Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
284
Views
0
Helpful
1
Replies

Traffic on vulnerable ports from Vendor to intranet

jimmyjoseph
Level 1
Level 1

‎03-28-2003 08:04 AM - edited ‎03-09-2019 02:41 AM

Hi,

I have a corporate network protected from Internet through a Pix firewall. The corporate network is accessed by vendors who connect via IPsec VPNs on to the extranet arm of the firewall . Specific application layer ports are opened for traffic from required partner site addresses to the servers on the intanet.

Now there is a requiremnet to allowaccess from a new partner for a pilot project. We are not sure about the security of this partner network and we may not be able to audit it . So we neeed to allow access from this new partner through an IPsec VPN to the extranet arm of the firewall and then allow access to specific machines from the partner network to machines on the intranet on required application layer ports.

Now how do we ensure the secuirty of this architecture. I mean.. is it just trusting the partner and their network or is there any other way to further enhance the secuirty of the architecture. The partner might have machines with Public IP addresses (but they say that this pilot network is isolated from their interent and to make matter worse the partner is an ISP) coming into our network. Does this degrade secuirty by any means?

Is it a good solution to NAT the public address to private address space when they enter to our network through the VPN router? I mean will help in enhancing the secuirty by any means?

Is there any other suggestion? appreciate every one help in this matter..

regards,

jj

Labels:
0 Helpful
1 Reply 1

hadbou
Level 5
Level 5

‎04-03-2003 01:17 PM

A layered approach would be the best solution, whether you trust the network or not. You have a PIX and have access list for these networks. I am guessing you would have some sort of authentication scheme for the users coming from this partners network. Since its a VPN network I don't think IDS can be of much help, My guess is you may have to just go on trust on this one.

NAT of course would add secuirty if the user is unknown to you, in you case I don't think it would help as the user partner will be accessing parts of your network anyway.

0 Helpful
Customers Also Viewed These Support Documents