Traffic on vulnerable ports from Vendor to intranet
I have a corporate network protected from the Internet by a PIX firewall. The corporate network is accessed by vendors who connect via IPsec VPNs onto the extranet arm of the firewall. Specific application layer ports are opened for traffic from required partner site addresses to the servers on the intranet.
Now there is a requirement to allow access from a new partner for a pilot project. We are not sure about the security of this partner network and we may not be able to audit it. So we need to allow access from this new partner through an IPsec VPN to the extranet arm of the firewall and then allow access to specific machines from the partner network to machines on the intranet on required application layer ports.
Now how do we ensure the security of this architecture? I mean, is it just trusting the partner and their network, or is there any other way to further enhance the security of the architecture? The partner might have machines with public IP addresses (but they say that this pilot network is isolated from their internet, and to make matters worse the partner is an ISP) coming into our network. Does this degrade security by any means?
Is it a good solution to NAT the public addresses to private address space when they enter our network through the VPN router? I mean, will it help in enhancing the security by any means?
Is there any other suggestion? I appreciate everyone's help in this matter.
Re: Traffic on vulnerable ports from Vendor to intranet
A layered approach would be the best solution, whether you trust the network or not. You have a PIX and have access lists for these networks. I am guessing you would have some sort of authentication scheme for the users coming from this partner's network. Since it's a VPN network I don't think IDS can be of much help; my guess is you may have to just go on trust on this one.
NAT of course would add security if the user is unknown to you; in your case I don't think it would help, as the partner user will be accessing parts of your network anyway.
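As an added illustration (not from the original thread), here is the layered setup discussed above as a PIX configuration fragment: interface ACLs scoped to one partner host, one server and one port, a narrow crypto ACL, and the optional outside NAT the question asks about. All addresses, interface names and the port are constructed, and the syntax assumes PIX 6.x / ASA before 8.3; the ISAKMP and crypto map lines that bind the crypto ACL are omitted.

```cisco
! Interface roles (names constructed): partner tunnels terminate on the extranet arm
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 extranet security50

! 1. Do not let decrypted VPN traffic bypass the interface ACLs.
!    With the default "sysopt connection permit-ipsec", anything the partner
!    sends through the tunnel is allowed regardless of the access-group below.
no sysopt connection permit-ipsec

! 2. Crypto ACL (bound with "crypto map ... match address partner_vpn"):
!    only the pilot host and the one application server are "interesting"
!    traffic, so anything else is not even carried in the tunnel.
access-list partner_vpn permit ip host 10.10.20.15 host 198.51.100.10

! 3. Interface ACL on the extranet arm: one partner host, one server, one port,
!    then an explicit logged deny so probes of other ports show up in syslog.
access-list extranet_in permit tcp host 198.51.100.10 host 10.10.20.15 eq 1433
access-list extranet_in deny ip any any log
access-group extranet_in in interface extranet

! 4. The inside server must have a translation to be reachable from the
!    lower-security extranet arm: an identity static keeps its real address.
static (inside,extranet) 10.10.20.15 10.10.20.15 netmask 255.255.255.255

! 5. Optional outside NAT, as asked in the question: the partner's public
!    address is seen on the inside as a private one (10.200.0.10). This hides
!    the partner's addressing and avoids overlap with their real public space,
!    but it is not an access control; the ACLs above are what limit the partner.
static (extranet,inside) 10.200.0.10 198.51.100.10 netmask 255.255.255.255
```

The logged deny in step 3 is what gives you visibility into the partner network's behaviour that an IDS outside the tunnel cannot, since it sees the traffic after decryption.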