
How to allow access to LAN without opening ports in firewall

mstefani asked
Medium Priority
311 Views
Last Modified: 2013-11-16
Hi,  This is a general question, and I hope it is in the correct area.  

I am looking for a software/hardware product that will allow my remote site and some remote users to access my LAN without having to use VPN technology, which requires opening ports in the firewall.  I have a basic NAT firewall and wanted to know if there is a product that could send packets past the firewall without opening ports.

Has anyone heard of such an animal?  I am starting to look at UPnP, so any insight into that would be helpful


thanks,

Mike

Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
If that was possible, what good would the firewall be?
You can look at something like www.gotomypc.com

Commented:
A firewall is there to stop things getting in, and you want to let things in.

UPnP is a bad thing because it can/will open ports on your router without you knowing about it.

Why is VPN bad?

You could do some reading on port knocking; it's a way of opening a port in an on-demand kind of way.

Hamachi may be another option. It is a VPN that won't need any firewall ports to be opened; I haven't used it, but it gets good reviews.
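Port knocking, as mentioned in the comment above, is really a small per-source state machine: the firewall logs connection attempts to closed ports, and a daemon grants timed access to the protected port only when one source hits the secret ports in the right order within a time window. The block below is an added example, not code from this thread or from any real knock daemon (knockd and friends read the same events from a log or packet capture); it implements only the decision logic. The sequence (7000, 8000, 9000), the 10-second window, the 30-second grant, the protected port 22 and all addresses in the sample trace are constructed for illustration.

```python
"""Port-knock decision logic: a per-source state machine that unlocks a
protected port only after the correct knock sequence arrives in order and
within a time window.  Added example; not from the original thread.

Assumptions (constructed, not from the page): the secret sequence, the
window, the open duration, the protected port and all sample addresses."""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence of closed ports
KNOCK_WINDOW = 10.0                    # seconds allowed to finish the sequence
OPEN_DURATION = 30.0                   # seconds the protected port stays open
PROTECTED_PORT = 22                    # the port the knock unlocks


@dataclass
class _Progress:
    index: int      # how many knocks of the sequence have matched so far
    started: float  # timestamp of the first matching knock


class KnockDaemon:
    """Tracks knock progress per source IP and grants timed access."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_for=OPEN_DURATION, protected_port=PROTECTED_PORT):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.protected_port = protected_port
        self.progress = {}   # src_ip -> _Progress
        self.opened = {}     # src_ip -> expiry timestamp of the grant

    def observe(self, src_ip, dst_port, ts):
        """Feed one inbound connection attempt to a *closed* port (what a real
        knock daemon would read from the firewall log or a packet capture).
        Returns True exactly when this knock completes the sequence."""
        state = self.progress.get(src_ip)
        if state is not None and ts - state.started > self.window:
            state = None                          # too slow: start over
        expected = self.sequence[state.index if state else 0]
        if dst_port != expected:
            # Any out-of-order knock resets progress, so a linear port scan
            # that happens to touch the right ports never completes the
            # sequence.  The wrong knock may itself be a fresh first knock.
            self.progress.pop(src_ip, None)
            if dst_port == self.sequence[0]:
                self.progress[src_ip] = _Progress(index=1, started=ts)
            return False
        if state is None:
            state = _Progress(index=0, started=ts)
        state.index += 1
        self.progress[src_ip] = state
        if state.index == len(self.sequence):
            del self.progress[src_ip]
            self.opened[src_ip] = ts + self.open_for
            return True
        return False

    def is_allowed(self, src_ip, dst_port, ts):
        """Would the firewall accept this packet to the protected port now?"""
        if dst_port != self.protected_port:
            return False
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self.opened[src_ip]                # grant has lapsed: closed again
            return False
        return True


def replay(events, checks, **kwargs):
    """Replay constructed (ts, src_ip, dst_port) knock events and (ts, src_ip)
    access checks in time order; return [(ts, src_ip, allowed), ...]."""
    daemon = KnockDaemon(**kwargs)
    timeline = [(ts, 0, ip, port) for ts, ip, port in events]
    timeline += [(ts, 1, ip, -1) for ts, ip in checks]
    results = []
    for ts, kind, ip, port in sorted(timeline):
        if kind == 0:
            daemon.observe(ip, port, ts)
        else:
            results.append((ts, ip, daemon.is_allowed(ip, daemon.protected_port, ts)))
    return results


# Constructed sample traffic (not real logs): a legitimate admin, a scanner
# sweeping ports in numeric order, and a client that exceeds the window.
SAMPLE_EVENTS = [
    (0.0, "203.0.113.5", 7000), (1.0, "203.0.113.5", 8000), (2.0, "203.0.113.5", 9000),
    *[(p / 1000, "198.51.100.9", p) for p in range(6990, 9010)],   # linear scan
    (0.0, "192.0.2.77", 7000), (20.0, "192.0.2.77", 8000), (21.0, "192.0.2.77", 9000),
]
SAMPLE_CHECKS = [(3.0, "203.0.113.5"), (40.0, "203.0.113.5"),
                 (10.0, "198.51.100.9"), (22.0, "192.0.2.77")]

if __name__ == "__main__":
    for ts, ip, ok in replay(SAMPLE_EVENTS, SAMPLE_CHECKS):
        print(f"t={ts:5.1f} {ip:14s} port {PROTECTED_PORT}: {'ACCEPT' if ok else 'DROP'}")
```

In the sample trace only the admin gets in, and only until the grant expires; the sequential scanner touches all three knock ports but the ports in between reset its progress. Keep the caveat from the thread in mind: the knock sequence travels in the clear, so anyone who can see the traffic can replay it. It filters out opportunistic scans of the protected port; it is not authentication, and the service behind the port still needs its own.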



CERTIFIED EXPERT

Commented:
"wanted to know if there is a product that could send packets past the firewall."

That is exactly what a VPN does.

"without opening ports"

By definition, if the ports aren't open, then the firewall blocks them. What you say you want is like someone saying "I want to be able to walk through the locked door without unlocking it". Doesn't make much sense, does it?

Author

Commented:
Thanks for the input so far.

Clarification:  I am thinking of something, like a device, that sits on my remote office LAN, and a device that sits on my local LAN, and they communicate traffic back and forth without having to open a port in the firewall.  This would be like a VPN but without having to worry about a hacker intruding on a vulnerability in the firewall.  The VPN hardware would be behind the firewall.

Am I just dreaming that anything like this could/does exist?  I am trying to be overly secure with this WAN.
If you do not trust your firewall, it does not matter if it has open ports or not.
If you write firewall rules the right way, having them closed or having them open only under the right conditions (you can even use port knocking for EXTRA security) is the very same thing.
A VPN would be the best choice for your scenario.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
If you put a VPN device behind the firewall, then you still have to open ports through the firewall for the VPN traffic: UDP 500/4500, TCP 11000 and ESP traffic.
The most common scenario today is to terminate the VPN directly on the firewall. Agree with paradoxengine that if you don't currently trust your firewall to handle this task, it's time to look at a new one. Cisco ASA is good enough to be used by the US Department of Defense . . .
CERTIFIED EXPERT

Commented:
You can set up a proxy outside of the firewall in a DMZ.
CERTIFIED EXPERT

Commented:
Having a device on your local LAN and your remote LAN providing a secure communications channel *is* a VPN. If the two devices communicate over TCP/IP, then they will need at least *one* port open to do so. Unless you have them communicate over a dedicated hard line that's completely separate from the Internet, you'll be using a VPN. It's as simple as that.
Ok, this is how you can do it, if you REALLY have to.
Let's suppose your firewall allows outbound connections.
Place 2 machines outside the firewalls, at each end. Let them establish a VPN connection.  Let's call them VPNFarEndPoint.
Now add another 2 machines, this time INSIDE the firewalled net. Let's call them VPNCloseEndPoint. Let the VPNCloseEndPoint establish a VPN connection with the VPNFarEndPoint. You have VPN without opening any port on your firewall.

ASCII ART:

VPNCEP1 ---> (Firewall1) --> VPNFEP1 ---------------------------> VPNFEP2 <---- (Firewall2) <----- VPNCEP2

Do it with Linux virtual machines and you can have it for free.
Take care: it's less secure than opening one single port, since you're leaving the VPNFEPs unshielded.
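The trick in the layout above, and the reason products like Hamachi can claim "no ports to open", rests on one property of the NAT firewall: it is stateful. When VPNCEP1 initiates a connection outwards, the firewall records the flow and accepts only the matching reply packets; nothing else from the Internet gets through. The block below is an added example, not code from this thread or from any firewall product: a toy stateful packet filter with a conntrack table, run over a constructed trace in which an inside host brings up an IKE/NAT-T (UDP 4500) session to an outside peer. The addresses, ports, timeouts and the outbound policy are assumptions; NAT address rewriting is left out because only the state table matters for the argument.

```python
"""Toy stateful packet filter: default-deny inbound, outbound allowed by policy,
replies allowed by connection state.  Added example, not from the thread.
Addresses, ports and timeouts below are constructed; NAT rewriting is omitted."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."      # assumed LAN range
UDP_TIMEOUT = 30.0             # seconds an idle UDP flow stays in the table
TCP_TIMEOUT = 3600.0           # seconds an idle TCP flow stays in the table


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Remembers flows the inside initiated and lets only their replies in."""

    def __init__(self, outbound_policy):
        # (proto, dst_port) pairs that inside hosts may initiate to the Internet
        self.outbound_policy = set(outbound_policy)
        # reply-direction 5-tuple -> timestamp the flow was last seen
        self.conntrack = {}

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    @staticmethod
    def _timeout(proto):
        return TCP_TIMEOUT if proto == "tcp" else UDP_TIMEOUT

    def filter(self, p):
        key = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        # Traffic in either direction of a known, still-fresh flow is accepted
        # and refreshes the entry; an idle entry is forgotten instead.
        for k in (key, reverse):
            seen = self.conntrack.get(k)
            if seen is None:
                continue
            if p.ts - seen <= self._timeout(p.proto):
                self.conntrack[k] = p.ts
                return "ACCEPT"
            del self.conntrack[k]
        # New flow: only the inside may initiate, and only to policy ports.
        if (self._inside(p.src_ip) and not self._inside(p.dst_ip)
                and (p.proto, p.dst_port) in self.outbound_policy):
            self.conntrack[reverse] = p.ts      # remember what a reply looks like
            return "ACCEPT"
        return "DROP"


def vpn_scenario():
    """Constructed trace: CEP1 (inside) brings up NAT-T to FEP1 (outside).
    Returns the firewall's verdict for each packet, in order."""
    fw = StatefulFirewall({("udp", 500), ("udp", 4500), ("tcp", 443)})
    cep1, fep1, stranger = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    trace = [
        Packet(0.0, "udp", cep1, 4500, fep1, 4500),      # inside initiates NAT-T
        Packet(0.1, "udp", fep1, 4500, cep1, 4500),      # peer's reply matches state
        Packet(0.2, "udp", stranger, 4500, cep1, 4500),  # unsolicited: no state
        Packet(0.3, "udp", fep1, 500, cep1, 4500),       # right peer, wrong source port
        Packet(5.0, "tcp", cep1, 51000, fep1, 22),       # outbound port not in policy
        Packet(45.0, "udp", fep1, 4500, cep1, 4500),     # reply after UDP idle timeout
        Packet(45.1, "udp", cep1, 4500, fep1, 4500),     # keepalive re-creates state
        Packet(45.2, "udp", fep1, 4500, cep1, 4500),     # reply accepted again
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in vpn_scenario():
        print(verdict)
```

Two things in the trace are worth noticing. The sixth packet is dropped even though it comes from the real peer, because the UDP entry aged out; that is why NAT-T and VPN clients send keepalives on the tunnel port. And the "no open ports" property says nothing about what travels inside the tunnel once it is up: the tunnel endpoint and everything reachable through it are still exposed to the remote side, which is the point the earlier comments make about trusting the firewall either way.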

Author

Commented:
I like that one, but how do you do a VPN from VPNCEP1 to VPNFEP1 without opening a port?

Mike
Commented:
Hamachi

VPNFEP1 and 2 will be "outside" the firewall.

Author

Commented:
Hamachi sounds like the answer.  Thanks robsonde.  I will try it out.