
Re: scenario: Authenticated Firewall Traversal
At 02:10 PM 10/25/95 GMT, William Allen Simpson wrote:
>An administrator has one or more networks, and a number of mobile users.
>It is desirable to restrict access to authorized external users. The
>boundary router is 3.0.0.3.
>
>Each user adds commands to tunnel and authenticate.
>
>   route addp 3.0.0.0/8 tunnel 3.0.0.3
>   secure 3.0.0.3 authenticate-only
>
I want to walk through this example a lot slower with some 'real world'
flavor to it.

First off, the external reachable address is not on the same network as the
internal stuff (firewall is a CIDR block, internal is a registered B and
some 1597 nets).  So:

   route addp 129.9.0.0/16 tunnel 198.100.100.1
   route addp 172.16.0.0/16 tunnel 198.100.100.1
   route addp 192.168.0.0/22 tunnel 198.100.100.1
   secure 198.100.100.1 authenticate-only

Correct?

Next, of course the public DNS knows nothing about these systems behind the
firewall so resolv.conf needs:

domain foo.com
nameserver 1.1.1.1  ; ISP's DNS
nameserver 129.9.241.19  ; internal DNS

A resolve of host.fin.foo.com would result in two UDP attempts.  The first
to 1.1.1.1 that would not know of this name.  Would resolve then actually
try the 2nd address (well, Novell's LWP would, because it does the whole list
at once, not waiting for failures)?  Assuming that the 2nd request went out,
it would result in an encrypted pass through the firewall.  If this is the
first shot at the internal net, this packet might time out, resulting in a
second one.  Is all of this correct?

Now I am ready to access TCP and UDP apps inside the firewalled net...

BTW, there is a BIG market for this in Corporate US  (I've grown from 100 to
3000 remote PPP users this year; next might double the total).

Robert Moskowitz
Chrysler Corporation
(810) 758-8212
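The resolver walk-through in the post, as an added example that is not part of the original message: a small model of which UDP queries go out and what comes back when the ISP's server is listed before the internal one, under three resolver policies (the names of the policies, the timeout and round-trip values, the zone contents and the rule that the first packet into the tunnel is lost are all assumptions of this model, not statements about any particular resolver).

```python
# Added example (not from the post): a model of the split-DNS lookup walked
# through above. Assumptions: the ISP server returns NXDOMAIN for internal
# names, the internal server is reachable only through the tunnel, and the
# first packet sent into the tunnel is lost while the tunnel comes up.
ISP_DNS, INTERNAL_DNS = "1.1.1.1", "129.9.241.19"
TIMEOUT_S, RTT_S = 5.0, 0.1  # constructed: resolver timeout vs. a fast reply

# Constructed zone data; the public server knows nothing about fin.foo.com.
ZONES = {
    ISP_DNS: {"www.foo.com": "198.100.100.1"},
    INTERNAL_DNS: {"www.foo.com": "198.100.100.1",
                   "host.fin.foo.com": "129.9.241.50"},
}

def query(ns, name, tunnel, sent):
    """One UDP query: returns 'timeout', 'nxdomain' or the address. The first
    packet into the tunnel is lost while the tunnel comes up (assumption)."""
    sent.append(ns)
    if ns == INTERNAL_DNS and not tunnel["up"]:
        tunnel["up"] = True  # tunnel is established now, but this packet is lost
        return "timeout"
    return ZONES[ns].get(name, "nxdomain")

def resolve(name, nameservers, policy, retries=2):
    """Returns (answer or None, UDP packets sent, seconds waited) under one
    resolver policy: 'next_on_nxdomain' moves down the list on any failure,
    'stop_on_nxdomain' treats a negative answer as final, 'parallel' queries
    every server at once (the LWP-style behaviour mentioned in the post)."""
    tunnel, sent, waited = {"up": False}, [], 0.0
    for _ in range(retries):
        if policy == "parallel":
            results = [query(ns, name, tunnel, sent) for ns in nameservers]
            good = [r for r in results if r not in ("timeout", "nxdomain")]
            if good:  # first positive reply wins; otherwise wait out the round
                return good[0], len(sent), waited + RTT_S
            waited += max(TIMEOUT_S if r == "timeout" else RTT_S for r in results)
            continue
        for ns in nameservers:  # sequential: wait for each server in turn
            r = query(ns, name, tunnel, sent)
            waited += TIMEOUT_S if r == "timeout" else RTT_S
            if r not in ("timeout", "nxdomain"):
                return r, len(sent), waited
            if r == "nxdomain" and policy == "stop_on_nxdomain":
                return None, len(sent), waited
    return None, len(sent), waited
```

With the ISP server first, a policy that accepts its negative answer as final never sends the second packet at all, while the other two policies need the retry round before the internal server's reply gets through the tunnel.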