How to restrict incoming VPN to one internal IP address

Thread starter: Guest

I want certain incoming VPN users on our Windows 2000 server to only have
access to a single IP address on our network (a non Windows mini computer).
Is this possible, and if so how can it be set up? We have ISAS on the server.
 
John Austin said:
I want certain incoming VPN users on our Windows 2000 server to only have
access to a single IP address on our network (a non Windows mini computer).
Is this possible, and if so how can it be set up? We have ISAS on the server.

Your firewall should handle this. You tell it to send
packets meant for port 1723 to the appropriate
IP address.
 
Your firewall should handle this. You tell it to send
packets meant for port 1723 to the appropriate
IP address.

I think it's a little more complicated than just a blanket rule - the OP
said "Certain users to access only a single IP address" meaning that
other users could access many or different IP addresses. So, you need a
firewall rule, based on User authentication, to restrict the IP that the
user can access.

So, rule 1 - User XYZ can access IP 10.0.0.50
rule 2 - User Group ABC can access IP 10.0.0.0/8
rule 3 - User Group HGF can access IP 10.0.0.20

I don't have a clue how to do it on ISA (since I would never use ISA),
but I thought the OP's request should be explained (from what I could
read of it).
 
Leythos said:
I think it's a little more complicated than just a blanket rule - the OP
said "Certain users to access only a single IP address" meaning that
other users could access many or different IP addresses. So, you need a
firewall rule, based on User authentication, to restrict the IP that the
user can access.

So, rule 1 - User XYZ can access IP 10.0.0.50
rule 2 - User Group ABC can access IP 10.0.0.0/8
rule 3 - User Group HGF can access IP 10.0.0.20

I don't have a clue how to do it on ISA (since I would never use ISA),
but I thought the OP's request should be explained (from what I could
read of it).

Good point!

If the users use the same external IP address each time then a set
of IP-based rules could be designed as per your own table:

Rule 1 - External IP address 79.78.77.76 can access IP 10.0.0.50
Rule 2 - External IP address 84.84.85.86 can access IP 10.0.0.0/8
Rule 3 - External IP address 55.45.35.25 can access IP 10.0.0.20
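The two rule tables in this exchange (Leythos's per-user rules and the per-source-address variant above) describe the same thing: a default-deny policy in which each VPN identity is allowed to reach exactly one host or one network. The script below is an added example, not code from the thread, from ISA or from any firewall vendor; it models such a table as data, evaluates a session's request against it with first-match semantics, reports which subject the match came from (what you would want in the firewall log), and lists a session's effective access for review. The `user:`/`group:`/`src:` subject syntax, the `Session` type, the group memberships and the function names are assumptions made for the illustration; the rule destinations and external addresses are the ones posted above.

```python
"""Toy evaluator for per-identity VPN access rules (added example).

Models the rule tables from the thread: each subject (a user, a user
group, or the client's external source address) may reach one host or
one network; anything not listed is denied by default.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    subject: str      # "user:<name>", "group:<name>" or "src:<external IP>" (assumed syntax)
    allowed_dst: str  # destination host or CIDR the subject may reach


@dataclass(frozen=True)
class Session:
    user: str    # authenticated VPN user name
    src_ip: str  # external address the VPN client connected from


# Rule table constructed from the two tables posted in the thread.
RULES: List[Rule] = [
    Rule("user:XYZ", "10.0.0.50"),          # one user -> one host
    Rule("group:ABC", "10.0.0.0/8"),        # one group -> whole network
    Rule("group:HGF", "10.0.0.20"),
    Rule("src:79.78.77.76", "10.0.0.50"),   # IP-based variant
    Rule("src:84.84.85.86", "10.0.0.0/8"),
    Rule("src:55.45.35.25", "10.0.0.20"),
]

# Hypothetical group membership; the thread names no users in these groups.
GROUPS = {"alice": {"ABC"}, "bob": {"HGF"}}


def subjects_for(session: Session, groups=GROUPS) -> Iterator[str]:
    """Every subject a session can match: its user, its groups, its source IP."""
    yield f"user:{session.user}"
    for group in sorted(groups.get(session.user, ())):
        yield f"group:{group}"
    yield f"src:{session.src_ip}"


def first_match(session: Session, dst_ip: str, rules=RULES, groups=GROUPS) -> Optional[Rule]:
    """Return the first rule permitting session -> dst_ip, or None (default deny)."""
    dst = ip_address(dst_ip)
    subjects = set(subjects_for(session, groups))
    for rule in rules:
        # ip_network("10.0.0.50") is the /32 host, so hosts and CIDRs share one check.
        if rule.subject in subjects and dst in ip_network(rule.allowed_dst, strict=False):
            return rule
    return None


def check(session: Session, dst_ip: str, rules=RULES, groups=GROUPS) -> Tuple[bool, str]:
    """Decide and explain; the string is what you would write to the firewall log."""
    rule = first_match(session, dst_ip, rules, groups)
    if rule is None:
        return False, f"DENY user={session.user} src={session.src_ip} dst={dst_ip} (no rule)"
    return True, (f"ALLOW user={session.user} src={session.src_ip} dst={dst_ip} "
                  f"via {rule.subject}->{rule.allowed_dst}")


def effective_access(session: Session, rules=RULES, groups=GROUPS) -> List[str]:
    """Everything the session could reach: useful when reviewing one user's rules."""
    subjects = set(subjects_for(session, groups))
    return [r.allowed_dst for r in rules if r.subject in subjects]


if __name__ == "__main__":
    # Constructed sessions; 203.0.113.9 is a documentation address.
    for sess, dst in [(Session("XYZ", "203.0.113.9"), "10.0.0.50"),
                      (Session("XYZ", "203.0.113.9"), "10.0.0.51"),
                      (Session("alice", "203.0.113.9"), "10.20.30.40"),
                      (Session("guest", "55.45.35.25"), "10.0.0.20")]:
        print(check(sess, dst)[1])
```

Two points the model makes visible: a session can match several subjects at once (its user, its groups, its source address), so rule order decides which grant is reported, and the `src:` rules only hold as long as the client really does arrive from the same external address each time, which is the condition the reply above attaches to them. Restricting what a connected VPN client may reach is also a different control from the port forwarding described in the first reply: that forwards the PPTP control connection (1723/tcp, and PPTP's GRE tunnel, IP protocol 47) to the VPN server itself, and says nothing about where the client may go afterwards.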
 
Why would you never use ISA? Just because it is MS doesn't mean it isn't
secure. I personally believe it is one of the best and I have tried them
ALL!!
 
Why would you never use ISA? Just because it is MS doesn't mean it isn't
secure. I personally believe it is one of the best and I have tried them
ALL!!

And I've used every appliance on the market and also ISA a couple years
ago. I would never trust a firewall product running on any local
computer that serves anything other than a firewall service, and, even
though I'm a MS Partner and ISV, I would never consider ISA for any
client. I'll stick with CISCO PIX and WatchGuard for firewall appliances
and for Unix/CheckPoint for Firewall Servers.
 
Why would you never use ISA? Just because it is MS doesn't mean it isn't
secure. I personally believe it is one of the best and I have tried them
ALL!!

This might explain it - since I've never seen an alert for the firewalls
that I use like this in years.

MS04-039 - Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)

- Affected Software:
  - Microsoft Proxy Server 2.0 Service Pack 1
  - Microsoft Internet Security and Acceleration Server 2000 Service Pack 1 and Microsoft Internet Security and Acceleration Server 2000 Service Pack 2
  - Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000)
  - Microsoft Small Business Server 2003 Premium Edition (which includes Microsoft Internet Security and Acceleration Server 2000)
- Impact: Spoofing
- Version Number: 1.0
 
Checkpoint and Watchguard have had several updates over the years as well
and usually MS fixes are the only ones people seem so upset by anyways. Your
reasons are obviously personal. I also love Checkpoint and the Watchguard
boxes and many of the other hardware firewalls but in reality most of them
perform almost identically and most people choose one or the other based on
price/features and not on some personal bias ;) I currently have ISA and
Checkpoint (different networks) in my office and have used several scanners
including Nessus and many others and they both report the same things.
Obviously everyone will have a different opinion on this so I don't want to
squabble and typically personal experience or other factors lead people to
purchase different things but that isn't always based on fact.
 
Here's some. Not as current as the ISA one but certainly more relevant.
Hopefully you get the point ;)

Check Point Patches Severe FireWall-1 Flaws
By Dennis Fisher
February 5, 2004


Check Point Software Technologies Ltd. on Wednesday released a fix for
a set of severe security vulnerabilities in its FireWall-1 product that
enable attackers to execute commands on the vulnerable server.

The problems are a group of format string flaws that appear when
FireWall-1 attempts to validate HTTP requests, according to analysts at
Internet Security Systems Inc., which discovered the flaws. Error messages
created when an invalid portion of a request is specified allow attackers to
provide their own format string specifiers. This in turn can lead to
corruption of memory and give attackers the ability to run their own code on
the server with super-user privileges.

FireWall-1 is among the more widely deployed enterprise firewalls on
the Internet.

Although ISS officials said exploiting the vulnerabilities is
difficult on some platforms, the company has developed an exploit that works
reliably. And, even failed attacks can interrupt all of the current HTTP
sessions on the FireWall-1 server.

The vulnerability affects FireWall-1 NG with Application Intelligence,
FireWall-1 4.1 and FireWall-1 HTTP Security Server, which is included with
NG FP1, 2 and 3.

ISS also found a vulnerability in an old version of Check Point's
VPN-1 product, which the company no longer supports. Check Point, based in
Ramat Gan, Israel, does not plan to release a patch for this issue.

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

Scott Harding - MS MVP said:
Checkpoint and Watchguard have had several updates over the years as well
and usually MS fixes are the only ones people seem so upset by anyways. Your
reasons are obviously personal. I also love Checkpoint and the Watchguard
boxes and many of the other hardware firewalls but in reality most of them
perform almost identically and most people choose one or the other based on
price/features and not on some personal bias ;) I currently have ISA and
Checkpoint (different networks) in my office and have used several scanners
including Nessus and many others and they both report the same things.
Obviously everyone will have a different opinion on this so I don't want to
squabble and typically personal experience or other factors lead people to
purchase different things but that isn't always based on fact.
 
Scott,

I get the point, the point being that all firewalls have holes in them
that require patching. Here's my point, the firewall appliances by most
vendors do not expose anything nearly as bad as a firewall running on a
system that's used by the office/company/user for anything else. What I
mean by this is that a Server (any platform) that is set up as a
firewall, doing nothing else, and not having any authentication
accounts/methods with the protected network, is going to be more secure
than something running on a server that shares even one authentication
method with the protected network.

So, when it comes to SBS, or any of my MS Servers, and I have a TON of
them, I'm not about to trust the OS vendor to secure something that is
inherently not secure by default, something that is inherently exposed
by default, something that one mistake could leave completely exposed,
and something that has a history of needing monthly patches.

When it comes to security, when I'm permitted to choose the firewall, it
will be a WatchGuard Firebox unit. They have had few security related
updates during the last 4 years and none of the units I've installed
during the last 5 years have failed or permitted a compromise of the
protected networks. Updates and security updates are different beasts,
most updates for the WG appliances have been for enhancing or adding
features and only a couple for holes in the basic features.

When it comes down to it, protecting a medical facility, accounting
firm, non-profit org, multi-branch business or even a home user, I'll
stick with a NON-MS Solution for firewalls until they start shipping
locked down systems as the default. Don't get me wrong, I've been with
MS since before DOS 3, and install lots of MS Server OS's and
workstations, but when it comes to security you're not going to get me
to bet my company reputation on ISA.
 