall and see what you come up with.

Cheers,

Gary Freeman
********************************************
This transmission may contain information
that is privileged, confidential and/or
exempt from disclosure under applicable law.
If you are not the intended recipient,
do not read the contents and
delete it immediately.
********************************************


-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com] 
Sent: Wednesday, December 01, 2004 1:03 PM
To: Gary Freeman
Subject: RE: VPN architecture for POCKET PC

Hi Gary

thanks you for you answer,
i find your answer is very intersting

i have some questions:

1.   is there a way to limit users outside , and not to allow any tcp 50
and 
udp 500
"my client vpn is a pocket pc"

2.  why do you specify 50 and 500 udp

3.  coul you please explain for me this point you have wrote:

Users connecting can get a local address from a routable address pool
within your DMZ


4.do you have a concrete document or documentation with examples of
maerial 
and software of vpn in a such architecture


thanks you very much






From: "Gary Freeman" <Gary.Freeman () rci rogers com>
To: "hassan hani" <amni___ () hotmail com>, 
<security-basics () securityfocus com>
Subject: RE: VPN architecture for POCKET PC
Date: Wed, 1 Dec 2004 10:29:35 -0500

Hi Hassan,

I would place the VPN concentrator into the presentment DMZ and only
allow access to the VPN device from ANY using Protocol 50 and UDP 500.
Users connecting can get a local address from a routable address pool
within your DMZ and then have the VPN assign a routing table to allow
them to only access addresses that are on your LAN via the inside
interface on the presentment firewall.  The second firewall, facing
your
LAN can then permit only the VPN pool addresses in and NAT them to
services on the inside.

Gary Freeman
********************************************
This transmission may contain information
that is privileged, confidential and/or
exempt from disclosure under applicable law.
If you are not the intended recipient,
do not read the contents and
delete it immediately.
********************************************


-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com]
Sent: Tuesday, November 30, 2004 1:37 PM
To: security-basics () securityfocus com
Subject: VPN architecture for POCKET PC


we have tHIS ARCHITECTURE in our network


LAN -------------FW1 ----------FW2------------Internet
                               |
                               |
                              dMZ



we want to implement a vpn for a usage only between a server in the LAN
and
the Pocket PC .

the pocket PC sould be connected to GPRS .

my question is:

where the VPN Gateway should be placed in the architecture above to
permit
security?

how to be sure that there will be no intrusion?





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]