VPN Firewalls- Stopping Crooks

A VPN deployment needs a matching firewall strategy. The firewall enforces the perimeter; the VPN provides authenticated, encrypted access through that perimeter over the Internet.
The risks a VPN addresses are weak user authentication and eavesdropping on sensitive data in transit. Putting the VPN server behind, or alongside, a properly filtered firewall does not replace those protections; it limits what can reach the VPN server from the Internet to the tunnel protocols themselves, and limits what tunnelled users can reach on the intranet. There are two basic architectures:
  • A firewall is between the VPN server and the Internet.
  • The VPN server is connected to the Internet and the firewall is between the VPN server and the intranet.

VPN server behind a firewall

In this configuration the firewall sits between the VPN server and the Internet. The VPN server is one more resource on the perimeter network (screened subnet or DMZ, demilitarized zone), which is usually a separate IP network segment that also hosts the web and FTP servers. The firewall must therefore carry packet filters on both of its interfaces, in addition to the PPTP/L2TP/IPsec packet filters configured on the VPN server itself (those are described under VPN Server in Front of a Firewall). The filtering is two-fold:
  • Filters between the intranet computers and the VPN server
  • Filters between the Internet and the VPN server
Firewall filter configuration for Internet Interface
The firewall's Internet interface needs the following filters, each given as the IP address, protocol and port that must be permitted. Anything not listed is dropped.

Inbound Traffic
PPTP
To allow PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
  • Destination IP address = Perimeter network interface of VPN server
  • TCP destination port = 1723 (0x6BB)
To allow tunneled PPTP data from the PPTP client to the PPTP server.
  • Destination IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 47 (0x2F)
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). This filter is needed in addition to the PPTP filters configured on the server, and should only accept replies to connections the VPN server initiated.
  • Destination IP address = Perimeter network interface of VPN server
  • TCP source port = 1723 (0x6BB)
L2TP/IPsec
To allow IKE traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • UDP destination port = 500 (0x1F4)
To allow IPSec NAT-T traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • UDP destination port = 4500 (0x1194)
To allow IPSec ESP traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 50 (0x32)


Out Bound Traffic
PPTP
To allow PPTP tunnel maintenance traffic from the PPTP server to the PPTP client.
  • Source IP address = Perimeter network interface of VPN server
  • TCP source port = 1723 (0x6BB)
To allow tunneled PPTP data from the PPTP server to the PPTP client.
  • Source IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 47 (0x2F)
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). This filter is needed in addition to the PPTP filters configured on the server.
  • Source IP address = Perimeter network interface of VPN server
  • TCP destination port = 1723 (0x6BB)
L2TP/IPsec
To allow IKE traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • UDP source port = 500 (0x1F4)
To allow IPSec NAT-T traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • UDP source port = 4500 (0x1194)
To allow IPSec ESP traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 50 (0x32)
Firewall filter configuration for Perimeter Network Interface
The firewall's perimeter network interface needs the following filters. Here "inbound" means traffic arriving at the firewall from the VPN server and "outbound" means traffic sent by the firewall towards the VPN server.

Inbound Traffic
PPTP
To allow PPTP tunnel maintenance traffic from the VPN server to the VPN client.
  • Source IP address = Perimeter network interface of VPN server
  • TCP source port = 1723 (0x6BB)
To allow tunneled PPTP data from the VPN server to the VPN client.
  • Source IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 47 (0x2F)
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). This filter is needed in addition to the PPTP filters configured on the server.
  • Source IP address = Perimeter network interface of VPN server
  • TCP destination port = 1723 (0x6BB)
L2TP/IPSec
To allow IKE traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • UDP source port = 500 (0x1F4)
To allow IPSec NAT-T traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • UDP source port = 4500 (0x1194)
To allow IPSec ESP traffic from the VPN server.
  • Source IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 50 (0x32)


Outbound Traffic
PPTP
To allow PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
  • Destination IP address = Perimeter network interface of VPN server
  • TCP destination port = 1723 (0x6BB)
To allow tunneled PPTP data from the PPTP client to the PPTP server.
  • Destination IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 47 (0x2F)
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). This filter is needed in addition to the PPTP filters configured on the server, and should only accept replies to connections the VPN server initiated.
  • Destination IP address = Perimeter network interface of VPN server
  • TCP source port = 1723 (0x6BB)
L2TP/IPSec
To allow IKE traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • UDP destination port = 500 (0x1F4)
To allow IPSec NAT-T traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • UDP destination port = 4500 (0x1194)
To allow IPSec ESP traffic to the VPN server.
  • Destination IP address = Perimeter network interface of VPN server
  • IP Protocol ID = 50 (0x32)


Note: no filters are required at the firewall for L2TP traffic on UDP port 1701. All L2TP traffic crossing the firewall, including tunnel maintenance and tunneled data, is encapsulated in IPsec ESP and is therefore covered by the IP protocol 50 filter (or by the UDP 4500 filter when NAT-T is in use). A filter that opened UDP 1701 would only admit unencrypted L2TP, which is exactly what should be refused.

VPN Server in Front of a Firewall

The VPN server is connected directly to the Internet and the firewall sits between the VPN server and the intranet. Inbound tunnel traffic is decrypted by the VPN server and then forwarded to the firewall, which filters it like any other intranet-bound traffic; the firewall can therefore restrict which intranet resources VPN users may reach, and can also stop non-VPN users from reaching those resources. Because the VPN server's Internet interface is directly exposed, it must carry its own inbound and outbound packet filters that allow only VPN traffic to and from the server's Internet address. An additional firewall can also be placed between the VPN server and the Internet.
Packet filter configuration for the VPN server's Internet Interface
The following filters are applied on the VPN server's Internet interface, each given as the IP address, protocol and port that must be permitted. Unlike the firewall filters above, these run after IPsec has removed the ESP encapsulation, so L2TP appears as UDP port 1701 and no filter for IP protocol 50 is listed.

Inbound Traffic
PPTP
To allow PPTP tunnel maintenance to the VPN server.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • TCP destination port = 1723
To allow tunneled PPTP data to the VPN server.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • IP Protocol ID = 47
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). TCP traffic is accepted only after the VPN server has initiated the connection.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • TCP (established) source port = 1723
L2TP/IPsec
To allow IKE traffic to the VPN server.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP destination port = 500
To allow L2TP traffic from the VPN client to the VPN server.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP destination port = 1701
To allow IPSec NAT-T traffic from the VPN client to the VPN server.
  • Destination IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP destination port = 4500


Outbound Traffic
PPTP
To allow PPTP tunnel maintenance traffic from the VPN server.
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • TCP source port = 1723
To allow tunneled PPTP data from the VPN server.
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • IP Protocol ID = 47
Site-to-site VPN connection only, where the VPN server acts as the VPN client (calling router). TCP traffic is sent only on a connection the VPN server has initiated.
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • TCP (established) destination port = 1723
L2TP/IPSec
To allow IKE traffic from the VPN server.
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP source port = 500
To allow L2TP traffic from the VPN server to the VPN client.
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP source port = 1701
To allow IPSec NAT-T traffic from the VPN server to the VPN client
  • Source IP address = Internet interface of VPN server
  • Subnet mask = 255.255.255.255
  • UDP source port = 4500

Firewall Products

Firewall hardware from some suppliers is listed below with the available ports and data transfer rate
  • Cisco- PIX Firewall 501 for PC's (100 Mbps, 4 Ports, Cable Connectivity )
  • Citrix- SonicWALL PRO 100 for PC's (100 Mbps, 3 Ports, Cable Connectivity )
  • WatchGuard Technologies- WatchGuard Firebox 700 for PC's (100 Mbps, 3 Ports, Cable Connectivity)
  • Network Associates - EPL-X250-NA-270I for UNIX based PC's (100 Mbps, 2 Ports, Cable Connectivity)
  • Symantec Norton - Firewall/VPN 100 for PC's (100 Mbps, 4 Ports, Cable Connectivity )
  • Lucent - VPN Firewall Brick 80 for PC's, Mac OS and UNIX (100 Mbps, 4 Ports, Cable Connectivity)
  • Nokia - IP440 for PC's (100 Mbps, 4 Ports, Cable Connectivity )
  • Nortel - Alteon Switched Firewall 5105 for PC's (4 Ports, Cable Connectivity )
Firewall VPN software suppliers and their products are listed below. The choice depends on your system platform
  • Symantec firewall VPN - Symantec Norton Personal Firewall 2003 - Full Version, PC Version, CD-ROM, For Win 2000 Pro / Win 98/ME / Win XP Pro.
  • Network Associates - McAfee Firewall 4.0 - Full Version, PC version CD-ROM, For Win ME / Win 2000 Pro / Win 98 / Win XP Pro
  • Check Point - FireWall-1 Next Generation Internet Gateway - Full Version, PC, Unix Version, License Qty: 25 nodes, CD-ROM, For Win 2000/NT 4.0 / Solaris / Win 98
  • Lotus -IBM Firewall --License Only Version, PC, Unix Version, Volume License, License Qty: 1 gateway, For Win NT / AIX, Firewalls
  • Computer Associates - ETrust Virus Defense Solution - PC, Unix Version, License Qty: 1 node, For Win 2000/NT 4.0 / Linux / NetWare / Win 98/ME, Firewalls, Antivirus
  • Lucent -SecureConnect - Full Version, PC Version, License Qty: 1 router, CD-ROM, For Win 95/98 / Win NT 4.0 or later, Firewalls
Companies increasingly subscribe to services that require Internet access. To control the resulting risk and protect both individual computers and corporate networks, a firewall is a necessary part of Internet security. It does not provide complete security, but it offers reasonable protection against unwanted intruders. Two further points apply to the filter sets above: the firewall only sees the outside of the tunnel, so the strength of the VPN still rests on the tunnel protocol itself (PPTP's MS-CHAP v2 authentication and MPPE encryption are considered weak by today's standards, so prefer L2TP/IPsec where you can), and whatever users reach once inside the tunnel is governed by the intranet-side filters, not by the Internet-side ones.
