The office today:
Small NT 4 network (two NT 4 servers and fifteen Windows 2000 Workstations). Internet connection via ADSL: Nokia ADSL modem - Netgear RT314 - LAN. One public IP address obtained from the ISP via DHCP. LAN Workstations and Servers get IP addresses from the Netgear Router via DHCP (192.168.255.0). The RAS of the BDC is configured as VPN server (Point to Point Tunnelling Protocol, PPP), allowing remote users to log on to the Windows Domain using MS-CHAP + RSA encryption. The Netgear Router has port forwarding configured to forward all PPP traffic to the BDC. Apart from “dial-in” VPN connections, some of the LAN Workstations connect to customer networks using VPN clients such as Watchguard’s Mobile User VPN. So, VPN connections are established both ways. The security of the above leaves much to be desired, but the best part is definitely that IT WORKS.
The office tomorrow, using PIX 501:
We will, for the time being, stick to our NT 4 servers. Windows 2003 will, of course, be implemented in the near future. To increase networking security I decided to invest in a firewall. As always, I go for the best. I went for a Cisco PIX 501 Firewall (FOS 6.3(3) + PDM 3.0(1), 3DES-AES, 10 VPNs, 50 connections). There was only one thing about it. I knew “nothing” about firewalls and networking security strategies. I had, of course, read some books on the subject but… To summarize: the more I dig into the PIX 501 world of security solutions (thanks Cisco for thorough documentation), the more hesitant/uncertain I get about which way I should go for e.g. implementing VPN into our day-to-day business. Right now, I’m sitting at my home computer behind an ADSL modem, PIX 501 firewall and one Windows 2000 Pro PC. No matter how I try, I can’t connect to the office using the same shortcut for the office VPN connection as I used to. I’m trying to learn at home instead of annoying my colleagues at work by implementing the PIX without sufficient knowledge about the firewall and its capabilities.
Which way to go…?
Provided the PIX 501 is replacing the Netgear Router in the above configuration:
I like it clean and simple so: Which is the best/simplest way to connect remotely (ADSL) to the office? (I) Should the PIX act as VPN server or should it just let the remote VPN traffic through to the BDC? How can I log on to the Windows Domain? Will the PIX take care of the authentication or will it relay this to the NT 4 BDC? Cisco Secure ACS?
(II) Should I use Easy VPN for it or...
(III) Should I use the Windows 2000 VPN-solution…?
(IV) I have a web server behind the PIX. It will never be a public web server, but still I would like to give certain persons/customers access to parts of it. I was thinking of using port redirection to let port 80 traffic through the PIX, but can you recommend a solution for user authentication?
To summarize:
The above is in no way to be considered a request for detailed click-by-click how-to solutions. I would appreciate it, though, if some experienced PIX user could push me in a suitable direction as regards the techniques presented above.
Looking forward to hearing your ideas
Cheers,
Staffan Carlsson