Thread: How 2 deny all but VPN frm remote site ?

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    5

    How 2 deny all but VPN frm remote site ?

    I have several remote sites that connect via VPN to corporate via various broadbands (DSL, ISDN, Cable). Problem is the locals are getting into trouble by surfing through the ISP when not using the VPN.
    Would a solution be to shut down all ports save the VPN, and would that allow them to continue to surf but forced through the corporate firewall? Using Cisco. Suggestions for a local firewall (at the remote site) appreciated. Currently using a Linksys but it appears too Mickey Mouse for any detailed control.
    Thanks,
    Mike

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I use a Linksys for this purpose. I use it to block all outbound except port 1723 and have the users log into the VPN by a "dialup" login (it's still DSL but M$ insists on calling it dial up). It works fine for me - no problems from the users; they are still limited by my surfing controls and policies etc. and they get what they need.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    Haven't gotten too into VPN yet, but can't you configure most browsers to only use specific connections? VPN connections are considered separate connections by the OS usually, right? If not, never mind.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    You could set up a proxy at corp and set all the remotes to use it. Not only would you be forcing them through your firewall, but a record will be kept of their surfing. A deterrent in itself.

    Hey TS! Could you please go into a little more detail on that?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    You could always set up a pure site-to-site VPN tunnel. It's always on; users have no way of exiting the tunnel as they don't use a software client. It's all taken care of in hardware. It's possibly cost prohibitive if you've already got stuff in place.

    How exactly is the general setup now? A little more info would help.

    And yeah, as usual Tigershark is correct. My only concern would be bandwidth; it could be an issue depending on what your remote users are doing. I've had engineers try to transfer some rather large files via Perforce and it took forever and a day. Always try to do what you can in hardware first; only use software when there is no other choice. IMHO.

    peace
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Junior Member
    Join Date
    Apr 2004
    Posts
    5
    Thanks all for the swift replies. Been out of town. Onto another fire. Will reply back with particulars as fog clears.
    Mike

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356

    Re: How 2 deny all but VPN frm remote site ?

    Originally posted here by Mv513
    I have several remote sites that connect via VPN to corporate via various broadbands (DSL, ISDN, Cable). Problem is the locals are getting into trouble by surfing through the ISP when not using the VPN.
    Would a solution be to shut down all ports save the VPN, and would that allow them to continue to surf but forced through the corporate firewall? Using Cisco. Suggestions for a local firewall (at the remote site) appreciated. Currently using a Linksys but it appears too Mickey Mouse for any detailed control.
    Thanks,
    Mike
    Kind of depends on how you have your VPN set up. If you are using IPsec/IKE you deny all outbound access except protocol 50/udp 500. I doubt your Linksys will let you do that, so you could set up your concentrator/VPN to use tcp/10000 instead of protocol 50, and your Linksys should be able to filter on that.

    As far as recommendations, for small remote locations we have used PIX 501s, and for 40 or so people we have been using the PIX 506. They are also able to be configured for a pure site-to-site VPN configuration...

    Hope that helps steer you in the right direction...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Junior Member
    Join Date
    Apr 2004
    Posts
    5
    I just heard that traffic acceleration is a part of the equation. It's a form of QoS (quality of service), where you give priority to a given type of traffic. On congested ISP links those packets will have priority over other traffic. ISPs use QoS on port 80 or 443. However, if you encapsulate your traffic into port 10000 you lose the priority, which falls under "best effort" - it will get there whenever it will… This is where the slowdown occurs.
    Any thoughts on this ?

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Neb: Yep, a Linksys can do that. I filter all ports 1-1722 and 1724-65535 on my Linksys and force all my users there to create the VPN tunnel to log in. After that they fall back under my control..... I like control.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
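The two rule sets proposed in this thread (post #7's IPsec profile of protocol 50 plus udp/500, with tcp/10000 as the fallback for a router that cannot match on protocol 50, and the PPTP profile from posts #2 and #9 that allows only tcp/1723 outbound) are small enough to model and verify before loading them on a site firewall. The Python below is an added example written for this thread, not code from any poster; it evaluates a constructed set of outbound flows against each profile and renders the profile as iptables rules for a Linux site router (the interface name wan0 is an assumption). One caveat worth checking on your own device: PPTP carries its data channel over GRE (IP protocol 47), which a port-only filter cannot express, so the PPTP profile here allows GRE explicitly on the assumption that the router can pass it.

```python
"""Egress-policy check for a remote site that must reach corporate only via VPN.

Added example for the thread above; IP protocol numbers and ports are standard
IANA values, the sample flows are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IP protocol numbers (IANA assignments)
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel
PROTO_ESP = 50   # IPsec Encapsulating Security Payload

PROTO_NAMES = {PROTO_TCP: "tcp", PROTO_UDP: "udp", PROTO_GRE: "gre", PROTO_ESP: "esp"}


@dataclass(frozen=True)
class Rule:
    proto: Optional[int]   # None matches any IP protocol
    dport: Optional[int]   # None matches any port (or a protocol without ports)
    action: str            # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    proto: int
    dport: Optional[int]   # None for protocols without ports (ESP, GRE)


# Ordered rule lists, first match wins; anything unmatched hits the implicit
# default deny, which is the "block all outbound except the VPN" idea itself.
PROFILES: Dict[str, List[Rule]] = {
    # IPsec/IKE as in post #7: ESP (protocol 50) plus IKE on udp/500
    "ipsec": [Rule(PROTO_ESP, None, "allow"), Rule(PROTO_UDP, 500, "allow")],
    # Post #7's fallback for a router that cannot match protocol 50:
    # concentrator set to carry IPsec over tcp/10000; IKE still needs udp/500
    "ipsec_tcp10000": [Rule(PROTO_TCP, 10000, "allow"), Rule(PROTO_UDP, 500, "allow")],
    # PPTP as in posts #2 and #9: control channel on tcp/1723. The data channel
    # is GRE (protocol 47), which a port filter cannot express, so it is allowed
    # explicitly here (assumption: the site device can pass GRE).
    "pptp": [Rule(PROTO_TCP, 1723, "allow"), Rule(PROTO_GRE, None, "allow")],
}


def evaluate(profile: str, flow: Flow) -> str:
    """Return the action the profile takes on one outbound flow."""
    for rule in PROFILES[profile]:
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "deny"   # implicit default deny


# Constructed sample flows: what a remote site emits with and without the tunnel
SAMPLE_FLOWS: List[Tuple[str, Flow]] = [
    ("http direct to ISP", Flow(PROTO_TCP, 80)),
    ("https direct to ISP", Flow(PROTO_TCP, 443)),
    ("dns direct to ISP", Flow(PROTO_UDP, 53)),
    ("ike to concentrator", Flow(PROTO_UDP, 500)),
    ("esp to concentrator", Flow(PROTO_ESP, None)),
    ("ipsec over tcp/10000", Flow(PROTO_TCP, 10000)),
    ("pptp control", Flow(PROTO_TCP, 1723)),
    ("pptp gre data", Flow(PROTO_GRE, None)),
]


def audit(profile: str, flows=SAMPLE_FLOWS) -> Dict[str, str]:
    """Map each named flow to the action the profile would take on it."""
    return {name: evaluate(profile, flow) for name, flow in flows}


def to_iptables(profile: str, wan_if: str = "wan0") -> List[str]:
    """Render a profile as iptables FORWARD rules for a Linux site router.
    The interface name wan0 is an assumption; the final DROP is the default deny."""
    lines = []
    for rule in PROFILES[profile]:
        parts = ["iptables", "-A", "FORWARD", "-o", wan_if]
        if rule.proto is not None:
            parts += ["-p", PROTO_NAMES[rule.proto]]
        if rule.dport is not None:
            parts += ["--dport", str(rule.dport)]
        parts += ["-j", "ACCEPT" if rule.action == "allow" else "DROP"]
        lines.append(" ".join(parts))
    lines.append(f"iptables -A FORWARD -o {wan_if} -j DROP")
    return lines


if __name__ == "__main__":
    for name in PROFILES:
        print(f"== {name} ==")
        for flow_name, action in audit(name).items():
            print(f"  {action:5} {flow_name}")
        print("\n".join(to_iptables(name)))
```

Running the script shows the direct HTTP, HTTPS and DNS flows denied under every profile while only the tunnel's own traffic passes; if the same check against your real flow logs shows tunnel traffic being denied, the usual culprit is a protocol (ESP or GRE) that the router silently treats as unmatched rather than a port you forgot.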

  10. #10
    Junior Member
    Join Date
    Apr 2004
    Posts
    5
    Looks like HQ is pushing a $1500 Cisco 3200 + C2940 switch solution. 'Course they're not footing the bill.
