
[IPsec and remote access] Security Policy Configuration



Hi All,
RFC 3457 states that there are 5 basic categories of requirements 
relevant to secure remote access scenarios:

- Endpoint Authentication ;
- Remote Host Configuration ;
- Security Policy Configuration ;
- Auditing ;
- Intermediary Traversal ;

However, while we've long discussed Endpoint Authentication
(SLA&IKEv2), Remote Host Configuration (RFC3456 or CP) and Intermediary
Traversal (NA(P)T traversal), I believe we left out Security Policy
Configuration.

From RFC 3457:

"Security policy configuration refers to IPsec access policies for
both the remote access client and the security gateway.  It may be
desirable to configure access policies on connecting IRAC systems
which will protect the target network.  For example, since a client
has access to the Internet (via its routable address), other systems
on the Internet also have some level of reciprocal access to the
client.  In some cases, it may be desirable to block this Internet
access (or force it to pass through the tunnel) while the client has
a tunneled connection to the target network.  This is a matter of
client security policy configuration."

I think it would be a good idea to force the IRAC's SPD entries. I'm
thinking, e.g., of a scenario where someone wants to access his
corporate network using a public machine (e.g. at the airport or in
the hotel), and in the corporate network the SGW is behind a firewall.
In this case, where we can't trust the airport PC and the "corporate
firewall" can't inspect the packets in the tunnel because of the
encryption, we have to force SPD entries on the IRAC to protect the
corporate network.
The IRAC's SPD should be something like this:

OUTBOUND:
FROM IP(IRAC):[PORT] TO IP(SGW)/xx :[PORT] IPSEC
FROM IP(IRAC):[PORT] TO AnyHost    :[PORT] Discard

INBOUND:
FROM IP(SGW)/xx :[PORT] TO IP(IRAC):[PORT] IPSEC
FROM AnyHost    :[PORT] TO IP(IRAC):[PORT] Discard

Am I right, or is there something that I can't see?
-- 
------------------------------------------------
Antonio Forzieri
CEFRIEL - Politecnico di Milano
Thesis student, E-Service Technologies Area
Tel: 02-23954.334 - email: forzieri@cefriel.it
------------------------------------------------
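As an added illustration (my own model, not from the post or from any IPsec implementation), the IRAC's SPD above written as an ordered, first-match selector list, so one can probe which packets get tunnelled and which are discarded; the addresses are constructed placeholders and the SGW is represented by a /24 prefix standing in for "IP(SGW)/xx":

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addresses (documentation ranges), not real hosts.
IRAC_ADDR = "192.0.2.10"        # the remote access client
SGW_NET = "198.51.100.0/24"     # the "IP(SGW)/xx" prefix reached via the tunnel

@dataclass(frozen=True)
class SpdEntry:
    direction: str                  # "OUT" or "IN"
    src: str                        # CIDR/host, or "any"
    dst: str
    action: str                     # "IPSEC" or "DISCARD"
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None

    def matches(self, direction, src, dst, sport, dport):
        def addr_ok(sel, addr):
            return sel == "any" or ip_address(addr) in ip_network(sel, strict=False)
        def port_ok(sel, port):
            return sel is None or sel == port
        return (self.direction == direction and addr_ok(self.src, src)
                and addr_ok(self.dst, dst) and port_ok(self.src_port, sport)
                and port_ok(self.dst_port, dport))

def lookup(spd, direction, src, dst, sport=0, dport=0):
    """Action of the first matching entry (SPD entries are ordered);
    a packet that matches nothing is discarded."""
    for entry in spd:
        if entry.matches(direction, src, dst, sport, dport):
            return entry.action
    return "DISCARD"

# The IRAC's SPD as proposed in the post.
IRAC_SPD = [
    SpdEntry("OUT", IRAC_ADDR, SGW_NET, "IPSEC"),
    SpdEntry("OUT", IRAC_ADDR, "any", "DISCARD"),
    SpdEntry("IN", SGW_NET, IRAC_ADDR, "IPSEC"),
    SpdEntry("IN", "any", IRAC_ADDR, "DISCARD"),
]

# Same entries with the catch-all discard listed first: with first-match
# semantics the tunnel itself is now blocked, so entry order is part of the policy.
MISORDERED_SPD = [IRAC_SPD[1], IRAC_SPD[0], IRAC_SPD[3], IRAC_SPD[2]]

def leaks_outside_tunnel(spd, probe_dsts):
    """Probe destinations outside SGW_NET that the SPD would let out in clear."""
    return [d for d in probe_dsts
            if ip_address(d) not in ip_network(SGW_NET)
            and lookup(spd, "OUT", IRAC_ADDR, d) != "DISCARD"]
```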