Posted by: Troy Tate
administration, awareness, blog, CIO, Data security, DataCenter, DataManagement, design, Firewalls, Networking, Policy, policy enforcement, risk, Security, WAN
You may have seen in one of my past blog posts that we relocated a site over a weekend. As a result of that move we are continuing to clean up various network access issues for services that existed in the old facility but are not available at the new facility.
In the old facility some of the users were required to use a kiosk or standalone computer to access customer extranets using VPN. We wanted to make this easier in the new facility and get rid of the standalone computers and internet connections. As we approach each instance of VPN access, we have to ask the standard questions: what is the destination IP address, and what ports need to be opened on the firewall for this service? I recently came across a customer technology staff member at another organization who was responsible for the remote access service but could not answer these standard application questions. The answer I was given was just to open any-to-any ports for their destination IP (at least he knew their IP address for this service). I don’t think this was a junior staff member answering the question, either. This is the person responsible for interfacing with suppliers!
Well, after walking around and burning off some frustration, I took some steps to try to identify how the application works and make firewall changes according to what I discovered. Working with my managed security partner, I went through the following steps:
1. Configure a private client machine and designate it as the single source of traffic.
2. Define a firewall rule to permit any traffic from this client to the destination IP.
3. Run the VPN application and capture the protocols and TCP/UDP ports used during the conversation.
4. Remove the permit-any rule from step #2 and open only the ports discovered in step #3.
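To make steps 3 and 4 concrete, here is an added example of my own; it is not code from the original post or from the managed security partner. It assumes the step 3 capture is available as text in the shape of `tcpdump -nn -tt -q` output, and the client address 10.1.2.50, the gateway address 203.0.113.10 and every packet line in it are constructed. It only counts packets in the client-to-destination direction (the direction the firewall rule permits; return traffic is the state table's job), it emits one rule per protocol and port actually observed in iptables syntax (one concrete syntax, since the post does not name the firewall), and it covers the caveat a TCP/UDP-only port list misses: IPsec ESP (IP protocol 50) and ICMP carry no port, so they need a protocol rule rather than a port rule. It also includes a check for the "some other ports" situation: compare a capture taken after tightening against the permitted set instead of going back to permit-any.

```python
"""Turn a 'permit any from one client' capture into least-privilege firewall rules.

Added example, not from the original post. Assumes the capture is text in the shape
of `tcpdump -nn -tt -q` output; CLIENT, DEST and all packet lines are constructed.
"""
import re
from collections import defaultdict

CLIENT = "10.1.2.50"    # constructed: the single designated source machine (step 1)
DEST = "203.0.113.10"   # constructed: the customer's VPN gateway (documentation range)

# Constructed capture lines: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <summary>".
# Includes an SSL-VPN style TCP/443 session, IKE (udp/500), NAT-T (udp/4500),
# raw ESP and ICMP with no port at all, one return packet and one unrelated DNS query.
SAMPLE_CAPTURE = """\
1700000000.101 IP 10.1.2.50.56012 > 203.0.113.10.443: tcp 0
1700000000.112 IP 203.0.113.10.443 > 10.1.2.50.56012: tcp 0
1700000000.130 IP 10.1.2.50.56012 > 203.0.113.10.443: tcp 517
1700000000.205 IP 10.1.2.50.500 > 203.0.113.10.500: UDP, length 396
1700000000.250 IP 10.1.2.50.4500 > 203.0.113.10.4500: UDP, length 240
1700000000.310 IP 10.1.2.50 > 203.0.113.10: ESP(spi=0xc0ffee01,seq=0x1), length 116
1700000000.400 IP 10.1.2.50 > 203.0.113.10: ICMP echo request, id 7, seq 1, length 64
1700000000.450 IP 10.1.2.50.49212 > 10.1.2.1.53: UDP, length 41
"""

# Constructed second capture, taken after tightening: the application tries a port
# that the first session never used.
FOLLOWUP_CAPTURE = """\
1700003600.010 IP 10.1.2.50.56100 > 203.0.113.10.443: tcp 0
1700003600.020 IP 10.1.2.50.56101 > 203.0.113.10.8443: tcp 0
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def split_host_port(endpoint):
    """'10.1.2.50.56012' -> ('10.1.2.50', 56012); a bare IPv4 address -> (addr, None)."""
    host, _, last = endpoint.rpartition(".")
    if host.count(".") == 3 and last.isdigit():
        return host, int(last)
    return endpoint, None


def classify(summary, has_ports):
    """Protocol label from the tcpdump summary: 'tcp', 'udp', or a port-less protocol name."""
    s = summary.lower()
    if s.startswith("tcp") or "flags [" in s:
        return "tcp"
    if has_ports:          # port-bearing and not TCP: 'UDP, length N' or NAT-T 'UDP-encap: ESP(...)'
        return "udp"
    m = re.match(r"[a-z0-9-]+", s)   # 'esp(spi=...' -> 'esp', 'icmp echo ...' -> 'icmp'
    return m.group(0) if m else "unknown"


def extract_flows(capture_text, client, dest):
    """Step 3: count packets per (proto, dst_port) sent by client to dest.

    Anything not in that direction is returned separately as 'skipped' so the
    analyst can see what was ignored rather than silently losing it."""
    flows = defaultdict(int)
    skipped = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, _ = split_host_port(m["src"])
        dst, dport = split_host_port(m["dst"])
        if src != client or dst != dest:
            skipped.append(line)
            continue
        flows[(classify(m["rest"], dport is not None), dport)] += 1
    return dict(flows), skipped


def _order(key):
    return (key[0], key[1] or 0)


def build_rules(flows, client, dest):
    """Step 4: one rule per observed (protocol, port), nothing broader.

    Port-less protocols (esp, icmp) get a '-p <proto>' rule only; return traffic is
    expected to be matched by a separate ESTABLISHED,RELATED rule, so no reverse ports."""
    rules = []
    for proto, port in sorted(flows, key=_order):
        rule = f"iptables -A FORWARD -s {client} -d {dest} -p {proto}"
        if port is not None:
            rule += f" --dport {port}"
        rules.append(rule + " -j ACCEPT")
    return rules


def uncovered(observed_flows, permitted_flows):
    """What a later capture shows the application using that the tightened rules do not permit."""
    return sorted((k for k in observed_flows if k not in permitted_flows), key=_order)


if __name__ == "__main__":
    flows, skipped = extract_flows(SAMPLE_CAPTURE, CLIENT, DEST)
    for rule in build_rules(flows, CLIENT, DEST):
        print(rule)
    print(f"# ignored {len(skipped)} packets not from {CLIENT} to {DEST}")
    later, _ = extract_flows(FOLLOWUP_CAPTURE, CLIENT, DEST)
    print("# still needed after tightening:", uncovered(later, flows))
```

Two practical notes: keep the permit-any rule from step 2 logging while the capture runs so the firewall's own log can be checked against the packet capture, and run the application through every workflow the users actually perform (login, file transfer, reconnect after idle) before tightening, since a port that is only used on reconnect will not appear in a single short session.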
Well, things did work pretty well, but apparently there are some other ports that need to be opened, so once again I am asking this customer to help us, as their supplier, to gain access to their network. We will see if I have to get someone else involved in his organization, even though I was told he manages this by himself.
hmmmm… so have you ever had to train someone at another organization that you deal with how to do their job?