[THIN] Re: WHY

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 30 Apr 2008 15:49:01 +0100

Here is a beautiful text representation of how I see it

   Tunnel to cag      internal network

Me =========== CAG -------------------- INTERNAL

If I set up an ipsec vpn connection to my network via a VPN (cag) I don't
want that VPN to route external traffic out, I don't want it to make that
decision: I want all traffic from my endpoint channelled through the tunnel
to the VPN, and onto the internal network (rules permitting). At a base
level it's inefficient - what's the point in sending it through the tunnel if
it is meant to be external?

Maybe I elect to only perform *some* tunnelling - in which case external
traffic goes out from 'Me' and never goes through the tunnel (i.e. split
tunnelling - and at this point my network security chappie has a heart
attack). But, if traffic goes through the tunnel it comes out on the
internal network (rules permitting) - the CAG isn't responsible for deciding
if network traffic that comes through the tunnel should just be routed out
directly onto the web.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Berny Stapleton
Sent: 30 April 2008 14:57
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WHY

But the CAG wouldn't see the packet come into the internal interface as it's
not coming across the wire of the ethernet interface, so why should it
consider it internal traffic?

2008/4/30 Andrew Wood <andrew.wood@xxxxxxxxxxxxxxxx>:

I'd have thought that if the routing address on your internal interface was
correct, that all traffic going through the CAG should head through the
internal interface - and then be routed out through the normal channels for
internal network traffic to the internet (which is unlikely to be the CAG)

Otherwise, someone connecting on the external interface is being routed
straight out onto the web - bypassing any filters/caching/auditing/scanning
that you've got set up.

This doesn't help Chad mind - other than agreeing with him that what's
happening sounds wrong

a.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Berny Stapleton
Sent: 30 April 2008 14:26
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: WHY

OK, maybe this is just me and my limited experience with CAG...

A VPN session which I presume is a connection from the internet (External)
to the CAG, the CAG being a gateway device between external internet and
internal network, when you bring up a VPN session, or in this case I presume
IPSEC policy between the two devices (Client PC and the CAG) which would
give you an IPSEC policy to the CAG and any traffic you send to it through
the IPSEC policy would end up on its local routing table. At which point it
has to make a routing decision about where to send the traffic, it's an
external address so therefore it would send it to the external interface and
therefore external address.

That seems logical to me. My question to you is, unless the destination
address is the internal network, why SHOULD it send it via the internal
interface? My only educated guess on this one is that you used part of your
INTERNAL address space for the addresses you assigned to the CAG for it to
hand out to clients, when as far as I can see, the clients should have been
treated or thought of as DMZ interfaces / connections.

This is just what I am thinking about, having done firewall admin before.

If I am wrong on this one, and completely off base, please let me know, my
experience with CAG is limited.

Berny

2008/4/30 Chad Schneider (IT) <Chad.M.Schneider@xxxxxxxxxxxxx>:

Does a VPN session to the CAG route external-bound internet traffic through
the CAG external interface, rather than through the CAG Internal interface?

I am watching the traffic, from our CAG internal IP range, when making a
request to google.com, the traffic goes out the CAG INT0(External).

Chad Schneider
Systems Engineer
ThedaCare IT
920-735-7615
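
The two behaviours argued over in this thread (destination-only routing that sends a VPN client's internet-bound packets out the external interface, versus a source-based rule that forces all tunnel traffic onto the internal network) as an added example, not code from the list or from any CAG product; the interface names, prefixes, VPN client pool and sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed topology for illustration; names, prefixes and the VPN pool are
# assumptions, not taken from the thread.
INTERNAL = "internal"
EXTERNAL = "external"
ROUTES = [  # (prefix, egress interface): a plain destination-based table
    (ipaddress.ip_network("10.0.0.0/8"), INTERNAL),      # internal network
    (ipaddress.ip_network("203.0.113.0/24"), EXTERNAL),  # gateway's public subnet
    (ipaddress.ip_network("0.0.0.0/0"), EXTERNAL),       # default: internet-bound
]
# Addresses handed to VPN clients, carved out of internal space as Berny suspects.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")


def destination_route(dst):
    """Longest-prefix match on the destination only (Berny's description)."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress(src, dst, full_tunnel=False):
    """Pick the egress interface for a packet arriving from the tunnel.

    full_tunnel=False: destination routing only, so internet-bound packets
    leave on the external interface (what Chad observed).
    full_tunnel=True: a source-based policy rule sends everything from the
    VPN pool via the internal interface first, so it passes the internal
    filters/caching/auditing (what Andrew wants).
    """
    if full_tunnel and ipaddress.ip_address(src) in VPN_POOL:
        return INTERNAL
    return destination_route(dst)


def bypassing_flows(flows):
    """Flows from the VPN pool that left on the external interface, i.e.
    traffic that never crossed the internal network's controls."""
    return [f for f in flows
            if ipaddress.ip_address(f[0]) in VPN_POOL and f[2] == EXTERNAL]


# Constructed sample of observed flows: (source, destination, egress interface).
SAMPLE_FLOWS = [
    ("10.200.0.5", "10.1.2.3", INTERNAL),
    ("10.200.0.5", "198.51.100.10", EXTERNAL),  # VPN client going straight to the web
    ("10.1.2.3", "198.51.100.10", INTERNAL),
]

if __name__ == "__main__":
    print(egress("10.200.0.5", "198.51.100.10"))                    # external
    print(egress("10.200.0.5", "198.51.100.10", full_tunnel=True))  # internal
    print(bypassing_flows(SAMPLE_FLOWS))
```

Running bypassing_flows over real flow records from the gateway is the quick way to confirm whether VPN-pool sources are exiting the external interface at all.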
