Koozali.org: home of the SME Server

Need Assistance with Network Security/Design

imcintyre
Need Assistance with Network Security/Design
« on: January 15, 2008, 08:18:32 PM »
Sorry, not an SME problem, but I thought I'd try.

At work, I have inherited a working network that functions ok. A recent upgrade to phone system has our supplier asking for VPN access through our router so he can service/troubleshoot his system. This is easy for me to do.

What I need help with is how to permit him to see only his device. I don't want him poking around.

When he logs on he will be assigned a permanent local address. His device will need to have a permanent address I believe but that is not assigned yet. It is a small company but I don't want to walk around to the servers and desktops to fool around with their firewalls. I also don't want to slow down our network very much. I might also like to be able to see his device from my pc (just because).

I read the manual for the router and I think you can filter based on outside IP address, but I think the tech travels and will not always be able to be VPN'ing from the same fixed address.

A sketch of my network is below. Thanks in advance for suggestions.

      modem
        |
  Netopia Router
        |
     Switches
    |         |
  Phone     Various other servers/desktops etc
  company
  device
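For the case the question describes (the supplier's VPN session terminating on a Linux gateway such as an SME or Smoothwall box, with the phone device on the LAN), the usual way to limit what the VPN address can reach is a forward-filtering rule set on the gateway. The script below is an added example, not code from this thread or from the SME Server or Smoothwall projects. The addresses, the interface names (ppp0 for the VPN session, eth0 for the LAN side) and the chain name VENDOR are assumptions chosen for the illustration; the real values depend on the network.

```sh
#!/bin/sh
# Added example: restrict a VPN-connected supplier to a single LAN device.
# All values below are assumed for the illustration, not taken from the thread.
VPN_CLIENT=192.168.1.250   # address the VPN server always assigns the supplier
PHONE_BOX=192.168.1.200    # fixed address given to the phone-system device
VPN_IF=ppp0                # interface the VPN session arrives on (PPTP uses pppN)
LAN_IF=eth0                # gateway's LAN-side interface
IPT=${IPT:-iptables}       # set IPT=echo to print the rules instead of applying them

vendor_rules() {
    # Keep the supplier's rules in their own chain so they can be reloaded on their own.
    $IPT -N VENDOR 2>/dev/null
    $IPT -F VENDOR

    # Everything the VPN side sends toward the LAN is judged by the VENDOR chain.
    # Delete any earlier copy of the jump first so re-running does not duplicate it.
    $IPT -D FORWARD -i "$VPN_IF" -o "$LAN_IF" -j VENDOR 2>/dev/null
    $IPT -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -j VENDOR

    # Replies from the LAN back to the VPN side: only packets that belong to a
    # session the VENDOR chain already accepted, so nothing on the LAN can open
    # new connections toward the supplier either.
    $IPT -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null
    $IPT -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one thing the supplier may do: talk to the phone box.
    $IPT -A VENDOR -s "$VPN_CLIENT" -d "$PHONE_BOX" -j ACCEPT

    # Anything else arriving from the VPN side is logged (rate-limited) and dropped,
    # so attempts to reach other LAN hosts show up in the gateway's log.
    $IPT -A VENDOR -m limit --limit 5/min -j LOG --log-prefix "VENDOR-DROP: "
    $IPT -A VENDOR -j DROP
}

# Apply only when asked, so the file can also be sourced to inspect the function.
case "${1:-}" in
    apply) vendor_rules ;;
esac
```

Run it as `sh vendor.sh apply` on the gateway (as root) to install the rules, or `IPT=echo sh vendor.sh apply` first to review the exact iptables commands it would issue. The poster's own PC sits on the same LAN as the phone box, so it reaches the device through the switch without passing the gateway; this rule set only governs what comes in over the VPN.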

arne
Re: Need Assistance with Network Security/Design
« Reply #1 on: January 15, 2008, 11:08:30 PM »
My point of view:

This can per definition not be done straightforwardly as described in the question by replacing the Netopia router with an SME gateway.

If you allow a PPTP VPN logon to the SME server there will not be any "mechanism" to control which LAN resources can be accessed. (As far as I can remember at present.) So this should not be an option.

If you on the other side just forwarded some port or encrypted something to the IP telephony box as the end point, this traffic could pass securely through the SME gateway, but there would not be any way to control how the IP telephony box is used as a platform for further access to your LAN. So this also will not work.

The third option is to replace your standard SME 2-port firewall with a modified 3-port SME gateway where the third port is set up as a safe zone. Technically it can be done, but the solution is "not approved" by this community, so this is also not an option. (I have used this option myself for a while, and it worked well.)

The fourth option, which I think would be the most usable one, is to add an SME gateway after the Netopia router. This will give this arrangement:

modem/router--dmz with iptelephony box--sme gateway--LAN safe zone.

Doing it this way will require that the IP telephony box can do the encryption or VPN thing itself. This will give the LAN safe zone a double-NATed connection, but it will work. (Forwarding ports into the LAN zone if required can be a bit "clumsy".)

Hopefully there is some other as well that has some ideas ..

......

arne
Re: Need Assistance with Network Security/Design
« Reply #2 on: January 15, 2008, 11:32:07 PM »
By the way, a better performing option might be to replace the Netopia router with a Smoothwall installation.

http://www.smoothwall.org/

modem--smoothwall--dmz with servers including iptelephony things---sme gateway--Secure LAN ZONE.

This will give a very secure, all free software solution.

Using the Smoothwall as the VPN access point should give access to the DMZ zone only.

In general, I believe that Linux routers do the IP telephony routing very well.

Actually I believe this solution based on Smoothwall and SME server should meet all requirements in the original question (??!!)
......

imcintyre
Re: Need Assistance with Network Security/Design
« Reply #3 on: January 19, 2008, 08:56:33 PM »
Arne;

Thx for your interest and suggestions. The people who are really responsible don't see this as an issue so for now I'll review my firewall.

Ian

idp_qbn
Re: Need Assistance with Network Security/Design
« Reply #4 on: January 20, 2008, 04:07:55 AM »
One of the advantages of arne's suggestion is that Smoothwall and its distant relative IPCop (functionally equivalent systems) have addons that cache Microsoft updates - this means that when one of the PCs on the LAN has updated, the update is cached locally for the others, saving bandwidth and time. MS Updates are generally not cached, because the updates come from the next available server, a different one every time.

The other advantage is the DMZ option - as arne suggested, that is the place where the telephony system should be. That way, outsiders have no access to the LAN. The only traffic they can monitor is the DMZ traffic.

And believe me, if you let them on your network to support the telephony system, they will at some stage try monitoring the LAN traffic, even if just to diagnose a problem with their own system.....but that's your data stream they are watching.

Cheers

Ian
___________________
Sydney, NSW, Australia

imcintyre
Re: Need Assistance with Network Security/Design
« Reply #5 on: January 22, 2008, 04:56:10 AM »
Arne/idp_qbn

Just a follow-up question: what kind of machine would be required to run Smoothwall? I have no familiarity with it. It's an office of about 30 people with email/website hosted outside. So not very heavy traffic.

Ian


idp_qbn
Re: Need Assistance with Network Security/Design
« Reply #6 on: January 22, 2008, 07:31:58 AM »
Smoothwall/IPCop?
Something about 600 MHz, 256 MB RAM, 20 GB HDD, 2 network cards.
Of course, anything up from this always helps. For 30 users, 512 MB RAM would be better. And a faster processor.

I have a 1.6 GHz P4, 512 MB RAM and 40 GB HDD but it mostly just idles along since I only have a home network. Still, that's the lowest spec PC I could find to do the job.

You can save your config on a floppy/USB and reload from scratch in about half-an-hour in the event of a disaster.
In fact, if I remember correctly, I have replaced a network card and just had to use the "setup" program from the console to recognise the new card and away it went.

Cheers

Ian
___________________
Sydney, NSW, Australia