mstefani

asked on

How to allow access to LAN without opening ports in firewall

Hi, this is a general question, and I hope it is in the correct area.

I am looking for a software/hardware product that will allow my remote site and some remote users to access my LAN without having to use VPN technology, which requires opening ports in the firewall. I have a basic NAT firewall and wanted to know if there is a product that could send packets past the firewall without opening ports.

Has anyone heard of such an animal?  I am starting to look at UPnP, so any insight into that would be helpful


thanks,

Mike
Les Moore

If that was possible, what good would the firewall be?
You can look at something like www.gotomypc.com
robsonde

A firewall is there to stop things getting in, and you want to let things in.

UPnP is a bad thing because it can/will open ports on your router without you knowing about it.

why is VPN bad??

You could do some reading on port knocking; it's a way of opening a port in an on-demand kind of way.

Hamachi may be another option; it is a VPN that won't need any firewall ports to be opened. I haven't used it, but it gets good reviews.



"wanted to know if there is a product that could send packets past the firewall."

That is exactly what a VPN does.

"without opening ports"

By definition, if the ports aren't open, then the firewall blocks them. What you say you want is like someone saying "I want to be able to walk through the locked door without unlocking it". Doesn't make much sense, does it?
mstefani (ASKER)

Thanks for the input so far.

Clarification: I am thinking of something, like a device, that sits on my remote office LAN, and a device that sits on my local LAN, and they communicate traffic back and forth without having to open a port in the firewall. This would be like a VPN but without having to worry about a hacker intruding on a vulnerability in the firewall. The VPN hardware would be behind the firewall.

Am I just dreaming that anything like this could/does exist?  I am trying to be overly secure with this wan.
If you do not trust your firewall, it does not matter if it has open ports or not.
If you write firewall rules the right way, having them closed or having them open just under the right conditions (you can even use port knocking for EXTRA security) is the very same thing.
A VPN would be the best choice for your scenario.
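Port knocking has now come up twice in the thread (robsonde's suggestion near the top and the "EXTRA security" remark just above). The following Python is an added illustration, not code from the thread or from any real knock daemon: it models the decision a port-knocking daemon makes while watching the firewall's dropped-SYN log. Every service port stays closed; only a source that hits a secret sequence of closed ports, in order and inside a time window, gets the protected port opened for itself, and only for a limited time. The knock sequence, the window, the allow TTL and the iptables-style log lines are all constructed for the example.

```python
"""Port-knock sequence tracker (added example; not from the thread or from any
knock daemon). Models what a knock daemon does with the firewall's
dropped-packet log: service ports stay closed, and a source that hits the
secret sequence of closed ports in order, within the window, gets the real
port opened for itself for a limited time. Sequence, window, TTL and log
lines are constructed for the example."""
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical secret knock
WINDOW = 10.0      # seconds allowed to finish the whole sequence
ALLOW_TTL = 30.0   # seconds the opened port stays reachable for that source

# Pulls the two fields this example needs out of an iptables-style LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*\bDPT=(?P<dpt>\d+)")


class KnockTracker:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW, allow_ttl=ALLOW_TTL):
        self.sequence = tuple(sequence)
        self.window = window
        self.allow_ttl = allow_ttl
        self._progress = {}  # src -> (index of next expected knock, time of first knock)
        self._allowed = {}   # src -> time the temporary allow rule expires

    def observe(self, src, port, now):
        """Feed one dropped SYN (source, destination port, timestamp).

        Returns True when this knock completes the sequence for `src`.
        A wrong port, or running out of the window, discards progress, so a
        scanner sweeping ports in the wrong order never gets anywhere."""
        idx, started = self._progress.get(src, (0, now))
        if now - started > self.window:
            idx, started = 0, now  # too slow: the sequence must start over
        if port != self.sequence[idx]:
            # Wrong knock. If it happens to be the first port, treat it as a fresh start.
            if port == self.sequence[0]:
                self._progress[src] = (1, now)
            else:
                self._progress.pop(src, None)
            return False
        idx += 1
        if idx < len(self.sequence):
            self._progress[src] = (idx, started)
            return False
        self._progress.pop(src, None)
        self._allowed[src] = now + self.allow_ttl
        return True

    def is_allowed(self, src, now):
        """Would the firewall accept `src` on the protected port at time `now`?"""
        expires = self._allowed.get(src)
        if expires is None:
            return False
        if now > expires:
            del self._allowed[src]  # lease expired: port closed again for this source
            return False
        return True


def replay(tracker, entries):
    """Replay (seconds, log line) pairs; return [(src, seconds)] for completed knocks."""
    opened = []
    for t, line in entries:
        m = LOG_RE.search(line)
        if m and tracker.observe(m["src"], int(m["dpt"]), t):
            opened.append((m["src"], t))
    return opened


# Constructed iptables LOG lines; timestamps are given as second offsets.
SAMPLE_LOG = [
    (0.0,  "kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40001 DPT=7000 SYN"),
    (1.2,  "kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40002 DPT=8000 SYN"),
    (2.5,  "kernel: KNOCK: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=40003 DPT=9000 SYN"),
    (3.0,  "kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=5001 DPT=7000 SYN"),
    (3.1,  "kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=5002 DPT=9000 SYN"),  # wrong order
    (3.2,  "kernel: KNOCK: IN=eth0 SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP SPT=5003 DPT=8000 SYN"),
    (20.0, "kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=6001 DPT=7000 SYN"),
    (35.0, "kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=6002 DPT=8000 SYN"),  # window expired
    (36.0, "kernel: KNOCK: IN=eth0 SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=6003 DPT=9000 SYN"),
]


def run_demo():
    tracker = KnockTracker()
    opened = replay(tracker, SAMPLE_LOG)
    return {
        "opened": opened,
        "allowed_at_10s": tracker.is_allowed("203.0.113.5", 10.0),
        "allowed_at_40s": tracker.is_allowed("203.0.113.5", 40.0),  # TTL lapsed
        "scanner_allowed": tracker.is_allowed("198.51.100.77", 10.0),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only 203.0.113.5 completes the knock; the out-of-order scanner and the source that paused too long between knocks never get the port opened, and the lease for 203.0.113.5 lapses on its own. The caveat that belongs with this: the knock sequence travels in the clear, so anyone who can watch the path can replay it. It hides the port from casual scans; it is a layer on top of the VPN's own authentication, not a replacement for it.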
If you put a VPN device behind the firewall, then you still have to open ports through the firewall for the VPN traffic: UDP 500/4500, TCP 11000 and ESP traffic.
The most common scenario today is to terminate the VPN directly on the firewall. Agree with paradoxengine, that if you don't currently trust your firewall to handle this task, its time to look at a new one. Cisco ASA is good enough to be used by the US Department of Defense . . .
You can set up a proxy outside of the firewall in a DMZ.
Having a device on your local LAN and your remote LAN providing a secure communications channel *is* a VPN. If the two devices communicate over TCP/IP, then they will need at least *one* port open to do so. Unless you have they communicate over a dedicated hard line that's completely separate from the Internet, you'll be using a VPN. It's as simple as that.
OK, this is how you can do it, if you REALLY have to.
Let's suppose your firewall allows outbound connections.
Place 2 machines outside the firewalls, at each end. Let them establish a VPN connection. Let's call them VPNFarEndPoint.
Now add another 2 machines, this time INSIDE the firewalled net. Let's call them VPNCloseEndPoint. Let the VPNCloseEndPoint establish a VPN connection with the VPNFarEndPoint. You have VPN without opening any port on your firewall.

ASCII ART:

VPNCEP1 ---> (Firewall1) --> VPNFEP1 ---------------------------> VPNFEP2 <---- (Firewall2) <----- VPNCEP2

Do it with linux virtual machines and you can have it for free.
Take care: it's less secure than opening one single port, since you're leaving the VPNFEPs unshielded.
I like that one, but how do you do a VPN from vpncep1 to vpnfep1 without opening a port?

Mike
ASKER CERTIFIED SOLUTION
robsonde
VPNFEP1 and 2 will be "outside" the firewall.
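The two-endpoint layout sketched earlier and the Hamachi answer accepted here rest on the same fact: the devices inside each LAN only ever make outbound connections, so the stateful NAT firewall lets the replies back in on the state it created itself, and nothing has to listen on an inbound port. The following Python sketch is an added example, not Hamachi's code and not anything posted in the thread. A relay plays the VPNFEP role; two inside endpoints (the VPNCEP role) each connect out to it and present a shared session id, and the relay pairs them and pipes bytes between them. Loopback stands in for the Internet, a fixed 16-byte session id stands in for real authentication, and nothing is encrypted; in practice the VPN itself (TLS, IPsec or similar) would run inside this channel so the relay only ever sees ciphertext.

```python
"""Rendezvous relay on loopback (added example; not from the thread or from
Hamachi). Each inside endpoint makes an OUTBOUND TCP connection to a relay
reachable from both sides; the relay pairs connections by session id and
pipes bytes between them, so neither LAN opens an inbound port. Loopback,
the fixed session id and the absence of encryption are simplifications."""
import asyncio

HOST = "127.0.0.1"
SID_LEN = 16


class Relay:
    """Pairs two outbound connections that present the same session id."""

    def __init__(self):
        self._waiting = {}  # session id -> (reader, writer) parked until its peer arrives
        self.server = None

    async def start(self):
        """Listen on an ephemeral loopback port; return the port number."""
        self.server = await asyncio.start_server(self._handle, HOST, 0)
        return self.server.sockets[0].getsockname()[1]

    async def _handle(self, reader, writer):
        sid = await reader.readexactly(SID_LEN)  # first bytes of every connection
        peer = self._waiting.pop(sid, None)
        if peer is None:
            self._waiting[sid] = (reader, writer)  # first arrival waits for its peer
            return
        peer_reader, peer_writer = peer
        await asyncio.gather(self._pipe(reader, peer_writer),
                             self._pipe(peer_reader, writer))

    @staticmethod
    async def _pipe(src, dst):
        """Copy bytes src -> dst until EOF, then close dst so the far side sees EOF."""
        try:
            while chunk := await src.read(4096):
                dst.write(chunk)
                await dst.drain()
        except (ConnectionError, asyncio.IncompleteReadError):
            pass
        finally:
            dst.close()


async def endpoint(relay_port, sid, payload, expect_len, timeout=2.0):
    """Inside endpoint: connect OUT to the relay, send sid+payload, await the peer's bytes.

    Returns the peer's bytes, or None if nothing arrives within `timeout`
    (the fate of a connection whose session id nobody else presents)."""
    reader, writer = await asyncio.open_connection(HOST, relay_port)
    try:
        writer.write(sid + payload)
        await writer.drain()
        try:
            return await asyncio.wait_for(reader.readexactly(expect_len), timeout)
        except (asyncio.TimeoutError, asyncio.IncompleteReadError):
            return None
    finally:
        writer.close()


async def _demo():
    relay = Relay()
    port = await relay.start()
    sid = b"demo-session-001"  # constructed; 16 bytes
    msg1, msg2 = b"hello from LAN1 ", b"hello from LAN2 "  # constructed; 16 bytes each
    lan1_got, lan2_got = await asyncio.gather(
        endpoint(port, sid, msg1, len(msg2)),
        endpoint(port, sid, msg2, len(msg1)),
    )
    # A third party connecting with a different session id is parked and never
    # receives either LAN's bytes: pairing is by session id, not by arrival order.
    stray = await endpoint(port, b"x" * SID_LEN, b"probe", 1, timeout=0.5)
    relay.server.close()
    return {"lan1_got": lan1_got, "lan2_got": lan2_got, "stray": stray}


def run_demo():
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

The point of the sketch is where the listening socket lives: only the relay calls `start_server`; both LAN endpoints use `open_connection`, which is exactly the outbound traffic a basic NAT firewall already permits. It also makes the earlier caveat concrete: the relay is the exposed, unshielded box, so whoever runs it must be trusted not to pair the wrong parties, which is why the real VPN has to authenticate and encrypt end to end inside this channel rather than trusting the relay.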
Hamachi sounds like the answer.  Thanks robsonde.  I will try it out.