> -----Original Message-----
> From: Stephen Swann [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 8 June 2000 12:53 AM
> To: [EMAIL PROTECTED]
> Subject: Re: WatchGuard Firebox how is it ?
>
>
> On Wed, Jun 07, 2000 at 09:31:23AM -0500, Larry Letterman wrote:
> > I have eval'd the Fbox II and the SOHO unit. The install
> > was easy and the functions provided the items that the docs
> > said they would.
> > Performance was above average and the reports were very good.
>
> Does anyone know of an appliance firewall of the Watchguard/SonicWall
> variety that will create a VPN tunnel to a concentrator only upon
> request by an authenticated user?
I don't know of an appliance firewall that fits the bill, but there may be
some ugly ways to do it...
Cisco routers support both IPSec and a thing called "Lock and Key Access
Lists". You could do something like this:
1. Internal user telnets to the Cisco
2. User passes authentication (RADIUS, TACACS+ etc)
3. The router temporarily opens a hole in an ACL that allows traffic to be
sent over the VPN
4. User starts talking to VPN resource
5. Hole gets closed after an (idle or absolute) timeout
I know that's a little ugly - a two-step process for the user etc, but it
has the property you're after. You could certainly do the same thing with an
OpenBSD box running ipf and ipsec - you might have to cut some code though.
If you have money to burn you could investigate one of the solutions whereby
users get put into different VLANs based on their login. Then you could
simply allow source IP addresses in your trusted VLAN. Note that I will be
beaten about the head and neck for suggesting this because VLANs may not be
secure and IP spoofing is easy.
>
> Thanks,
> Steve
> [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
I love ugly, convoluted solutions to apparently simple problems. ;)
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
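As an added illustration that is not part of the original thread, the lock-and-key arrangement Ben sketches in steps 1 to 5 expressed as a minimal Cisco IOS configuration; the addresses, ACL number, dynamic-entry name, timeouts and RADIUS secret are placeholder assumptions, and the IPsec crypto map on the outside interface is assumed to be configured separately.

```cisco
! Added example: lock-and-key ACL gating inside traffic toward the VPN-protected network.
! Addresses, names, timeouts and the shared secret are placeholders, not from the thread.
aaa new-model
! Step 2: authenticate the telnet login against RADIUS, falling back to local users
aaa authentication login lock-key group radius local
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
!
! Step 3: the dynamic entry is the "hole"; it only becomes active once access-enable
! runs for an authenticated session. "timeout 120" is the absolute lifetime in minutes
! (step 5). 10.0.0.0/8 stands in for the remote network reached through the IPsec tunnel.
access-list 101 dynamic vpn-users timeout 120 permit ip any 10.0.0.0 0.255.255.255
! Step 1: inside users may reach the router's telnet port in order to authenticate
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
! Everything else from the inside toward the tunnel network is denied by the implicit deny
!
interface Ethernet0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
line vty 0 4
 login authentication lock-key
 ! After a successful login, create the dynamic entry for the caller's source
 ! address only ("host"), close it after 10 idle minutes (step 5), and drop the
 ! telnet session; this is the two-step process for the user noted in the thread.
 autocommand access-enable host timeout 10
```

The dynamic entry is keyed on the source address, so the VLAN/spoofing caveat Ben raises applies here too: anyone who can originate packets with that address while the entry is open gets through the hole.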