Solved

NAT Translation Or VPN ?

Posted on 2004-09-25
Last Modified: 2010-04-10
Help,
I work for a small company that has several servers behind a firewall and several clients that access these servers through the firewall using one-to-one NAT translation and access by IP address. The firewall is a SonicWall Pro 200, and the clients either come in as telnet sessions or access a Citrix server, therefore only the assigned port is allowed for each client (either port 23 or 1545 or whatever), and the client is directed by NAT to the server they are assigned to use in the firewall. My question is this: I need to know if this is a secure way of dealing with clients accessing our network, or if we should be looking at a VPN server and client solution. I don't know anything about VPN, and if it is a better solution, could you recommend VPN software that is reliable and secure but also easy to set up...


Thanks
Eric

Pick Programmer (Not Network Tech)
0
Question by:eenderle
12 Comments
 
LVL 15

Expert Comment

by:scampgb
ID: 12150674
Hi eenderle,

The benefits of VPNs over simply opening ports is that the data can be encrypted.

As you're running Citrix, you can use that to encrypt the traffic anyway - but you can't do that over telnet.

To correctly answer your question, we'll need a bit more information.
The easiest method is what you've already got set up, but if you want a more secure system then VPNs are the way to go.

How to tackle that will depend on your clients.  How many have you got, what do they need to do, what are their technical limitations?

I'll take a look at the Sonicwall 200 specs and see if I can suggest anything.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12150696
I've looked at the specs of the Sonicwall Pro 230 (nearest thing I can find on their website) - http://www.sonicwall.com/products/pro230.html#specs
This says that it can support up to 10 VPN clients itself.
0
 

Author Comment

by:eenderle
ID: 12150838
Scampgb
Without going into too much detail, currently we have 90+ clients accessing our network. I would say about 75 of those are the telnet users and 15 are Citrix users. The telnet clients are employees of cities who have very little or no technical experience but have access to a network technician of varying degrees of experience at their location; the Citrix clients are a little more experienced (not much) and have better, more experienced tech support at their location. Also, we do have several people who access systems using the above setup (IP & NAT) using pcAnywhere...



Eric.
0
 

Author Comment

by:eenderle
ID: 12150858
Scampgb
I have looked at the SonicWall setups and there are screens about setting up users and access, but I am confused about whether we should use that or get a server and set up clients. I don't understand how to set up VPN on a SonicWall, because then what do you give the client that allows him to access the network? Sorry if I am confusing you, but I thought VPN required both a client and a server, and with the firewall all I see is hardware.....
0
 
LVL 15

Accepted Solution

by:scampgb (earned 1000 total points)
ID: 12150879
Based on what you've said, my feeling is to carry on with the NAT setup.
As you've got so many external users in a variety of systems, you want to make it as easy as possible for them to connect.

I don't know what the system people are telnetting into is, but you should change that from telnet to SSH if possible.
Most unix varieties now support this.

SSH is a secure replacement for telnet.  The data travelling over an SSH session is encrypted.
You can find out more at http://www.openssh.com/
I use "PuTTY" for remote administration - http://www.chiark.greenend.org.uk/~sgtatham/putty/

In essence, I suggest:
Ensure that encryption is turned on for ICA sessions on your Citrix server
Install and configure SSH on your server(s)
Turn off telnet
Configure your firewall/router to only allow inbound traffic on ports 22 (SSH) and 1494 (ICA)
Ask all of your "telnet" users to move over to using SSH instead

Does that help?
0
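The policy scampgb lays out in the accepted answer (one source IP per client, one internal server, one port, 22 for SSH and 1494 for ICA, nothing else inbound) is configured through the SonicWall's own screens in the original poster's case. The script below is an added example, not from the thread and not SonicWall configuration: it expresses the same per-client policy as a Linux iptables ruleset in iptables-restore(8) format, generated from a small client table, so the resulting rules can be read and checked before anything is applied. Every address, client name and interface name in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): the per-client NAT policy
# described above, rendered as Linux netfilter rules instead of SonicWall
# screens. Each remote site is pinned to one public source IP, one internal
# server and one TCP port (22 = SSH, 1494 = Citrix ICA). Everything else
# arriving from the Internet is dropped. All addresses are constructed.

# Constructed client table: "<client> <client-public-ip> <internal-server> <port>"
CLIENTS='
cityA  198.51.100.10  192.168.10.5   22
cityB  198.51.100.22  192.168.10.5   22
clinic 203.0.113.40   192.168.10.20  1494
'

WAN_IF=eth0                # Internet-facing interface (assumed)
FW_PUBLIC_IP=192.0.2.1     # public address the clients connect to (constructed)

# gen_rules prints an iptables-restore(8) ruleset on stdout; it applies nothing.
gen_rules() {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # One DNAT rule per client: only from that client's IP, only to its port.
    echo "$CLIENTS" | while read -r name src dst port; do
        if [ -z "$name" ]; then continue; fi
        echo "-A PREROUTING -i $WAN_IF -s $src/32 -d $FW_PUBLIC_IP/32 -p tcp --dport $port -j DNAT --to-destination $dst:$port"
    done
    echo 'COMMIT'

    echo '*filter'
    # Default-deny: an address that is not in the table gets nothing.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Only the translated client -> server -> port triple may open a connection.
    echo "$CLIENTS" | while read -r name src dst port; do
        if [ -z "$name" ]; then continue; fi
        echo "-A FORWARD -i $WAN_IF -s $src/32 -d $dst/32 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Belt and braces once the telnet users have moved to SSH: never forward
    # cleartext telnet in from the Internet, even if a NAT rule is added later.
    echo "-A FORWARD -i $WAN_IF -p tcp --dport 23 -j DROP"
    echo 'COMMIT'
}

# count_rules_for <client-public-ip>: number of generated rules that match on
# that source address (one DNAT rule plus one FORWARD rule per client).
count_rules_for() {
    gen_rules | grep -c -- "-s $1/32"
}

# To load on a Linux firewall: gen_rules | iptables-restore
# This script only prints, so it is safe to run anywhere:
gen_rules
```

Reading the generated ruleset is the check a practitioner wants here: each public IP should appear exactly twice (once in nat, once in filter), no DNAT line should point at port 23, and the FORWARD policy should be DROP so a client that is removed from the table loses access without a separate deny rule.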
 
LVL 15

Expert Comment

by:scampgb
ID: 12150889
eenderle: To answer your Sonicwall question.  You're right, VPNs have a client and a server.
In the case I was mentioning, the Sonicwall would be the server.  I don't know what type(s) of clients it can support, but this could be a piece of hardware or some software on the end-user's PC.

Let me know if you want a further explanation of this.
0
 

Author Comment

by:eenderle
ID: 12150947
Scampgb,
I agree that switching to SSH would be better, but the system that provides the telnet access is a proprietary operating system (non-Windows, Unix or Linux) and only provides the telnet service (no other services are running or available); it does not have SSH, so that would not be a possibility (that I know of). If you think what we are doing is secure enough, then I will stick with it; I just thought maybe I was missing something that VPN could provide. As for PuTTY, I will check it out; they (the offsite techs) right now use pcAnywhere to handle software on certain systems...



Eric.



 
0
 

Author Comment

by:eenderle
ID: 12150957
Scampgb,
Just saw that PuTTY was a telnet client, not a remote access program; unable to use since the system is not Windows, Linux, Unix... etc... thanks...
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12150969
The setup you've got at the moment is by no means ideal, but I don't think moving wholesale into using VPNs is practical.  You're going to have problems with the technical setups at all your client sites.

I've not tested it, but you could try setting up an intermediate Linux/unix box.

Users SSH into Linux box, which then telnets to your proprietary box.  The Internet-based traffic would then be encrypted.
It would take some playing about with to make work though!

Another thing you might want to consider is restricting the IPs that users are allowed to connect from.  If you know the IP addresses (or ranges) that your users connect from you could configure a firewall to only accept connections from there.

That's the best I can come up with at the moment....
0
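The "intermediate Linux box" scampgb sketches above (users SSH into a Linux host, which telnets onward to the proprietary system on the LAN, so that only the LAN leg is cleartext) can be built without giving the remote users a shell at all. The script below is an added example, not from the thread: it is an sshd ForceCommand wrapper that looks up the logged-in SSH user in a table and execs telnet to that user's assigned host, refusing arbitrary commands. The sshd_config fragment in the comment, the table, the host names and addresses are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the SSH-to-telnet gateway described
# above, as an sshd ForceCommand wrapper. Remote users SSH to this Linux box
# over the Internet (encrypted); sshd runs this script instead of a login
# shell, and the script opens a telnet session on the internal LAN to the one
# host that user is assigned to. Users, hosts and addresses are constructed.
#
# Assumed sshd_config on the gateway (an assumption, not from the thread):
#   Match Group telnetusers
#       ForceCommand /usr/local/sbin/telnet-gateway run
#       PermitTTY yes
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
# Forwarding is switched off so the gateway cannot be used as a pivot to
# anything other than the assigned telnet target.

# Constructed map: SSH login name -> internal host:port of the telnet service.
MAP='
cityA   10.0.0.5:23
cityB   10.0.0.5:23
clinic  10.0.0.9:23
'

# backend_for <user>: prints "host port" for an assigned user,
# exits 1 (printing nothing) for a user with no entry.
backend_for() {
    echo "$MAP" | awk -v u="$1" '
        $1 == u { split($2, hp, ":"); print hp[1], hp[2]; found = 1 }
        END     { exit !found }'
}

# gateway_main: what sshd runs for an interactive login. Never returns on success.
gateway_main() {
    user=$(id -un)
    # "ssh gateway somecommand" sets SSH_ORIGINAL_COMMAND; refuse it, only an
    # interactive telnet session is allowed through this account.
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        echo "commands are not permitted on this gateway" >&2
        exit 1
    fi
    if ! target=$(backend_for "$user"); then
        echo "no telnet target assigned to $user" >&2
        exit 1
    fi
    set -- $target
    # Audit trail: who came from where and which internal host they reached.
    logger -t telnet-gateway "user=$user from=${SSH_CONNECTION%% *} target=$1:$2"
    # Replace this script with telnet; when the telnet session ends, so does the SSH session.
    exec telnet "$1" "$2"
}

# Only act when invoked by sshd with the explicit "run" argument, so the
# functions above can be sourced or tested without opening a session.
if [ "$1" = run ]; then
    gateway_main
fi
```

The lookup keys on the SSH login name, so the per-client pinning the original poster already has by IP is preserved (each account reaches exactly one internal host), and the remote user's client is any SSH terminal such as PuTTY, which the thread has already mentioned. The telnet leg still runs in the clear, but only across the internal LAN.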
 
LVL 15

Expert Comment

by:scampgb
ID: 12150992
Thanks for the "A".  Glad I could help :-)

PuTTY is a terminal client - it can do telnet and SSH (and rlogin!)
If you were to move to using SSH to replace telnet, then it would be a useful client.  Not much use otherwise!
0
 

Author Comment

by:eenderle
ID: 12151095
Scampgb
We already restrict access by the clients' IP addresses, otherwise we would be wide open to the public. We use their IP address and point it to a server and a port and restrict them to that, so I guess we're OK for now.... thanks for the help....

Eric.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12151115
Pleasure :-)

Sounds like you've got it well covered!
0
