-----Original Message-----
From: Philpott, Robert
Sent: Wednesday, June 05, 2002 8:20 PM
To: Pyne, Stephen; Romanowski, Jan
Cc: Zolfonoon, Riaz; Berger, Jeffrey; Corman, Andy; Friedman, Larry; Kamionek, Ted; Rice, Shane; News-Groups.SAML (News-Groups.SAML@exna00.securitydynamics.com); Warren, David; Huber, William; Philpott, Robert
Subject: FW: [saml-dev] Dry run network issue with VPN access - note updated action items
-----Original Message-----
From: Philpott, Robert
Sent: Wednesday, June 05, 2002 7:51 PM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Dry run network issue with VPN access - note updated action items
Hi folks,

I had a meeting today with my network and security guys setting up the network for our dry run. I've been told that because we've chosen non-routable IP addresses (192.168.*.*) for the demo systems, we will almost certainly not be able to use IPsec-based VPNs from those systems back to our corporate nets. There are a few exceptions, but I wouldn't count on it working. This is a restriction of IPsec. This should affect both east and west coast dry runs unless Sun has another suggestion for dealing with this.
Note that other types of internet access we discussed will work fine (HTTP, SMTP, etc.). FYI - on an earlier call, folks asked about firewall protection. Our firewalls will protect our demo network systems from internet-based probing, attacks, etc. There won't be any protection between systems on our demo net, of course (so please don't bring any viruses with you ;-)).
Don, I'm curious how the Sun network folks were planning to handle VPN access from the 192.168.16.* network with this restriction. Or had this not yet been discussed?
For the RSA-hosted dry run, I assume that folks want VPN access back to their home nets. To have this, our network folks suggested that folks need to bring along another system for their VPN access. These will be connected to another small network that they'll set up. I suppose this could be accomplished with dual network cards, but I didn't discuss that with them. These systems need a static IP address somewhere in the 204.167.113.* range in order to connect to our net. Since these addresses are routable, they'll support the VPN clients. When not running your VPN client software, we'll have things configured so those systems can still connect to the local demo systems. When the VPN software is running, you won't be able to connect to the local demo systems since most clients block access other than to the VPN target network.
For those that are interested, I've thrown together and attached a general picture (.gif) of the RSA dry run network.
They also asked me to make a modification to the DNS server name and address. In a previous mail, I listed some action items based on the DNS server being at address 192.168.16.200. They'd like me to use 192.168.16.2. As before, this isn't in a particular vendor network address space. We also gave the DNS server the name ns.saml.com.
ACTION ITEM: Don - I now recommend configuring both the Sun and RSA dry run DNS servers with the address 192.168.16.2.

ACTION ITEM: Each vendor should now configure the DNS settings on their hosts to point at 192.168.16.2 and we won't have to reconfigure any systems between the dry run and the conference.
Sorry about the change. If any network gurus have any alternative suggestions, please send them along ASAP. Our folks are moving ahead with the above configuration work.
Also, please don't forget this action item:

ACTION ITEM: Each vendor needs to provide the mappings of the URL hosts to their addresses. We'll need to load these into the DNS servers for the dry runs. While it's not a big deal to set these up when we get together for the dry runs, it would be easier if folks could send their mappings to the list before the dry runs so we can have the DNS servers ready to go when you arrive.
Thanks!
Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com