Site-to-site VPN to client, good idea?

Discussion in 'Security Software' started by ac130, Nov 6, 2008.

  1. ac130

    ac130 Guest

    We have a new application we are hosting internally on an AS/400 (all other
    servers are Win2k3 servers including the DC) and we need to give our clients
    access to it so they can enter/edit data and upload files. The same
    application is also being used internally by our employees. The data involved
    is very sensitive; all connections must be encrypted.

    Our first test client, also our biggest, insists on a site-to-site vpn. We
    have a PIX and while I am not that familiar with vpns, we can get a resource
    to create the vpn if we need to, the client has a PIX as well and they will
    handle the configuration on their end.

    I'm very uneasy about creating a persistent VPN connection with another
    organization whose security practices and policies we don't control. We toyed
    with the idea of having them connect via Remote Desktop to one of our
    workstations and invoke the client app from there, but uploading and
    downloading data is clunky and slow. I feel we are opening our doors, and
    keeping them open, to people we don't know. Are my fears unfounded? Can we
    create the site-to-site VPN in such a way that it prohibits external users
    from exploring our network? What happens if they have a virus outbreak? What
    other ideas for connecting our clients can I explore?

    Any thoughts and comments are appreciated. Thank you.
    ac130, Nov 6, 2008

  2. Hi,

    Indeed, it is the main problem with site-to-site VPN. This is often done in
    the context of a company with many offices in many countries.
    In that case, the security policy is the same for the whole company and they can
    control what is done with multiple access control tools, logs, etc.
    In your case, you give complete access to your LAN to the other company.
    Yes, you open the door, clearly!
    You have 3 solutions:

    --> You make an agreement where you state that they will be monitored, they
    will have to respect your security policy, etc. You can monitor their
    potential fraudulent activities with an IDS, for example, to be sure to
    detect viruses, hacking, etc.
    The main problem with that is the reaction time: you will act after the
    problem happens, not before.

    --> You restrict their VPN and redirect them to a VLAN or isolated private
    LAN, and enforce an ACL that will only permit them to make file transfer and
    RDP for example.

    --> You don't make a site-to-site VPN. You allow them to use FTP + RDP +
    others if necessary (it's better to use SFTP or SCP) to get the files,
    but you have to create a server with an FTP server or equivalent and make the
    port address translation on your PIX.

    The choice is yours. (Don't choose the first if possible.)


    Excuse my bad English writing ;-(
    Philippe Gillet [CISSP-CISA-CISM], Nov 6, 2008

  3. ac130

    ac130 Guest


    Thank you for taking the time to answer my questions. Your post validated my
    concerns about creating the site-to-site VPN to our client. We've actually
    discussed a scenario similar to your second suggestion and we're probably
    going to implement something similar.

    Again thanks for your input and by the way, your English is perfectly fine :)
    ac130, Nov 7, 2008
  4. Newell White

    Newell White Guest

    If you terminate the VPN connection in your PIX firewall then access is not
    necessarily wide open.
    You can configure the PIX to restrict the range of IP addresses in your LAN
    that the VPN connection can access.
    I forget the exact details, but I learnt this and implemented it when setting
    up 'split-tunnelling' in this context some years ago.

    A search on this term + 'Cisco PIX' should get you some info.
    Newell White, Nov 7, 2008
  5. No problem.

    You are welcome ;)

    Philippe Gillet [CISSP-CISA-CISM], Nov 7, 2008
  6. Anteaus

    Anteaus Guest

    This is true, though IP controls only limit the access to specific
    computers. They do not, for example, prevent an Administrator logon to your
    server with a leaked or brute-forced password from an authorised IP address.
    This, I feel, is one of the limitations of hardware VPNs: in most cases they
    offer no way to prevent unwanted or undesirable remote logons. With such a
    setup you need to be extremely vigilant over weak user passwords,
    particularly on privileged accounts, since it takes only one weak password
    out of many to negate the security of your LAN.

    FTP on the other hand allows you to exercise control over what users can and
    cannot do remotely, in a way that SMB (file sharing) logons do not. Although
    less user-friendly than SMB sharing, it allows admins to sleep more easily.
    Anteaus, Nov 9, 2008
  7. S. Pidgorny

    S. Pidgorny Guest

    Incorrect. One can apply firewall rules to the VPN traffic and limit
    incoming connections within the tunnel to those actually required for
    the particular partnership. In cases where the location of the connecting
    workstation in the partner organisation cannot be predicted, a site-to-site
    VPN is appropriate.
    S. Pidgorny, Nov 10, 2008
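    Philippe's second option and S. Pidgorny's point both come down to filtering the traffic inside the tunnel rather than trusting it. The configuration below is an added illustration, not from any poster in this thread, of what that looks like on a PIX running 7.x software; the addresses are constructed placeholders (partner LAN 192.0.2.0/24, application host 10.10.50.10 on an isolated VLAN) and only SFTP (TCP 22) and RDP (TCP 3389) are assumed to be required.

```cisco
! Added example, not from the thread. Addresses are constructed placeholders.
! Partner LAN: 192.0.2.0/24      Isolated app-VLAN host: 10.10.50.10
!
! By default the PIX lets decrypted VPN traffic bypass the interface ACLs.
! Turn that off so the outside ACL is also applied to traffic arriving
! through the tunnel (this is the step that makes the filtering take effect).
no sysopt connection permit-vpn
!
! Weak setting (what an unfiltered site-to-site VPN amounts to): anything
! from the partner LAN can reach the whole internal network.
!   access-list OUTSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! Corrected: only the two required services, only to the single isolated host,
! and log everything else the partner sends so it shows up in syslog / the IDS.
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.50.10 eq 22
access-list OUTSIDE_IN extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.50.10 eq 3389
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any log
! (entries for any other published services go in the same list, above the
!  implicit deny at its end)
access-group OUTSIDE_IN in interface outside
!
! The crypto ACL decides which traffic is sent into the tunnel at all; keep it
! equally narrow so the tunnel only ever carries app-host <-> partner-LAN traffic.
! Peer address and transform set are configured as usual by whoever builds the tunnel.
access-list PARTNER_CRYPTO extended permit ip host 10.10.50.10 192.0.2.0 255.255.255.0
crypto map PARTNER 10 match address PARTNER_CRYPTO
```

    After the tunnel is up, `show access-list OUTSIDE_IN` shows per-line hit counts, so a rising count on the logged deny line is the early warning that the partner side is probing or infected.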