Great Circle Associates Firewalls
(January 1998)
 


Subject: Re: SKIP question
From: "Gary R. Wolfe" <Gary . Wolfe @ Eng . Sun . COM>
Date: Fri, 9 Jan 1998 09:47:25 -0700 (MST)
To: Bret Robinson <brobinso @ atsi . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: "Your message with ID" <199801081620 . JAA06461 @ zeus . atsi . com>
Reply-to: "Gary R. Wolfe" <Gary . Wolfe @ Eng . Sun . COM>

> I have a question about SKIP that I hope someone can help me with. We are
> testing a set-up that will allow employees to access our internal network
> from home and also allow us to connect to partners' sites using SKIP. The
> two set-ups are shown below:
> 
>    Employee access                Partner site access
>   -----------------              ---------------------
> 
>       home-pc                        partner network
>          |                                  |
>          |                                  |
>          |                                  |
>          |                                  |
>     SKIP firewall                     SKIP firewall
>          |                                  |
>          |                                  |
>          |                                  |
>          |                                  |
>    internal host(s)                   SKIP firewall
>                                             |
>                                             |
>                                             |
>                                             |
>                                       internal host(s)
> 
> 
> 
> Access between both the home-pc and SKIP firewall/gateway and between the
> two SKIP firewall/gateways is across the local cable company's network 
> (ie - Internet/untrusted network). The product(s) that we are testing is
> Sun's SKIP and their EFS software that runs on the SKIP firewall. We have
> also done the same test using just SKIP - without the EFS. Connecting to an
> internal host from the PC (using SKIP for Win95) was working until the
> cable company reconfigured their routers. We are using an "unregistered"
> network address on our internal network and it turns out that packets being
> sent back to the PC have a source address of the internal machine.

SunScreen EFS supports NAT. Can you NAT the internal hosts that have
unregistered IP addresses? 

> The
> routers are configured to drop any packets that *don't* have a source
> address of our DMZ. Sooo, my question is does anyone know how to
> configure SKIP (or EFS) so that the packets going back to the PC through
> the SKIP firewall have the source address re-written with the address of
> the external interface of that machine. 

I would try NAT first. You could also use tunnel mode for both Win 95 SKIP and
SunScreen EFS. (Note: tunneling for Win95 is available on the latest release,
12/27/97).

> We did get this to work using EFS,
> but the PC doesn't seem to want to look inside that packet to find the
> *real* IP packet. Is there something that we need to configure on the PC to
> see the encrypted packet? Or is there something else missing in the config
> of the SKIP firewall? Also, is the set-up we are trying to achieve with our
> business partners possible just using SKIP? It's probably possible with SKIP
> and EFS, but we don't want to have all our partners go out and buy a new
> Sparc and SKIP/EFS. We are hoping we can use Solaris x86 and SKIP for the
> SKIP firewalls/gateways.

With the tunneling feature of SKIP now in the Win95 product you should have no
problem. But, again, I think NAT should solve your problem.

> 
> The home-pc has been configured to use encryption between itself and the
> external interface of the SKIP gateway and also between itself and the
> internal network using the SKIP gateway as the "tunnel".
> 
> The SKIP firewall/gateway is a Sparc Ultra running both SKIP and EFS. We
> are also testing using another gateway running Solaris x86 with just
> SKIP. Both are running Solaris 2.5.1.
> 
> The local Sun SE's have not been able to resolve the question yet. They
> also tell me that SKIP encrypts the entire IP packet and puts it into
> another packet (as the data portion) regardless of whether the packet is
> going through a tunnel or not. Is this true?
> 

Yes, that is true. With SKIP, the entire original IP packet is encrypted and
then a new IP header is prepended. The default is to use the same src and dest
IP addresses as the original. With tunneling, we use different src and dest IP
addresses as defined by the tunnel.


Thanks,
Gary

=========================================================================

    /\      Gary R. Wolfe
   \\ \     Network Security Specialist
  \ \\ /    Sun Microsystems
 / \/ / /   Internet Commerce and Security
/ /   \//\  
\//\   / /  
 / / /\ /   http://www.sun.com/security
  / \\ \    Cell Phone:    (719) 331-7912
   \ \\     Fax:           (719) 481-1273
    \/      E-mail:        gary.wolfe@sun.com
=========================================================================
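The encapsulation Gary describes, and why it interacts with the cable company's ingress filter, as an added illustration that is not part of the original thread. It models SKIP-style encapsulation in Python with constructed placeholder addresses (10.1.2.3 as the unregistered internal host, 192.0.2.10 as the gateway's external DMZ interface, 198.51.100.77 as the home PC) and a toy XOR keystream standing in for SKIP's real encryption; the outer-header addressing logic (default mode copies the inner src/dst, tunnel mode uses the gateway and peer addresses) is the point being shown.

```python
import hashlib
import ipaddress
import struct

# Constructed placeholder addresses for the thread's topology (not real sites).
INTERNAL_HOST = "10.1.2.3"        # "unregistered" address on the internal network
GATEWAY_EXT = "192.0.2.10"        # SKIP firewall's external (DMZ) interface
HOME_PC = "198.51.100.77"         # home PC on the cable company's network
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
PROTO_TCP, PROTO_SKIP = 6, 57     # 57 is the IANA protocol number for SKIP

def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    # Toy XOR keystream: a stand-in for SKIP's per-packet encryption, not a real cipher.
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def skip_encapsulate(inner: bytes, key: bytes, tunnel: bool) -> bytes:
    """Encrypt the whole inner IP packet and prepend a new IP header.
    Default mode reuses the inner src/dst; tunnel mode uses gateway -> peer."""
    inner_src = str(ipaddress.ip_address(inner[12:16]))
    inner_dst = str(ipaddress.ip_address(inner[16:20]))
    body = toy_encrypt(inner, key)
    outer_src, outer_dst = (GATEWAY_EXT, HOME_PC) if tunnel else (inner_src, inner_dst)
    return ipv4_header(outer_src, outer_dst, PROTO_SKIP, len(body)) + body

def outer_source(pkt: bytes) -> str:
    return str(ipaddress.ip_address(pkt[12:16]))

def cable_router_accepts(pkt: bytes) -> bool:
    """The ISP's ingress filter from the thread: drop anything not sourced from the DMZ."""
    return ipaddress.ip_address(outer_source(pkt)) in DMZ_NET

# Constructed reply from an internal host back to the home PC (no TCP payload needed).
REPLY = ipv4_header(INTERNAL_HOST, HOME_PC, PROTO_TCP, 0)
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for mode in (False, True):
        pkt = skip_encapsulate(REPLY, KEY, tunnel=mode)
        print("tunnel" if mode else "default", outer_source(pkt), cable_router_accepts(pkt))
```

In default mode the outer source is still the internal host's address, so the router drops the reply; with the tunnel the outer source is the gateway's DMZ interface and it passes.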




