Tunnelling through a Firewall

Posted on 2000-04-07
Last Modified: 2010-04-11
Hello experts,

I REALLY need help with tunnelling through a firewall.

The setup is as follows:
I have a server within the company LAN. Outside, in the big ugly real world, I have some clients. Now, I need to establish and maintain a VPN (PPTP protocol) from the server to each client. The server knows the IP address of each client.

This connection might pass through a proxy and might pass through a firewall. However, I do not want to make any "holes" through these devices. Can this be done? Perhaps by tunnelling through port 80.

Regards Søren
Question by:svj
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 2694098
Sounds interesting to me. But I have never had to do it this way.
You may need dedicated hardware.
Modem and RAS is easier for Local stuff.
 
LVL 40

Expert Comment

by:jlevie
ID: 2694229
What kind of firewall? The preferred solution from a security standpoint is to have the firewall or a VPN router outside of the firewall establish the connection. Any method that places the local endpoint of the VPN inside of the firewall requires opening an inbound hole through the firewall... Not good! A Cisco PIX can do IPSec VPNs and Checkpoint can do their proprietary VPN directly and safely. Placing a properly configured VPN router outside of the firewall is also safe, as only "known good" connections will be coming from the "inside" interface of the router and they can be permitted to pass unhindered through the firewall.
 

Author Comment

by:svj
ID: 2699745
The server within the company LAN is actually a piece of dedicated hardware. This excludes the use of RAS.

I do not know which kind of firewall I'm dealing with. The project I'm working on is to be deployed in any company. My advantage is, maybe, that the PPTP connection through the firewall is outbound.

Up until now, I've thought that placing the server behind the firewall was my key to establishing connections to my clients through the firewall. I know the clients' IP addresses, which should make me able to establish the connection. Once the connection is established, it should be kept alive in order to let the clients signal directly to the server (max. latency 3 seconds under normal conditions).

However, this is probably what a hacker would do. That is, sending a small program via email which establishes a connection to some "mother" outside. This leads me to believe that "up to date" firewalls would kill such an outbound connection.
 

Author Comment

by:svj
ID: 2707158
Adjusted points from 200 to 300

 

Expert Comment

by:Vincent_Cheng
ID: 2713224
What you need is a client-based VPN between your router/firewall and the clients coming in from the Internet. For example, if you are using a CheckPoint Firewall-1/VPN-1 firewall, then you need to install SecureRemote on the client PCs. After configuring both ends, you basically establish VPNs between the firewall and the clients using IKE/IPSEC. For more detail, please refer to http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206. The Cisco PIX firewall has the same feature built in. If you have a Cisco router with the IPSEC/3DES/VPN feature, such as the 7100 series, for your company Internet connection, you can establish a client-based VPN between the router and the clients. For detail, visit the Cisco website at http://www.cisco.com.
 
LVL 40

Expert Comment

by:jlevie
ID: 2713828
Seems like I missed an email notification... or two. The proposed answer triggered one but not your last two comments...

If the server inside the firewall is going to always be the one to initiate the connection then there is little risk of subversion of the connection, nor do you have to "tunnel through the firewall". Generally speaking, inside clients can open connections to the outside as desired and on whatever outbound port is wanted. There are situations where outbound ports are restricted for administrative reasons, say to block ICQ or FTP, etc.

Reading between the lines, it sounds like you are going to be creating some unique application and the appropriate client SW that talks to the application. Without knowing more about the service that will run over the PTP link it's hard to say whether you could use port 80 (or better yet 443). Some proxies & firewalls expect any use of those ports to actually look like web traffic and might reject or otherwise have problems passing something that doesn't look like a web stream. Now, if the data stream can follow the same protocol as an SSL encrypted web stream, then it should work just fine.
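To make jlevie's point concrete from the proxy's side, here is an added example (not code from the thread) of the kind of first-bytes check a protocol-aware proxy or firewall applies to a stream on port 80/443: it accepts what parses as a TLS ClientHello or an HTTP request line and flags anything else, such as a raw PPTP control message. The samples are constructed inline; function names are this example's own.

```python
import struct

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the stream opens with a well-formed SSL3/TLS ClientHello record header."""
    # Only the record and handshake headers are checked, so a truncated capture is enough.
    if len(data) < 11:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or major != 3:          # handshake record, SSL3/TLS version
        return False
    if not 4 <= rec_len <= 16384:                   # TLS record length limit
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != 0x01 or hs_len + 4 != rec_len:    # ClientHello filling one record
        return False
    return data[9] == 3                             # client_version major byte

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")

def classify_web_port_stream(first_bytes: bytes) -> str:
    """Label what a proxy would see as the opening bytes of a stream on port 80/443."""
    if looks_like_tls_client_hello(first_bytes):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"   # a protocol-aware proxy would typically refuse to relay this

def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)."""
    body = (b"\x03\x03" + bytes(32)      # client_version + 32-byte random (zeros here)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # cipher_suites: length 2, one suite
            + b"\x01\x00")               # compression_methods: length 1, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples: a ClientHello, an HTTP request, and the header of a PPTP
# Start-Control-Connection-Request (length 156, type 1, magic cookie 0x1A2B3C4D).
SAMPLES = {
    "tls_hello": build_client_hello(),
    "http_get": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "pptp_sccrq": b"\x00\x9c\x00\x01\x1a\x2b\x3c\x4d\x00\x01\x00\x00",
}

def inspect_samples(samples=SAMPLES) -> dict:
    """Classify every sample; the PPTP one comes back 'unknown'."""
    return {name: classify_web_port_stream(data) for name, data in samples.items()}
```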
 

Author Comment

by:svj
ID: 2768205
Sorry for the long silence, but I've attended a conference in New Orleans.

My client is also dedicated hardware. That is, it is not possible to run some out-of-the-box firewall/client VPN. The VPN must be set up between the client and a server residing behind the Firewall.

I'm sorry for the bit by bit information, but my boss would chop off my fingers if I revealed too much about the project.

jlevie's suggestion about SSL might just work. I have to look into that.
 
LVL 2

Accepted Solution

by:
tzanger earned 300 total points
ID: 2826200
Try PoPToP from Moreton Bay. (www.moretonbay.com)

I use it here and it works very well. Works seamlessly with Windows because it uses Microsoft's own VPN client. I have the PoPToP software installed on the firewall along with pppd. It'll give the authenticated user an IP on the internal network and proxyarp for them.

It's not as secure as something like Linux S/WAN (the PoPToP site explains this, it is a problem with Microsoft's VPN implementation, not PoPToP), but it is "good enough" for our travelling sales critters and I believe if you're willing to sacrifice the "plug and go", it is fully securable under Windows.  I use the S/WAN implementation for our office-to-office links because those connections are more or less permanent VPN connections and I don't need to bother with Microsoft.

At any rate, PoPToP will allow authenticated outside users to gain access to the internal network (Windows/Samba shares, access to printers, whatever you allow really) in an encrypted and secure fashion from anywhere in the world.  PoPToP also provides some decent logs.
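As an added illustration of the setup tzanger describes (PoPToP's pptpd on the firewall, with pppd handing the authenticated user an internal address and doing proxy ARP), not configuration from the original post: the two files below also pin authentication to MS-CHAPv2 with 128-bit MPPE, which is what avoids the weaker Microsoft authentication variants the post alludes to. The addresses and DNS server are placeholders for the site's own.

```ini
# /etc/pptpd.conf  (PoPToP / pptpd)
option /etc/ppp/options.pptpd
# placeholder addresses: the firewall's inside address and a pool for VPN users
localip 192.168.1.1
remoteip 192.168.1.200-210

# /etc/ppp/options.pptpd  (pppd options used by pptpd)
name pptpd
# refuse every authentication method weaker than MS-CHAPv2
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# require 128-bit MPPE encryption on the link
require-mppe-128
# answer ARP on the LAN for the remote user's pool address
proxyarp
ms-dns 192.168.1.2
lock
nobsdcomp
novj
novjccomp
nologfd
```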
