  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 499

NAT Translation Or VPN ?

Help,
I work for a small company that has several servers behind a firewall and several clients that access these servers through the firewall using one-to-one NAT translation and access by IP address. The firewall is a SonicWall Pro 200 and the clients either come in as telnet sessions or access a Citrix server, therefore only the assigned port is allowed for each client (either port 23 or 1545 or whatever), and the client is directed by NAT to the server they are assigned to use in the firewall. My question is this: I need to know if this is a secure way of dealing with clients accessing our network or if we should be looking at a VPN server and client solution. I don't know anything about VPN, and if it is a better solution could you recommend VPN software that is reliable and secure but also easy to set up...


Thanks
Eric

Pick Programmer (Not Network Tech)
0
Asked by eenderle
1 Solution
scampgb commented:
Hi eenderle,

The benefits of VPNs over simply opening ports is that the data can be encrypted.

As you're running Citrix, you can use that to encrypt the traffic anyway - but you can't do that over telnet.

To correctly answer your question, we'll need a bit more information.
The easiest method is what you've already got set up, but if you want a more secure system then VPNs are the way to go.

How to tackle that will depend on your clients.  How many have you got, what do they need to do, what are their technical limitations?

I'll take a look at the Sonicwall 200 specs and see if I can suggest anything.
0
scampgb commented:
I've looked at the specs of the Sonicwall Pro 230 (nearest thing I can find on their website) - http://www.sonicwall.com/products/pro230.html#specs
This says that it can support up to 10 VPN clients itself.
0
eenderle (author) commented:
Scampgb
Without going into too much detail, currently we have 90+ clients accessing our network. I would say about 75 of those are the telnet users and 15 are Citrix users. The telnet clients are employees of cities who have very little or no technical experience but have access to a network technician of varying degrees of experience at their location; the Citrix clients are a little more experienced (not much) and have better, more experienced tech support at their location. Also we do have several people who access systems using the above setup (IP & NAT) using pcAnywhere...
Eric.
0
eenderle (author) commented:
Scampgb
I have looked at the SonicWall setups and there are screens about setting up users and access but am confused about whether we should use that or get a server and set up clients. I don't understand how to set up VPN on a SonicWall because then what do you give the client that allows him to access the network? Sorry if I am confusing you, but I thought VPN required both a client and a server and with the firewall all I see is hardware.....
0
scampgb commented:
Based on what you've said, my feeling is to carry on with the NAT setup.
As you've got so many external users in a variety of systems, you want to make it as easy as possible for them to connect.

I don't know what the system people are telnetting into is, but you should change that from telnet to SSH if possible.
Most unix varieties now support this.

SSH is a secure replacement for telnet.  The data travelling over an SSH session is encrypted.
You can find out more at http://www.openssh.com/
I use "putty" for remote administration - http://www.chiark.greenend.org.uk/~sgtatham/putty/

In essence, I suggest:
Ensure that encryption is turned on for ICA sessions on your Citrix server
Install and configure SSH on your server(s)
Turn off telnet
Configure your firewall/router to only allow inbound traffic on ports 22 (SSH) and 1494 (ICA)
Ask all of your "telnet" users to move over to using SSH instead

Does that help?
0
scampgb commented:
eenderle: To answer your Sonicwall question.  You're right, VPNs have a client and a server.
In the case I was mentioning, the Sonicwall would be the server.  I don't know what type(s) of clients it can support, but this could be a piece of hardware or some software on the end-user's PC.

Let me know if you want a further explanation of this.
0
eenderle (author) commented:
Scampgb,
I agree that switching to SSH would be better, but the system that provides the telnet access is a proprietary operating system (not Windows or Unix or Linux) and only provides the telnet service (no other services are running or available). It does not have SSH, so that would not be a possibility (that I know of). If you think what we are doing is secure enough, then I will stick with it; I just thought maybe I was missing something that VPN could provide. As for PuTTY, I will check it out; they (the offsite techs) right now use pcAnywhere to handle software on certain systems...
Eric.
0
eenderle (author) commented:
Scampgb,
Just saw that PuTTY was a telnet client, not a remote access program; unable to use since the system is not Windows, Linux, Unix... etc... thanks...
0
scampgb commented:
The setup you've got at the moment is by no means ideal, but I don't think moving wholesale into using VPNs is practical.  You're going to have problems with the technical setups at all your client sites.

I've not tested it, but you could try setting up an intermediate Linux/unix box.

Users SSH into Linux box, which then telnets to your proprietary box.  The Internet-based traffic would then be encrypted.
It would take some playing about with to make work though!

Another thing you might want to consider is restricting the IPs that users are allowed to connect from.  If you know the IP addresses (or ranges) that your users connect from you could configure a firewall to only accept connections from there.

That's the best I can come up with at the moment....
0
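As an added example (not from this thread or from SonicWall/OpenSSH documentation), the script below prints the two pieces of the intermediate-box idea above: an OpenSSH `Match` block that drops members of a group straight into a telnet session to the internal host and nothing else (no shell, no port forwarding), and iptables rules that accept SSH only from the client ranges already allowlisted, while dropping Internet-facing telnet. The host name, group name, telnet path and address ranges are assumed; the telnet hop is still cleartext, but only on the internal network.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Assumed values:
INTERNAL_HOST="telnet-host.internal"   # the proprietary box that only speaks telnet
JUMP_GROUP="telnetusers"              # POSIX group for the remote telnet users
TELNET_BIN="/usr/bin/telnet"          # telnet client path on the jump box

# sshd_config fragment: group members get an interactive telnet session to the
# internal host and cannot open a shell, forward ports or tunnel anything.
gen_sshd_match() {
  cat <<EOF
Match Group $JUMP_GROUP
    ForceCommand $TELNET_BIN $INTERNAL_HOST
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# iptables rules: SSH accepted only from the given CIDRs (one ACCEPT per range),
# everything else to 22 dropped, and telnet (23) never exposed to the Internet.
gen_firewall_rules() {
  for cidr in "$@"; do
    echo "iptables -A INPUT -p tcp --dport 22 -s $cidr -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
  echo "iptables -A INPUT -p tcp --dport 23 -j DROP"
}

# Sanity check helper: number of ACCEPT rules must equal the number of ranges.
count_accepts() { gen_firewall_rules "$@" | grep -c ' -j ACCEPT'; }

# Example run with constructed client ranges (documentation addresses).
gen_sshd_match
gen_firewall_rules 192.0.2.0/24 198.51.100.7/32
```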
scampgb commented:
Thanks for the "A".  Glad I could help :-)

Putty is a terminal client - it can do telnet and SSH (and rlogin!)
If you were to move to using SSH to replace telnet, then it would be a useful client.  Not much use otherwise!
0
eenderle (author) commented:
Scampgb
We already restrict access by the clients' IP addresses, otherwise we would be wide open to the public. We use their IP address and point it to a server and a port and restrict them to that, so I guess we're OK for now.... thanks for the help....

Eric.
0
scampgb commented:
Pleasure :-)

Sounds like you've got it well covered!
0
