How to allow access to LAN without opening ports in firewall

Hi, this is a general question, and I hope it is in the correct area.

I am looking for a software/hardware product that will allow my remote site and some remote users to access my LAN without having to use VPN technology, which requires opening ports in the firewall. I have a basic NAT firewall and wanted to know if there is a product that could send packets past the firewall without opening ports.

Has anyone heard of such an animal? I am starting to look at UPnP, so any insight into that would be helpful.


thanks,

Mike
Asked by: mstefani

1 Solution

lrmoore commented:
If that was possible, what good would the firewall be?
You can look at something like www.gotomypc.com

robsonde commented:
A firewall is there to stop things getting in, and you want to let things in.

UPnP is a bad thing because it can/will open ports on your router without you knowing about it.

Why is VPN bad?

You could do some reading on port knocking; it's a way of opening a port in an on-demand kind of way.

Hamachi may be another option. It's a VPN that won't need any firewall ports to be opened; I haven't used it but it gets good reviews.

PsiCop commented:
"wanted to know if there is a product that could send packets past the firewall."

That is exactly what a VPN does.

"without opening ports"

By definition, if the ports aren't open, then the firewall blocks them. What you say you want is like someone saying "I want to be able to walk through the locked door without unlocking it". Doesn't make much sense, does it?

mstefani (Author) commented:
Thanks for the input so far.

Clarification: I am thinking of something, like a device, that sits on my remote office LAN, and a device that sits on my local LAN, and they communicate traffic back and forth without having to open a port in the firewall. This would be like a VPN but without having to worry about a hacker intruding on a vulnerability in the firewall. The VPN hardware would be behind the firewall.

Am I just dreaming that anything like this could/does exist?  I am trying to be overly secure with this wan.

paradoxengine commented:
If you do not trust your firewall, it does not matter if it has open ports or not.
If you write fw rules the right way, having them closed or having them open just under the right conditions (you can even use port knocking for EXTRA security) is the very same thing.
A VPN would be the best choice for your scenario.

lrmoore commented:
If you put a VPN device behind the firewall, then you still have to open ports through the firewall for the VPN traffic: UDP 500/4500, TCP 11000 and ESP traffic.
The most common scenario today is to terminate the VPN directly on the firewall. Agree with paradoxengine that if you don't currently trust your firewall to handle this task, it's time to look at a new one. Cisco ASA is good enough to be used by the US Department of Defense . . .

pgm554 commented:
You can set up a proxy outside of the firewall in a DMZ.

PsiCop commented:
Having a device on your local LAN and your remote LAN providing a secure communications channel *is* a VPN. If the two devices communicate over TCP/IP, then they will need at least *one* port open to do so. Unless you have them communicate over a dedicated hard line that's completely separate from the Internet, you'll be using a VPN. It's as simple as that.

paradoxengine commented:
OK, this is how you can do it, if you REALLY have to.
Let's suppose your firewall allows outbound connections.
Place 2 machines outside the firewalls, at each end. Let them establish a VPN connection. Let's call them VPNFarEndPoint.
Now add another 2 machines, this time INSIDE the firewalled net. Let's call them VPNCloseEndPoint. Let the VPNCloseEndPoint establish a VPN connection with the VPNFarEndPoint. You have VPN without opening any port on your firewall.

ASCII ART:

VPNCEP1 ---> (Firewall1) --> VPNFEP1 ---------------------------> VPNFEP2 <---- (Firewall2) <----- VPNCEP2

Do it with Linux virtual machines and you can have it for free.
Take care, it's less secure than opening one single port, since you're having VPNFEPs unshielded.
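The mechanism behind the two-endpoint layout above, and the port knocking robsonde mentioned earlier in the thread, as an added example that is not part of the original discussion and is not any product's code: a toy stateful NAT firewall in Python. The addresses, the knock sequence (7000, 8000, 9000), the port it unlocks (1194) and the 30-second timeout are all constructed for the demo. It shows why VPNCEP1 (inside) can talk to VPNFEP1 (outside) with no inbound port opened: the firewall records the outbound flow and admits only that flow's replies, while unsolicited inbound packets to the same port are dropped. It also shows what "opening a port on demand" means: a remote user who sends the right knock sequence gets the port opened for their own source address only, and only until the timeout.

```python
"""Toy stateful NAT firewall (added example; not code from this thread).

It models the two mechanisms argued about above:
  * an inside VPN endpoint (VPNCEP) can reach an outside one (VPNFEP)
    with no inbound port opened, because the firewall records the
    outbound flow and only lets that flow's replies back in; and
  * port knocking opens an inbound port "on demand", but only for the
    source that sent the right sequence and only for a short time.
Addresses, ports and the knock sequence below are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


INSIDE_PREFIX = "10.0.0."  # constructed: the protected LAN


class StatefulFirewall:
    KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumption: demo knock ports
    KNOCK_OPENS = 1194                   # assumption: port the knock unlocks
    KNOCK_TTL = 30.0                     # seconds the unlocked port stays open

    def __init__(self):
        self.flows = set()          # 5-tuples of outbound-initiated flows
        self.knock_progress = {}    # src ip -> index of next expected knock
        self.knock_open_until = {}  # src ip -> time the unlocked port closes

    @staticmethod
    def is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def handle(self, pkt, now=0.0):
        """Return the verdict for one packet, updating state the way a
        connection-tracking firewall does."""
        if self.is_inside(pkt.src) and not self.is_inside(pkt.dst):
            # Outbound is allowed; remember the flow so its replies get in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ALLOW outbound"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            # Reply to a flow an inside host started: no inbound rule needed.
            return "ALLOW established"
        if (pkt.dport == self.KNOCK_OPENS
                and self.knock_open_until.get(pkt.src, 0.0) > now):
            return "ALLOW knocked"
        self._record_knock(pkt, now)
        return "DROP"  # default deny for every other unsolicited inbound packet

    def _record_knock(self, pkt, now):
        expected = self.knock_progress.get(pkt.src, 0)
        if pkt.dport == self.KNOCK_SEQUENCE[expected]:
            expected += 1
            if expected == len(self.KNOCK_SEQUENCE):
                self.knock_open_until[pkt.src] = now + self.KNOCK_TTL
                expected = 0
            self.knock_progress[pkt.src] = expected
        else:
            self.knock_progress[pkt.src] = 0  # a wrong port resets the sequence


def demo():
    """Walk the thread's topology through the firewall; returns the verdicts."""
    fw = StatefulFirewall()
    cep, fep = "10.0.0.5", "203.0.113.10"        # VPNCEP1 (inside), VPNFEP1 (outside)
    remote, attacker = "192.0.2.20", "198.51.100.7"
    verdicts = []
    # VPNCEP1 opens the tunnel outbound ...
    verdicts.append(fw.handle(Packet(cep, 40000, fep, 1194)))
    # ... and VPNFEP1's reply comes back through the tracked flow.
    verdicts.append(fw.handle(Packet(fep, 1194, cep, 40000)))
    # Unsolicited traffic to the same inside port is dropped.
    verdicts.append(fw.handle(Packet(attacker, 5555, cep, 1194)))
    # A remote user knocks 7000, 8000, 9000 (each knock itself is dropped) ...
    for port in StatefulFirewall.KNOCK_SEQUENCE:
        verdicts.append(fw.handle(Packet(remote, 6000, cep, port)))
    # ... then the unlocked port admits that user, but still not the attacker.
    verdicts.append(fw.handle(Packet(remote, 6001, cep, 1194), now=1.0))
    verdicts.append(fw.handle(Packet(attacker, 6001, cep, 1194), now=1.0))
    # After KNOCK_TTL seconds the port is closed again.
    verdicts.append(fw.handle(Packet(remote, 6002, cep, 1194), now=40.0))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Run it directly to print the nine verdicts. Two caveats a practitioner would want: the outbound-only trick does not remove the exposure, it moves it to VPNFEP1, which is why paradoxengine calls the VPNFEPs unshielded; and a fixed knock sequence is a shared secret sent in the clear, so anyone who can watch the knocks can replay them, which makes port knocking a way to hide a port, not a substitute for the VPN's own authentication. Real firewalls implement the flow-tracking half as connection tracking (the ESTABLISHED/RELATED state in iptables and nftables).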
 
mstefani (Author) commented:
I like that one, but how do you do a VPN from VPNCEP1 to VPNFEP1 without opening a port?

Mike

robsonde commented:
Hamachi

paradoxengine commented:
VPNFEP1 and 2 will be "outside" the firewall.

mstefani (Author) commented:
Hamachi sounds like the answer. Thanks robsonde. I will try it out.