We need to submit required health assessments electronically, but our IT administration will not allow us to open the ports required for a broadband connection. So we want to establish an IPsec tunnel

    Requires Free Membership to View

connection between specific internal users and another secure network. All traffic by default will be tunneled through the gateway. The IPsec tunnel does not support NAT-T or UDP encapsulation, and there will be no split-tunneling. A unique source IP address is also required for each user session. Are there any security risks in creating this IPsec tunnel?

Unfortunately, I can't give you the pat "No" answer that you probably want to hear. There is a security risk inherent in creating any type of VPN tunnel. The real question you need to ask is, "What's the best way to achieve the business objectives in a manner consistent with your organization's security policy?" The answer very well could be an IPsec tunnel, but there are concerns with that approach.

First, what is the other "secure network" that you plan to connect your clients to? Is it operated by the state? Setting up a VPN connection from systems on your network to a network outside of your control could expose the organization to significant security risks, especially if you do not use split tunneling, which enables users to access both remote VPN resources as well as those on a local or public network. By forcing all traffic from those systems through the remote network, the administrators of that remote network have the ability to eavesdrop on all communications from the VPN clients, not just those bound for the destination network.

Second, consider the reasoning behind your IT group's reluctance to open firewall ports. Are there security concerns with the application you're using? It's important that you take the time to understand its position and ensure that whatever approach you decide upon meets the security/business balance described earlier.

From the tone of your question, I'm guessing you might have an adversarial relationship with the security folks within your organization. That's unhealthy for both parties. If possible, try to build bridges into the IT group and use those relationships to help develop a compromise that meets everyone's needs. Remember, business and security professionals are all on the same team, trying to achieve the same mission. They do, however, have different perspectives on what's best for the organization. Put yourself in your counterparts' shoes and try to understand that they're attempting to manage the risk to the business.

Finally, does the state offer an alternative approach for uploading your assessments? Nowadays, it's common for most of these applications to use a standard HTTPS interface that runs over port 443. Almost every firewall configuration out there allows internal users to access Internet sites on this port. Finding such an alternative could eliminate your security woes and simplify your environment.


 

This was first published in February 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.