Re: [Users] Re: Is something missing from SSH-Sentinel-1.3-FreeSWAN.pdf instructions?

From: Jussi Torhonen (jt_at_ssh.com)
Date: Fri Sep 06 2002 - 13:40:54 CEST


John A. Sullivan III wrote:

> We have been very successful with Sentinel and completely ignored the
> SSH Free S/WAn documentation. As Jussi suggests, we just read the x509
> docs and the Sentinel docs and sewed them together. Works great (except
> for the single VPN connection using a virtual IP :-( ) - John

That's because the current Virtual adapter implementation of SSH
Sentinel supports one single virtual adapter at a time. We know that
this may be a problem for some users, but only for a minority of them.
Let's see what the future has to offer.

Having more than one active simultaneous VPN tunnel is a security risk
for sure. And if you allow clear text internet traffic at the same time,
that's not recommended at all. In the next SSH Sentinel release you can open
a VPN tunnel over a VPN gateway and deny all other traffic at the same
time. When the tunnel is closed, your normal clear text internet traffic
continues.

BTW, has anyone here deployed the packet filtering firewall included in SSH
Sentinel? Sure it's harder to deploy than ZoneAlarm or some other
dedicated personal firewall, but it's a pretty good one when configured
properly. A ruleset to start with could be to add the following under
Post-IPSec Filters:

---------------------------------------------------------------------
Filter  Direct.  Proto    Local_port  Remote         SYN  Audit
---------------------------------------------------------------------
REJECT  inbound  tcp      auth        any            no   no
DROP    inbound  tcp+udp  any_low     any            no   yes
ALLOW   inbound  tcp      any_high    port:ftp-data  no   no
DROP    inbound  tcp      any_high    any            yes  yes
---------------------------------------------------------------------

So, we reject incoming auth/ident requests, drop all incoming packets to
tcp+udp low ports, allow ftp-data channel for active mode ftp
connections and drop all tcp connection requests to high ports. That is
a good and easy start.

If you don't want to allow active mode ftp, just don't add that ALLOW
rule there. Or disable/enable the rule as required.

If the rule set is set under Pre-IPSec Filters, it checks packets from
the NIC adapter only. If the ruleset exists in Post-IPSec Filters, it
triggers on VPN tunneled traffic as well (for example to deny hacking
of your home computer by a network admin of the target private LAN ;-)

Sure you can mix both packet filter rule sets. It's the rule evaluation
order that matters. You can for example drop the lpd port for the NIC but allow
lpd port usage for the VPN tunnel to get print jobs from a print server in the
target private LAN to your remote access client.

Regards,
Jussi

SSH Communications Security Corp, http://www.ssh.com
SSH Sentinel VPN Client, http://www.ipsec.com
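The filter scheme described in the message above (Pre-IPSec rules seeing only clear-text NIC packets, Post-IPSec rules seeing tunneled traffic too, first matching rule winning, and the lpd trick relying on rule order), as an added toy model that is not code from the post or from SSH Sentinel. It assumes that an unmatched packet passes, that any_low/any_high split at port 1024, that SYN "yes" restricts a rule to TCP connection requests while "no" matches any packet, and the IANA port numbers for auth, ftp-data and lpd.

```python
# Added example (not the original post's or SSH Sentinel's code): a toy model
# of the Pre-IPSec / Post-IPSec filter lists as the message describes them.
# Assumed: first match wins, no match passes, any_low/any_high split at 1024,
# SYN "yes" matches only connection requests, IANA ports auth/ftp-data/lpd.
from dataclasses import dataclass

PORTS = {"auth": 113, "ftp-data": 20, "lpd": 515}

@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    local_port: int   # port on this client
    remote_port: int  # port on the peer
    syn: bool         # TCP connection request
    tunneled: bool    # arrived inside the IPsec tunnel (visible only after decryption)

def port_matches(spec, port):
    if spec == "any":
        return True
    if spec in ("any_low", "any_high"):
        return (port < 1024) == (spec == "any_low")
    return port == PORTS[spec.removeprefix("port:")]

def rule_matches(rule, pkt):
    action, proto, local, remote, syn_only, audit = rule
    return (pkt.proto in proto.split("+")
            and port_matches(local, pkt.local_port)
            and port_matches(remote, pkt.remote_port)
            and (syn_only == "no" or pkt.syn))

def evaluate(pkt, pre_rules, post_rules):
    """Return (action, audited). Pre-IPSec rules see only clear-text NIC packets;
    Post-IPSec rules see those and decrypted tunnel traffic alike."""
    for rule in ([] if pkt.tunneled else pre_rules) + post_rules:
        if rule_matches(rule, pkt):
            return rule[0], rule[5] == "yes"
    return "PASS", False

# Pre-IPSec drops clear-text lpd on the NIC; Post-IPSec is the message's ruleset
# with an lpd ALLOW placed before the any_low DROP, so only tunneled lpd gets in.
PRE_IPSEC = [("DROP", "tcp", "lpd", "any", "no", "yes")]
POST_IPSEC = [
    ("ALLOW", "tcp", "lpd", "any", "no", "no"),
    ("REJECT", "tcp", "auth", "any", "no", "no"),
    ("DROP", "tcp+udp", "any_low", "any", "no", "yes"),
    ("ALLOW", "tcp", "any_high", "port:ftp-data", "no", "no"),
    ("DROP", "tcp", "any_high", "any", "yes", "yes"),
]
```

Swapping the lpd ALLOW below the any_low DROP makes tunneled print jobs get dropped too, which is the evaluation-order point the message makes.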

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 05:20:00 CEST