We need to submit required health assessments electronically, but our IT administration will not allow us to open the ports required for a broadband connection. So we want to establish an IPsec tunnel
connection between specific internal users and another secure network. All traffic by default will be tunneled through the gateway. The IPsec tunnel does not support NAT-T or UDP encapsulation, and there will be no split-tunneling. A unique source IP address is also required for each user session. Are there any security risks in creating this IPsec tunnel?
Unfortunately, I can't give you the pat "No" answer that you probably want to hear. There is a security risk inherent in creating any type of VPN tunnel. The real question you need to ask is, "What's the best way to achieve the business objectives in a manner consistent with your organization's security policy?" The answer very well could be an IPsec tunnel, but there are concerns with that approach.
First, what is the other "secure network" that you plan to connect your clients to? Is it operated by the state? Setting up a VPN connection from systems on your network to a network outside of your control could expose the organization to significant security risks, especially if you do not use split tunneling, which enables users to access both remote VPN resources as well as those on a local or public network. By forcing all traffic from those systems through the remote network, the administrators of that remote network have the ability to eavesdrop on all communications from the VPN clients, not just those bound for the destination network.
Second, consider the reasoning behind your IT group's reluctance to open firewall ports. Are there security concerns with the application you're using? It's important that you take the time to understand its position and ensure that whatever approach you decide upon meets the security/business balance described earlier.
From the tone of your question, I'm guessing you might have an adversarial relationship with the security folks within your organization. That's unhealthy for both parties. If possible, try to build bridges into the IT group and use those relationships to help develop a compromise that meets everyone's needs. Remember, business and security professionals are all on the same team, trying to achieve the same mission. They do, however, have different perspectives on what's best for the organization. Put yourself in your counterparts' shoes and try to understand that they're attempting to manage the risk to the business.
Finally, does the state offer an alternative approach for uploading your assessments? Nowadays, it's common for most of these applications to use a standard HTTPS interface that runs over port 443. Almost every firewall configuration out there allows internal users to access Internet sites on this port. Finding such an alternative could eliminate your security woes and simplify your environment.
This was first published in February 2009