JohnBPrice
asked on
Windows Firewall not protecting IP Routing?
I was setting up OpenVPN so that I can access my work LAN from the outside (Currently using MS VPN). In order to access the LAN via OpenVPN, they say you have to enable IP routing on the openVPN server (which is XP Pro SP2), see http://openvpn.net/index.php/documentation/howto.html#scope
This worked fine, however once I enabled IP routing not only the VPN clients can route to my LAN, but every machine in my DMZ can now route to the LAN. I have the XP Firewall set to only allow access to the openVPN port 1194 and only from my PIX 501 (which NATs in a public IP). A machine in my DMZ can route to my internal LAN just by adding a route through the openVPN server. They can't ping the openVPN server, they can't access any files or services on the openVPN server, but they can still route through it. They can ping through it, they can do remote desktop through it. Thus if any of my DMZ machines were compromised, they would have clear access to my LAN, which kind of defeats the point of a DMZ. Is this a bug? Did I do something wrong? See attached picture for config.
OpenVPN.JPG
This worked fine, however once I enabled IP routing not only the VPN clients can route to my LAN, but every machine in my DMZ can now route to the LAN. I have the XP Firewall set to only allow access to the openVPN port 1194 and only from my PIX 501 (which NATs in a public IP). A machine in my DMZ can route to my internal LAN just by adding a route through the openVPN server. They can't ping the openVPN server, they can't access any files or services on the openVPN server, but they can still route through it. They can ping through it, they can do remote desktop through it. Thus if any of my DMZ machines were compromised, they would have clear access to my LAN, which kind of defeats the point of a DMZ. Is this a bug? Did I do something wrong? See attached picture for config.
OpenVPN.JPG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Qlemo
How is it possible that a machine on DMZ has access to the OpenVPN server?
I think your VPN server is routing traffic once you enabled it, I may be wrong though: "however once I enabled IP routing "
ASKER
Thanks,
BLipman: A VLAN is an interesting idea, I don't think the PIX 501 does VLAN's, but my internal LAN switch does, maybe there is something I can work out with that idea.
RE: Dynamic routing protocols and RIP, the problem is not that the routing occurs, but that the Windows Firewall doesn't control it.
BTW, OpenVPN is not IPSEC, it is SSL. (and it's free, which is currently a constraint of mine)
Olemo, my Pix 501 does not have separate inside and DMZ zones, I'm faking a DMZ with a second (elCheapo home use) firewall between the PIX and the LAN. This ElCheapo firewall doesn't do more than one NAT. Thus in order to VPN in, I have to pass the PIX, and then either pass the ElCheapo, or bypass the ElCheapo, which is what I was trying to achieve with OpenVPN. I can put the OpenVPN server is inside and port forward to that, thus eliminating the need for routing, but I would have to have an inbound public IP routed to the ElCheapo and I am not really comfortable with that. I can't switch the ElCheapo with the PIX 501, because as I said, the ElCheapo doesn't do more than one NAT so I couldn't have multiple servers inside my DMZ. Any suggestions would be welcome.
BLiman, I'm quite sure it is not the OpenVPN VPN software. It is quite clearly when I enable routing on the box, the Windows (POS) firewall doesn't control the routing.
BLipman: A VLAN is an interesting idea, I don't think the PIX 501 does VLAN's, but my internal LAN switch does, maybe there is something I can work out with that idea.
RE: Dynamic routing protocols and RIP, the problem is not that the routing occurs, but that the Windows Firewall doesn't control it.
BTW, OpenVPN is not IPSEC, it is SSL. (and it's free, which is currently a constraint of mine)
Olemo, my Pix 501 does not have separate inside and DMZ zones, I'm faking a DMZ with a second (elCheapo home use) firewall between the PIX and the LAN. This ElCheapo firewall doesn't do more than one NAT. Thus in order to VPN in, I have to pass the PIX, and then either pass the ElCheapo, or bypass the ElCheapo, which is what I was trying to achieve with OpenVPN. I can put the OpenVPN server is inside and port forward to that, thus eliminating the need for routing, but I would have to have an inbound public IP routed to the ElCheapo and I am not really comfortable with that. I can't switch the ElCheapo with the PIX 501, because as I said, the ElCheapo doesn't do more than one NAT so I couldn't have multiple servers inside my DMZ. Any suggestions would be welcome.
BLiman, I'm quite sure it is not the OpenVPN VPN software. It is quite clearly when I enable routing on the box, the Windows (POS) firewall doesn't control the routing.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
"The problem with fake-DMZ is that you do not have real protection, as you see."
Better options?
Right now, I do have VPN access which I believe is pretty safe, but has issues. What I do now is use Cisco VPN to get through the PIX, and then port forward MS VPN packets to an inside Windows Server, which then you then get through using MS VPN. The PIX doesn't allow MS VPN packets in unless they come through the Cisco VPN, and the only way into the LAN is MS VPN packets which go directly to the MS Server. If a DMZ machine got compromised, the MS VPN will still protect the LAN. I think it is pretty safe, but it is slow as a dog being double VPN, plus I want to get rid of the MS VPN.
What I would like to achieve is:
- A single VPN to get to the LAN
- The LAN is still protected even if one of my DMZ machines get compromised.
- Use either Cisco VPN or OpenVPN clients (I am trying to be able to administer my machines with my Nokia N810 which has only Cisco and OpenVPN clients)
- Must be free (or nearly so). I already have the Cisco VPN licenses, so that is fair game. This is strictly for fun and my convenience, so I can't really justify spending much.
What would think if I put the OpenVPN inside the LAN (one NIC), have the PIX forward only port 1194 from a dedicated IP address to the ElCheapo but not require the Cisco VPN, and have the ElCheapo port forward the 1194 packets to the open VPN? If a DMZ machine got compromised, they would still have to break either the ElCheapo or the OpenVPN, since only 1194 packets would get through? Anyone could send 1194 packets into my LAN, exposing the OpenVPN to DoS attacks, but I might be able to set the PIX to detect and stop them.
I would prefer to use just the Cisco VPN client, since OpenVPN is apain and I already understand the Cisco VPN, but I can't figure out asafe way to do it.
Better options?
Right now, I do have VPN access which I believe is pretty safe, but has issues. What I do now is use Cisco VPN to get through the PIX, and then port forward MS VPN packets to an inside Windows Server, which then you then get through using MS VPN. The PIX doesn't allow MS VPN packets in unless they come through the Cisco VPN, and the only way into the LAN is MS VPN packets which go directly to the MS Server. If a DMZ machine got compromised, the MS VPN will still protect the LAN. I think it is pretty safe, but it is slow as a dog being double VPN, plus I want to get rid of the MS VPN.
What I would like to achieve is:
- A single VPN to get to the LAN
- The LAN is still protected even if one of my DMZ machines get compromised.
- Use either Cisco VPN or OpenVPN clients (I am trying to be able to administer my machines with my Nokia N810 which has only Cisco and OpenVPN clients)
- Must be free (or nearly so). I already have the Cisco VPN licenses, so that is fair game. This is strictly for fun and my convenience, so I can't really justify spending much.
What would think if I put the OpenVPN inside the LAN (one NIC), have the PIX forward only port 1194 from a dedicated IP address to the ElCheapo but not require the Cisco VPN, and have the ElCheapo port forward the 1194 packets to the open VPN? If a DMZ machine got compromised, they would still have to break either the ElCheapo or the OpenVPN, since only 1194 packets would get through? Anyone could send 1194 packets into my LAN, exposing the OpenVPN to DoS attacks, but I might be able to set the PIX to detect and stop them.
I would prefer to use just the Cisco VPN client, since OpenVPN is apain and I already understand the Cisco VPN, but I can't figure out asafe way to do it.
ASKER
Looks my question is now dead to the world, so points for helping.