Our internet connection has a PIX 520 and a VPN 3015 in parallel. Our unix boys are asking for remote access to their boxes in the DMZ and inside. My preferred method to do this is via the 3015, but they don't want to put the clients on their machines at home. They are saying all they want is ssh access, so why don't I open a port on the PIX to the machines that they want. They don't have static IPs from their providers, so I would have to open ssh from any to their machines. I know a little about ssh, and I am opposing this. Do all you experts out there agree, and if so how do I make my case to force them to use the 3015? Or do you advise to open ssh? Thanks, -farhad
You should convey to them that since they don't have static IPs, you pretty much have to leave ssh access open to the DMZ and inside network. From a security standpoint, this is not advisable. Does your company have a policy against allowing this sort of access? Someone here is going to have to make a compromise: either you, by opening up your firewall, or them, by installing the VPN client. I see that the company you work for does research on the medical impact of genes and genetic variations. I would think that in order to keep the company's research and results confidential, you'd want to provide the best security posture that you could. VPN should be the only way access is permitted into your network.
SSH only today, NFS, Telnet, and FTP tomorrow! I'd say from a security point of view, it is ALWAYS a bad idea to open up ports on firewalls, particularly those, like SSH, that potentially can allow total root access and control of systems.
Also, if you did open that port up, how would you (easily) monitor who made connections and when, etc? At least on the 3015 there's a fairly robust accounting methodology, especially with ACS.
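The monitoring question raised above ("who made connections and when") is answerable from the sshd logs on the target hosts, but only if someone actually reads them. The following is an added example, not code from anyone in this thread: it parses the standard OpenSSH "Accepted"/"Failed ... for USER from SRC port N" syslog lines, gives a per-source summary of accepted logins (timestamp, user, auth method) and failure counts, and flags sources that exceed a failure threshold. The log lines are constructed sample data, the host name, addresses and users are made up, and the threshold of 5 is an arbitrary assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample of OpenSSH syslog lines (not real data); "Invalid user"
# lines without an Accepted/Failed verdict are deliberately skipped by the parser.
SAMPLE_LOG = """\
Mar  3 08:12:01 dmzhost sshd[2011]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Mar  3 08:12:44 dmzhost sshd[2012]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 08:12:45 dmzhost sshd[2013]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 08:12:46 dmzhost sshd[2014]: Invalid user admin from 198.51.100.7 port 40003
Mar  3 08:12:46 dmzhost sshd[2014]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Mar  3 08:12:47 dmzhost sshd[2015]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Mar  3 08:12:48 dmzhost sshd[2016]: Failed password for invalid user test from 198.51.100.7 port 40005 ssh2
Mar  3 09:01:10 dmzhost sshd[2099]: Accepted password for bob from 192.0.2.44 port 60112 ssh2
Mar  3 09:03:15 dmzhost sshd[2100]: Failed password for bob from 192.0.2.44 port 60113 ssh2
"""

# Matches the OpenSSH authentication result lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


class SshEvent(NamedTuple):
    ts: str
    host: str
    result: str   # "Accepted" or "Failed"
    method: str   # "publickey", "password", ...
    user: str
    src: str
    port: int


def parse_sshd_log(text: str) -> List[SshEvent]:
    """Extract authentication events; lines that are not a verdict are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(SshEvent(
            m["ts"], m["host"], m["result"], m["method"],
            m["user"], m["src"], int(m["port"]),
        ))
    return events


def summarize_by_source(events: List[SshEvent]) -> Dict[str, dict]:
    """Per source IP: list of accepted logins (ts, user, method) and failure count."""
    summary: Dict[str, dict] = defaultdict(lambda: {"accepted": [], "failed": 0})
    for ev in events:
        if ev.result == "Accepted":
            summary[ev.src]["accepted"].append((ev.ts, ev.user, ev.method))
        else:
            summary[ev.src]["failed"] += 1
    return dict(summary)


def flag_brute_force(events: List[SshEvent], threshold: int = 5) -> List[str]:
    """Sources with at least `threshold` failures (threshold is an assumed value)."""
    summary = summarize_by_source(events)
    return sorted(src for src, s in summary.items() if s["failed"] >= threshold)


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for src, s in summarize_by_source(evs).items():
        print(src, "accepted:", s["accepted"], "failed:", s["failed"])
    print("brute-force candidates:", flag_brute_force(evs))
```

With an "any" rule on the PIX, this is the only record you get of who reached the host; with the 3015 the accounting happens before the packet touches the box, which is the point of the comment above.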
SSH vulnerabilities abound. Those unix hackers out there are especially adept!