best practice-VPN vs inbound rule
best practice-VPN vs inbound rule - 14.Apr.2008 9:23:37 PM
RedDog
Posts: 74
Joined: 11.Feb.2002
Status: offline
Vendor wants to connect through the internet to control a device on our network, via port 80, inbound. We do not host our own web site, so currently have no inbound port 80 traffic. If allowed, I would make a rule allowing inbound from their IP only to the device's IP only. I want to require use of VPN. What (generally) would best practice be? (Vendor doesn't want to use VPN.) If VPN is (generally) recommended, why? My argument is that I just don't like allowing ANY inbound on port 80 (cannot use an alternative port). VPN is more secure while traveling through the internet, but the vendor's control device doesn't really carry any "secrets", so the vendor doesn't care about that. Comments?
RE: best practice-VPN vs inbound rule - 15.Apr.2008 4:12:19 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You have two choices to avoid port 80.

Option 1. Insist on VPN. Then use an Access Rule to limit traffic from the specific VPN user to the specific target machine on port 80:
Source: VPN Client Network
Destination: <IP# of Server running port 80>
User: <the specific user account you create for them>
Protocol: HTTP

Option 2. Do a Web Server Publishing Rule that uses a Listener on some other odd port. Then send it back to the published server on port 80. The web server publishing can get more specific about the source of the traffic than other types of publishing rules can get.
_____________________________
Phillip Windell www.wandtv.com
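Option 1 from the reply above, expressed as a script rather than GUI clicks. This is an added example and is not code from the original post or from the thread's participants. It drives the ISA Server 2004/2006 COM object model (ProgID `FPC.Root`) from PowerShell on the ISA server itself; the rule name, the device name and its address (10.0.0.50) are placeholders, the user set "Vendor VPN Users" is assumed to already exist under Firewall Policy > Toolbox > Users with the vendor's account in it, and the property and method names (`GetContainingArray`, `RuleElements.Computers.Add`, `PolicyRules.AddAccessRule`, `AccessProperties.SpecifiedProtocols`, `SourceSelectionIPs`, `DestinationSelectionIPs`, `UserSets`) are written from memory of the ISA SDK reference and should be checked against it before use.

```powershell
# Added example (not from the original post). Builds the "VPN user -> one host, HTTP only"
# access rule described in the reply above via the ISA Server COM API. Run elevated, on the
# ISA server, as an ISA administrator. Names/addresses are placeholders; API member names are
# assumed from the ISA 2004/2006 SDK and must be verified against the SDK reference.

$fpcInclude            = 0   # FpcInclusionTypes.fpcInclude
$fpcAllow              = 0   # FpcPolicyRuleActions.fpcPolicyRuleActionAllow
$fpcSpecifiedProtocols = 1   # FpcProtocolSelectionType.fpcSpecifiedProtocols

$root     = New-Object -ComObject "FPC.Root"
$isaArray = $root.GetContainingArray()

# 1. A Computer rule element for the vendor's control device, so the rule can
#    target exactly one internal host instead of a network. (placeholder address)
$device = $isaArray.RuleElements.Computers.Add("Vendor Control Device", "10.0.0.50")

# 2. The access rule itself. Every selector narrows the match:
#      Source      = the built-in "VPN Clients" network (traffic must arrive via the VPN)
#      Destination = the single device above
#      Protocol    = HTTP only (ISA's predefined TCP/80 outbound protocol definition)
#      Users       = only the vendor's user set (RRAS authenticates the VPN session,
#                    so the rule can key on that identity, not just on a source IP)
$rule = $isaArray.ArrayPolicy.PolicyRules.AddAccessRule("Vendor device HTTP via VPN")
$rule.Action = $fpcAllow
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
$rule.AccessProperties.SpecifiedProtocols.Add("HTTP", $fpcInclude)
$rule.SourceSelectionIPs.Networks.Add("VPN Clients", $fpcInclude)
$rule.DestinationSelectionIPs.Computers.Add($device.Name, $fpcInclude)
$rule.AccessProperties.UserSets.Add("Vendor VPN Users", $fpcInclude)   # assumed pre-existing

# 3. Nothing is applied until the configuration is saved.
$isaArray.Save()
```

The point of keying on the user set as well as on the VPN Clients network is that a VPN address alone says only "some VPN user"; with the user set, the allowed path exists only while that one account's VPN session is up, and ISA's default rule still denies everything else. If you also have a "deny all" or other broad rule earlier in the policy, move this rule above it, since ISA evaluates rules in order and stops at the first match.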
RE: best practice-VPN vs inbound rule - 15.Apr.2008 4:19:53 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
By the way... don't forget they are only the Vendor... it "ain't their network"... it is yours... you make the rules, not them. They need to adjust how they do things (or how they are willing to do things) to accommodate you... not the reverse. If it were you accessing their network, then they would be expected to dictate how things are. As far as the thing not "carrying any secrets"... fine, but it doesn't matter if they don't care about that part... it is your network being entered from the outside, it is your network absorbing the risk... not their server. "Who cares" about the data moving over the wire... it is the fact that a connection is allowed and what else might be able to use the connection. Now I'm not saying that this is a high-risk situation, it probably isn't, but I am speaking about principles and who is potentially at risk and who needs to be "in charge".
_____________________________
Phillip Windell www.wandtv.com