Solved

NAT Translation Or VPN ?

Posted on 2004-09-25
470 Views
Last Modified: 2010-04-10
Help,

I work for a small company that has several servers behind a firewall and several clients that access these servers through the firewall using one-to-one NAT translation and access by IP address. The firewall is a SonicWall Pro 200 and the clients either come in as telnet sessions or access a Citrix server, therefore only the assigned port is allowed for each client (either port 23 or 1545 or whatever), and the client is directed by NAT to the server they are assigned to use in the firewall. My question is this: I need to know if this is a secure way of dealing with clients accessing our network or if we should be looking at a VPN server and client solution. I don't know anything about VPN, and if it is a better solution could you recommend VPN software that is reliable and secure but also easy to set up...


Thanks
Eric

Pick Programmer (Not Network Tech)
Question by: eenderle
12 Comments

Expert Comment by: scampgb (LVL 15)
Hi eenderle,

The benefits of VPNs over simply opening ports is that the data can be encrypted.

As you're running Citrix, you can use that to encrypt the traffic anyway - but you can't do that over telnet.

To correctly answer your question, we'll need a bit more information.
The easiest method is what you've already got set up, but if you want a more secure system then VPNs are the way to go.

How to tackle that will depend on your clients.  How many have you got, what do they need to do, what are their technical limitations?

I'll take a look at the Sonicwall 200 specs and see if I can suggest anything.

Expert Comment by: scampgb (LVL 15)
I've looked at the specs of the Sonicwall Pro 230 (nearest thing I can find on their website) - http://www.sonicwall.com/products/pro230.html#specs
This says that it can support up to 10 VPN clients itself.

Author Comment by: eenderle
Scampgb,

Without going into too much detail, currently we have 90+ clients accessing our network. I would say about 75 of those are the telnet users and 15 are Citrix users. The telnet clients are employees of cities who have very little or no technical experience but have access to a network technician of varying degrees of experience at their location; the Citrix clients are a little more experienced (not much) and have better, more experienced tech support at their location. Also we do have several people who access systems using the above setup (IP & NAT) using pcAnywhere...



Eric.

Author Comment by: eenderle
Scampgb,

I have looked at the SonicWall setups and there are screens about setting up users and access, but am confused about whether we should use that or get a server and set up clients. I don't understand how to set up VPN on a SonicWall, because then what do you give the client that allows him to access the network? Sorry if I am confusing you, but I thought VPN required both a client and a server and with the firewall all I see is hardware.....

Accepted Solution by: scampgb (LVL 15, earned 250 total points)
Based on what you've said, my feeling is to carry on with the NAT setup.
As you've got so many external users in a variety of systems, you want to make it as easy as possible for them to connect.

I don't know what the system people are telnetting into is, but you should change that from telnet to SSH if possible.
Most unix varieties now support this.

SSH is a secure replacement for telnet.  The data travelling over an SSH session is encrypted.
You can find out more at http://www.openssh.com/
I use "putty" for remote administration - http://www.chiark.greenend.org.uk/~sgtatham/putty/

In essence, I suggest:
Ensure that encryption is turned on for ICA sessions on your Citrix server
Install and configure SSH on your server(s)
Turn off telnet
Configure your firewall/router to only allow inbound traffic on ports 22 (SSH) and 1494 (ICA)
Ask all of your "telnet" users to move over to using SSH instead

Does that help?

Expert Comment by: scampgb (LVL 15)
eenderle: To answer your Sonicwall question.  You're right, VPNs have a client and a server.
In the case I was mentioning, the Sonicwall would be the server.  I don't know what type(s) of clients it can support, but this could be a piece of hardware or some software on the end-user's PC.

Let me know if you want a further explanation of this.

Author Comment by: eenderle
Scampgb,

I agree that switching to SSH would be better, but the system that provides the telnet access is a proprietary operating system (non-Windows, Unix or Linux) and only provides the telnet service (no other services are running or available); it, however, does not have SSH, so that would not be a possibility (that I know of). If you think what we are doing is secure enough, then I will stick with it; I just thought maybe I was missing something that VPN could provide. As for PuTTY, I will check it out; they (the offsite techs) right now use pcAnywhere to handle software on certain systems...



Eric.

Author Comment by: eenderle
Scampgb,

Just saw that PuTTY was a telnet client, not a remote access program; unable to use since the system is not Windows, Linux, Unix... etc... Thanks...

Expert Comment by: scampgb (LVL 15)
The setup you've got at the moment is by no means ideal, but I don't think moving wholesale into using VPNs is practical.  You're going to have problems with the technical setups at all your client sites.

I've not tested it, but you could try setting up an intermediate Linux/unix box.

Users SSH into Linux box, which then telnets to your proprietary box.  The Internet-based traffic would then be encrypted.
It would take some playing about with to make work though!

Another thing you might want to consider is restricting the IPs that users are allowed to connect from.  If you know the IP addresses (or ranges) that your users connect from you could configure a firewall to only accept connections from there.

That's the best I can come up with at the moment....
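
Added example, not from the thread: a Python audit that encodes the per-site "IP -> server -> port" pass-through rules the question describes (the NAT rules the accepted solution suggests tightening to the assigned ports, and the source-IP restriction in the previous comment) and checks a firewall connection log against them. Everything in it is constructed for illustration: the RFC 5737 addresses, the key=value log shape (not SonicWall's real log format) and the rule set itself. It reports allowed connections that no rule covers, clients that reached a server or port other than their assigned one, and permitted sessions still riding plaintext telnet, which is the exposure the SSH and VPN suggestions are meant to close.

```python
"""Audit one-to-one NAT pass-through rules against a firewall connection log.

Example added to the thread; the rule set, addresses and log format below
are all constructed and stand in for a real SonicWall configuration/log.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports whose payload is unencrypted by protocol design. ICA (1494) is left
# out: whether it is encrypted depends on the Citrix server's settings,
# which a firewall log cannot show.
PLAINTEXT_PORTS = {23: "telnet"}


@dataclass(frozen=True)
class Rule:
    """One NAT pass-through: remote network -> internal server:port."""
    site: str
    src_net: ipaddress.IPv4Network
    server: ipaddress.IPv4Address
    port: int


# Constructed allow list using RFC 5737 documentation addresses.
RULES = [
    Rule("city-a", ipaddress.ip_network("198.51.100.0/28"),
         ipaddress.ip_address("10.0.0.10"), 23),
    Rule("city-b", ipaddress.ip_network("203.0.113.7/32"),
         ipaddress.ip_address("10.0.0.10"), 23),
    Rule("citrix-site", ipaddress.ip_network("192.0.2.0/29"),
         ipaddress.ip_address("10.0.0.20"), 1494),
]

# Constructed log extract in a generic key=value shape.
SAMPLE_LOG = """\
2004-09-25 09:00:01 src=198.51.100.5 dst=10.0.0.10 dport=23 action=allow
2004-09-25 09:00:07 src=192.0.2.3 dst=10.0.0.20 dport=1494 action=allow
2004-09-25 09:01:15 src=203.0.113.7 dst=10.0.0.20 dport=1494 action=allow
2004-09-25 09:02:40 src=192.0.2.99 dst=10.0.0.10 dport=23 action=deny
2004-09-25 09:03:02 src=192.0.2.99 dst=10.0.0.10 dport=23 action=allow
this line is not a connection record
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


@dataclass(frozen=True)
class Finding:
    kind: str    # "unknown-source", "off-policy" or "plaintext"
    line: str
    detail: str


def parse_line(line):
    """Return (src, dst, dport, action) or None if the line is not a record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            int(m["dport"]), m["action"])


def audit(log_text, rules=RULES):
    """Compare every *allowed* connection against the NAT allow list."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue                       # not a connection record
        src, dst, dport, action = parsed
        if action != "allow":
            continue                       # a deny is the firewall doing its job
        candidates = [r for r in rules if src in r.src_net]
        if not candidates:
            findings.append(Finding("unknown-source", raw,
                f"{src} was allowed to {dst}:{dport} but no rule covers it"))
            continue
        hit = next((r for r in candidates
                    if r.server == dst and r.port == dport), None)
        if hit is None:
            sites = ",".join(r.site for r in candidates)
            findings.append(Finding("off-policy", raw,
                f"{src} ({sites}) reached {dst}:{dport}, not its assigned server/port"))
            continue
        if dport in PLAINTEXT_PORTS:
            findings.append(Finding("plaintext", raw,
                f"{hit.site} session on {PLAINTEXT_PORTS[dport]} crosses the Internet unencrypted"))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(summarize(results))
```

On the sample extract the first allowed city-a session is flagged as plaintext, city-b is flagged for reaching the Citrix server it is not assigned to, and the allowed connection from 192.0.2.99 is flagged as an unknown source; the denied attempt from the same address and the malformed line produce nothing. An "off-policy" or "unknown-source" hit on an *allowed* connection points at a gap in the firewall's NAT/access rules rather than at the client.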
 
Expert Comment by: scampgb (LVL 15)
Thanks for the "A".  Glad I could help :-)

Putty is a terminal client - it can do telnet and SSH (and rlogin!)
If you were to move to using SSH to replace telnet, then it would be a useful client.  Not much use otherwise!

Author Comment by: eenderle
Scampgb,

We already restrict access by the clients' IP addresses, otherwise we would be wide open to the public. We use their IP address and point it to a server and a port and restrict them to that, so I guess we're OK for now.... Thanks for the help....

Eric.

Expert Comment by: scampgb (LVL 15)
Pleasure :-)

Sounds like you've got it well covered!