saml-dev message
Subject: [saml-dev] Dry run network issue with VPN access - note updated action items


Hi folks,

I had a meeting today with my network and security guys setting up the network for our dry run.

I've been told that because we've chosen non-routable IP addresses (192.168.*.*) for the demo systems, we will almost certainly not be able to use IPsec-based VPNs from those systems back to our corporate nets. There are a few exceptions, but I wouldn't count on it working. This is a restriction of IPsec. This should affect both east and west coast dry runs unless Sun has another suggestion for dealing with this.

Note that other types of internet access we discussed will work fine (HTTP, SMTP, etc.). FYI - on an earlier call, folks asked about firewall protection. Our firewalls will protect our demo network systems from internet-based probing, attacks, etc. There won't be any protection between systems on our demo net, of course (so please don't bring any viruses with you ;-)).

Don, I'm curious how the Sun network folks were planning to handle VPN access from the 192.168.16.* network with this restriction. Or had this not yet been discussed?

For the RSA-hosted dry run, I assume that folks want VPN access back to their home nets. To have this, our network folks suggested that folks need to bring along another system for their VPN access. These will be connected to another small network that they'll set up. I suppose this could be accomplished with dual network cards, but I didn't discuss that with them. These systems need a static IP address somewhere in the 204.167.113.* range in order to connect to our net. Since these addresses are routable, they'll support the VPN clients. When not running your VPN client software, we'll have things configured so those systems can still connect to the local demo systems. When the VPN software is running, you won't be able to connect to the local demo systems since most clients block access other than to the VPN target network.

For those that are interested, I've thrown together and attached a general picture (.gif) of the RSA dry run network.

They also asked me to make a modification to the DNS server name and address. In a previous mail, I listed some action items based on the DNS server being at address 192.168.16.200. They'd like me to use 192.168.16.2. As before, this isn't in a particular vendor network address space. We also gave the DNS server the name ns.saml.com.

ACTION ITEM: Don - I now recommend configuring both the Sun and RSA dry run DNS servers with the address 192.168.16.2.

ACTION ITEM: Each vendor should now configure the DNS settings on their hosts to point at 192.168.16.2 and we won't have to reconfigure any systems between the dry run and the conference.

Sorry about the change. If any network gurus have any alternative suggestions, please send them along ASAP. Our folks are moving ahead with the above configuration work.

Also, please don't forget this action item:

ACTION ITEM: Each vendor needs to provide the mappings of the URL hosts to their addresses. We'll need to load these into the DNS servers for the dry runs. While it's not a big deal to set these up when we get together for the dry runs, it would be easier if folks could send their mappings to the list before the dry runs so we can have the DNS servers ready to go when you arrive.
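As an added example (not part of Rob's message or of any SAML project code): a small Python check for the host-to-address mappings vendors would send to the list, in a simple "host address" line format. It rejects addresses outside the 192.168.16.0/24 demo range (an assumption; the message only says 192.168.16.* is used), entries that collide with the DNS server's own 192.168.16.2 / ns.saml.com, and hostnames listed twice, then renders the accepted entries as zone-file A records. The sample mappings are constructed; only ns.saml.com and 192.168.16.2 come from the message.

```python
import ipaddress

# Constructed sample of the "URL host -> address" mappings vendors would post.
# Only ns.saml.com / 192.168.16.2 come from the message; the rest is made up.
SAMPLE_MAPPINGS = """\
ns.saml.com               192.168.16.2
idp.vendor-a.saml.com     192.168.16.10
sp.vendor-a.saml.com      192.168.16.11   # SP and IdP on separate hosts
idp.vendor-b.saml.com     192.168.16.2    # collides with the DNS server
portal.vendor-c.saml.com  10.1.2.3        # not in the demo network
sp.vendor-a.saml.com      192.168.16.12   # hostname listed twice
"""

# Assumption: every demo host lives in 192.168.16.0/24; the message only says
# 192.168.16.* is used and that .2 is the shared DNS server (ns.saml.com).
DEMO_NET = ipaddress.ip_network("192.168.16.0/24")
RESERVED = {ipaddress.ip_address("192.168.16.2"): "ns.saml.com"}


def parse_mappings(text):
    """Validate 'host address' lines; return (accepted records, error messages)."""
    records, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if not fields:
            continue
        if len(fields) != 2:
            errors.append(f"line {lineno}: expected 'host address'")
            continue
        host, addr_text = fields[0].lower().rstrip("."), fields[1]
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            errors.append(f"line {lineno}: bad address {addr_text!r}")
            continue
        if addr not in DEMO_NET:
            errors.append(f"line {lineno}: {addr} is outside {DEMO_NET}")
        elif RESERVED.get(addr, host) != host:
            errors.append(f"line {lineno}: {addr} is reserved for {RESERVED[addr]}")
        elif host in seen:
            errors.append(f"line {lineno}: duplicate hostname {host!r}")
        else:
            seen.add(host)
            records.append((host, str(addr)))
    return records, errors


def zone_records(records):
    """Render accepted mappings as zone-file A records for the dry run DNS."""
    return "\n".join(f"{host}.\tIN\tA\t{addr}" for host, addr in records)
```

Running it on the sample accepts the first three lines and reports the reserved-address collision, the out-of-range address and the duplicate hostname as errors.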

Thanks!

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com

Attachment: dry run network.gif
Description: GIF image
