I have deployed a number of SOHO 91 routers as VPN endpoints / firewalls for our remote users on DSL and cable modems. The SOHO 91 establishes a VPN tunnel to a 3000 concentrator at our corporate office and the traffic is then filtered by a PIX 515 before entering the internal LAN. This has worked well, but many users are now deploying wireless access points at home and are leaving them wide open with no security at all. My concern now is that with the insecure wireless network at a remote user's house my corporate network is at great risk. Does anyone have suggestions as to how I can secure this?
Not sure if the SOHO 91 supports it, but XAUTH is a good cure for this type of problem. XAUTH prompts for network credentials whenever network resources are requested. If somebody's teenage kid is on the wireless and tries to get to something on the network through the VPN, they get prompted for credentials which I hope they don't have, but you know kids these days. Here is a link for XAUTH. It may not be exactly what you are looking for, but a good search on XAUTH should turn up something.
First, could you send me details on how you set up the SOHO 91s? I am trying to do the same thing, but cannot get it to work.
In answer to your question, we have considered this same issue. We plan to require home users to run the VPN client on the PC they use. In conjunction with the VPN client, we are looking at Zone Alarm's Integrity Server, Sygate Secure Enterprise, and Absolute Firewall. At least the Zone Alarm product integrates with the 3000 concentrator, requiring the endpoint to be running the desktop firewall software with the proper settings. It can also require the endpoint to have updated virus protection as well.
I ended up going away from the VPN endpoint idea because the PIX was unable to authenticate most traffic once the tunnel was established. It will only allow me to authenticate HTTP, Telnet, and maybe a couple of others, but not NetBIOS traffic, which is my main concern. I ended up using the SOHOs with the firewall feature set to protect the home network and using the VPN client on the PC. I also filter IPsec traffic at the SOHO to allow only the company-provided laptop to establish a tunnel. As far as my issue with wireless connections, I took away the users' rights to configure a wireless connection on their laptop and require that they use WEP in order for our PC techs to configure it for them.
There are obviously still holes but it is better than nothing. Let me know if you still want to see my configs.
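The per-host IPsec filter described in the post above, written out as an added example; this is not the poster's own configuration (which they offered to share separately), and the interface name, addresses and the IKE/NAT-T/ESP port set are assumptions:

```cisco
! Added example, not the poster's actual config. Assumes: the SOHO 91 LAN
! interface is Ethernet0 on 192.168.1.0/24, the company laptop holds the
! static address 192.168.1.10, and the concentrator's public address is
! shown as the placeholder 203.0.113.1 (documentation range).
!
! Only the laptop may send IKE (UDP 500), NAT-T (UDP 4500) and ESP toward
! the concentrator; every other LAN host, including anything that joins an
! open wireless access point behind the router, is dropped and logged.
access-list 110 remark --- permit IPsec tunnel setup from the company laptop only
access-list 110 permit udp host 192.168.1.10 host 203.0.113.1 eq isakmp
access-list 110 permit udp host 192.168.1.10 host 203.0.113.1 eq non500-isakmp
access-list 110 permit esp host 192.168.1.10 host 203.0.113.1
access-list 110 remark --- log and drop tunnel attempts from any other host
access-list 110 deny   udp any any eq isakmp log
access-list 110 deny   udp any any eq non500-isakmp log
access-list 110 deny   esp any any log
access-list 110 remark --- ordinary Internet traffic from the home LAN still allowed
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
interface Ethernet0
 description inside LAN (wired and home wireless)
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
!
! Verify after applying: show access-lists 110 (hit counts on the deny lines
! reveal tunnel attempts from hosts other than the laptop).
```

The filter only controls who can raise a tunnel from the home LAN; it does not protect the laptop itself from other hosts on an open access point, which is why the post pairs it with the client firewall and the wireless lockdown.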