Solved

How to allow access to LAN without opening ports in firewall

Posted on 2006-10-19
Last Modified: 2013-11-16
Hi, this is a general question, and I hope it is in the correct area.

I am looking for a software/hardware product that will allow my remote site and some remote users to access my LAN without having to use VPN technology, which requires opening ports in the firewall. I have a basic NAT firewall and wanted to know if there is a product that could send packets past the firewall without opening ports.

Has anyone heard of such an animal? I am starting to look at UPnP, so any insight into that would be helpful.

Thanks,

Mike
Question by: mstefani
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17771029
If that was possible, what good would the firewall be?
You can look at something like www.gotomypc.com
LVL 2

Expert Comment

by:robsonde
ID: 17771034
A firewall is there to stop things getting in, and you want to let things in.

UPnP is a bad thing because it can/will open ports on your router without you knowing about it.

Why is VPN bad?

You could do some reading on port knocking; it's a way of opening a port in an on-demand kind of way.

Hamachi may be another option. It's a VPN that won't need any firewall ports to be opened. I haven't used it, but it gets good reviews.
LVL 34

Expert Comment

by:PsiCop
ID: 17771165
"wanted to know if there is a product that could send packets past the firewall."

That is exactly what a VPN does.

"without opening ports"

By definition, if the ports aren't open, then the firewall blocks them. What you say you want is like someone saying "I want to be able to walk through the locked door without unlocking it". Doesn't make much sense, does it?

Author Comment

by:mstefani
ID: 17774425
Thanks for the input so far.

Clarification: I am thinking of something, like a device, that sits on my remote office LAN, and a device that sits on my local LAN, and they communicate traffic back and forth without having to open a port in the firewall. This would be like a VPN but without having to worry about a hacker intruding on a vulnerability in the firewall. The VPN hardware would be behind the firewall.

Am I just dreaming that anything like this could/does exist? I am trying to be overly secure with this WAN.
LVL 9

Expert Comment

by:paradoxengine
ID: 17774815
If you do not trust your firewall, it does not matter if it has open ports or not.
If you write fw rules the right way, having them closed or having them open just under the right conditions (you can even use port knocking for EXTRA security) is the very same thing.
A VPN would be the best choice for your scenario.
LVL 79

Expert Comment

by:lrmoore
ID: 17774836
If you put a VPN device behind the firewall, then you still have to open ports through the firewall for the VPN traffic: UDP 500/4500, TCP 11000, and ESP traffic.
The most common scenario today is to terminate the VPN directly on the firewall. I agree with paradoxengine that if you don't currently trust your firewall to handle this task, it's time to look at a new one. Cisco ASA is good enough to be used by the US Department of Defense . . .
LVL 30

Expert Comment

by:pgm554
ID: 17777971
You can set up a proxy outside of the firewall in a DMZ.
LVL 34

Expert Comment

by:PsiCop
ID: 17778330
Having a device on your local LAN and your remote LAN providing a secure communications channel *is* a VPN. If the two devices communicate over TCP/IP, then they will need at least *one* port open to do so. Unless you have them communicate over a dedicated hard line that's completely separate from the Internet, you'll be using a VPN. It's as simple as that.
LVL 9

Expert Comment

by:paradoxengine
ID: 17779284
OK, this is how you can do it, if you REALLY have to.
Let's suppose your firewall allows outbound connections.
Place 2 machines outside the firewalls, at each end. Let them establish a VPN connection. Let's call them VPNFarEndPoint.
Now add another 2 machines, this time INSIDE the firewalled net. Let's call them VPNCloseEndPoint. Let the VPNCloseEndPoint establish a VPN connection with the VPNFarEndPoint. You have VPN without opening any port on your firewall.

ASCII ART:

VPNCEP1 ---> (Firewall1) --> VPNFEP1 ---------------------------> VPNFEP2 <---- (Firewall2) <----- VPNCEP2

Do it with Linux virtual machines and you can have it for free.
Take care, it's less secure than opening one single port, since you're having VPNFEPs unshielded.
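To make the topology above concrete, here is an added example (mine, not paradoxengine's or anything from the thread) that models a basic NAT firewall with connection tracking and runs the relay design through it, next to lrmoore's conventional VPN-behind-the-firewall case. The addresses, the UDP 1194 tunnel port and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

@dataclass
class StatefulFirewall:
    """Basic NAT firewall: inside hosts may go out; inbound traffic passes only
    if it answers a flow opened from inside or hits an explicitly opened port."""
    inside: set
    opened_ports: set = field(default_factory=set)   # (proto, port) pairs
    _flows: set = field(default_factory=set)         # connection-tracking table

    def pass_packet(self, p: Packet) -> bool:
        if p.src in self.inside:
            self._flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return True
        reply_key = (p.proto, p.src, p.sport, p.dst, p.dport)
        return reply_key in self._flows or (p.proto, p.dport) in self.opened_ports

# Constructed addresses for the four boxes in the diagram; UDP 1194 is an
# assumed tunnel port, not one named in the thread.
VPNCEP1, VPNFEP1, VPNCEP2, VPNFEP2 = "10.1.0.5", "203.0.113.10", "10.2.0.5", "198.51.100.20"

def relay_vpn_demo() -> dict:
    fw1, fw2 = StatefulFirewall(inside={VPNCEP1}), StatefulFirewall(inside={VPNCEP2})
    # Each close endpoint dials out to its far endpoint, creating a tracked flow.
    out = fw1.pass_packet(Packet(VPNCEP1, 50000, VPNFEP1, 1194)) and \
          fw2.pass_packet(Packet(VPNCEP2, 50000, VPNFEP2, 1194))
    # The far endpoints' replies ride those flows back in through both firewalls.
    back = fw1.pass_packet(Packet(VPNFEP1, 1194, VPNCEP1, 50000)) and \
           fw2.pass_packet(Packet(VPNFEP2, 1194, VPNCEP2, 50000))
    # Anything unsolicited aimed at a close endpoint is still dropped.
    stray = fw1.pass_packet(Packet("192.0.2.66", 4444, VPNCEP1, 1194))
    return {"tunnel_up": out and back, "stray_blocked": not stray,
            "ports_opened": fw1.opened_ports | fw2.opened_ports}

def classic_vpn_demo() -> tuple:
    """lrmoore's case: a VPN box behind the firewall needs UDP 500/4500 opened,
    because the remote peer, not the inside box, initiates the IKE flow."""
    vpn_box = "10.1.0.9"
    ike = Packet(VPNFEP2, 500, vpn_box, 500)
    closed = StatefulFirewall(inside={vpn_box}).pass_packet(ike)
    opened = StatefulFirewall(inside={vpn_box},
                              opened_ports={("udp", 500), ("udp", 4500)}).pass_packet(ike)
    return closed, opened   # (False, True)
```

Note that VPNFEP1 and VPNFEP2 are not behind any firewall object in this model, which is exactly the exposure the post warns about: the relay moves the attack surface from one firewall port to two unshielded hosts.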

Author Comment

by:mstefani
ID: 17781288
I like that one, but how do you do a VPN from VPNCEP1 to VPNFEP1 without opening a port?

Mike
LVL 2

Accepted Solution

by:
robsonde earned 250 total points
ID: 17781925
Hamachi
LVL 9

Expert Comment

by:paradoxengine
ID: 17782011
VPNFEP1 and 2 will be "outside" the firewall.

Author Comment

by:mstefani
ID: 17782642
Hamachi sounds like the answer. Thanks robsonde. I will try it out.