Solved

How to allow access to Lan without opening ports in firewall

Posted on 2006-10-19
Last Modified: 2013-11-16
Hi,  This is a general question, and I hope it is in the correct area.  

I am looking for a software/hardware product that will allow my remote site and some remote users to access my LAN without having to use VPN technology, which requires opening ports in the firewall. I have a basic NAT firewall and wanted to know if there is a product that could send packets past the firewall without opening ports.

Has anyone heard of such an animal? I am starting to look at UPnP, so any insight into that would be helpful.


thanks,

Mike
0
Question by:mstefani
13 Comments
LVL 79

Expert Comment

by:lrmoore
If that was possible, what good would the firewall be?
You can look at something like www.gotomypc.com
0
LVL 2

Expert Comment

by:robsonde
A firewall is there to stop things getting in, and you want to let things in.

UPnP is a bad thing because it can/will open ports on your router without you knowing about it.

Why is VPN bad??

You could do some reading on port knocking; it's a way of opening a port in an on-demand kind of way.

Hamachi may be another option. It's a VPN that won't need any firewall ports to be opened. I haven't used it, but it gets good reviews.

0
LVL 34

Expert Comment

by:PsiCop
"wanted to know if there is a product that could send packets past the firewall."

That is exactly what a VPN does.

"without opening ports"

By definition, if the ports aren't open, then the firewall blocks them. What you say you want is like someone saying "I want to be able to walk through the locked door without unlocking it". Doesn't make much sense, does it?
0
Author Comment

by:mstefani
Thanks for the input so far.

Clarification: I am thinking of something, like a device, that sits on my remote office LAN, and a device that sits on my local LAN, and they communicate traffic back and forth without having to open a port in the firewall. This would be like a VPN but without having to worry about a hacker intruding on a vulnerability in the firewall. The VPN hardware would be behind the firewall.

Am I just dreaming that anything like this could/does exist? I am trying to be overly secure with this WAN.
0
LVL 9

Expert Comment

by:paradoxengine
If you do not trust your firewall, it does not matter if it has open ports or not.
If you write FW rules the right way, having them closed or having them open just under the right conditions (you can even use port knocking for EXTRA security) is the very same thing.
A VPN would be the best choice for your scenario.
0
LVL 79

Expert Comment

by:lrmoore
If you put a VPN device behind the firewall, then you still have to open ports through the firewall for the VPN traffic: UDP 500/4500, TCP 11000 and ESP traffic.
The most common scenario today is to terminate the VPN directly on the firewall. Agree with paradoxengine that if you don't currently trust your firewall to handle this task, it's time to look at a new one. Cisco ASA is good enough to be used by the US Department of Defense . . .
0
LVL 30

Expert Comment

by:pgm554
You can set up a proxy outside of the firewall in a DMZ.
0
LVL 34

Expert Comment

by:PsiCop
Having a device on your local LAN and your remote LAN providing a secure communications channel *is* a VPN. If the two devices communicate over TCP/IP, then they will need at least *one* port open to do so. Unless you have them communicate over a dedicated hard line that's completely separate from the Internet, you'll be using a VPN. It's as simple as that.
0
LVL 9

Expert Comment

by:paradoxengine
OK, this is how you can do it, if you REALLY have to.
Let's suppose your firewall allows outbound connections.
Place 2 machines outside the firewalls, at each end. Let them establish a VPN connection. Let's call them VPNFarEndPoint.
Now add another 2 machines, this time INSIDE the firewall net. Let's call them VPNCloseEndPoint. Let the VPNCloseEndPoint establish a VPN connection with the VPNFarEndPoint. You have VPN without opening any port on your firewall.

ASCII ART:

VPNCEP1 ---> (Firewall1) --> VPNFEP1 ---------------------------> VPNFEP2 <---- (Firewall2) <----- VPNCEP2

Do it with Linux virtual machines and you can have it for free.
Take care: it's less secure than opening one single port, since you're having the VPNFEPs unshielded.
0
Author Comment

by:mstefani
I like that one, but how do you do a VPN from VPNCEP1 to VPNFEP1 without opening a port?

Mike
0
LVL 2

Accepted Solution

by:robsonde (earned 250 total points)
Hamachi
0
LVL 9

Expert Comment

by:paradoxengine
VPNFEP1 and 2 will be "outside" the firewall.
0
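To make concrete why the VPNCEP1 → VPNFEP1 scheme (and an outbound-connecting client such as Hamachi) needs no inbound port opened, here is a small stateful NAT firewall model. It is added here and is not code from the thread; the addresses are constructed from documentation ranges, and UDP 4500 is the IPsec NAT-T port lrmoore lists above. Packets from the Internet are accepted only when they are replies to a flow the LAN side started; an unsolicited packet to the same port is dropped even though the VPN is working.

```python
from dataclasses import dataclass

# Constructed addresses: 10.0.0.0/8 is the office LAN behind Firewall1,
# 203.0.113.10 plays VPNFEP1 (outside the firewall) and 198.51.100.7 is
# an unrelated Internet host. UDP 4500 is IPsec NAT-T, as in lrmoore's list.
LAN_PREFIX = "10."
VPNCEP1, VPNFEP1, OUTSIDER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
NAT_T = 4500

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

class StatefulNatFirewall:
    """Default-deny inbound, allow chosen outbound, permit replies to tracked flows."""
    def __init__(self, allowed_outbound):
        self.allowed_outbound = allowed_outbound   # set of (proto, dport) the LAN may reach
        self.conntrack = set()                     # 5-tuples of flows the LAN side opened

    def filter(self, p):
        if is_lan(p.src) and not is_lan(p.dst):              # LAN -> Internet
            if (p.proto, p.dport) not in self.allowed_outbound:
                return "DROP"
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT-NEW"
        if not is_lan(p.src) and is_lan(p.dst):              # Internet -> LAN
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.conntrack:
                return "ACCEPT-ESTABLISHED"                  # reply to a flow we opened
            return "DROP"                                    # no open port, no state
        return "DROP"

def demo():
    """Verdicts for the VPNCEP1 -> VPNFEP1 scenario, in packet order."""
    fw = StatefulNatFirewall(allowed_outbound={("udp", NAT_T)})
    return [
        fw.filter(Packet("udp", OUTSIDER, NAT_T, VPNCEP1, NAT_T)),  # unsolicited, before any flow
        fw.filter(Packet("udp", VPNCEP1, NAT_T, VPNFEP1, NAT_T)),   # VPNCEP1 initiates outbound
        fw.filter(Packet("udp", VPNFEP1, NAT_T, VPNCEP1, NAT_T)),   # VPNFEP1's reply matches state
        fw.filter(Packet("udp", OUTSIDER, NAT_T, VPNCEP1, NAT_T)),  # still unsolicited: dropped
        fw.filter(Packet("udp", VPNCEP1, NAT_T, VPNFEP1, 22)),      # not in the outbound policy
    ]
```

Calling `demo()` yields the five verdicts; note that the VPNFEP machines sit outside this filter, which is exactly the exposure paradoxengine warns about.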
Author Comment

by:mstefani
Hamachi sounds like the answer. Thanks robsonde. I will try it out.
0