
Let's assume:

  1. I allow all of my VPN users to connect to various internal services (the VPN's IP is allow-listed)
  2. My VPN will be connected to a 3rd-party network via an IPsec site-to-site tunnel. The purpose of this tunnel is to allow my users to securely access resources (at least FTP) of a 3rd party.

Question 1: Does this new connection compromise my VPN? Specifically, does it mean that now any client connected on the new end of the tunnel will gain access to my internal services?

Question 2: If yes, are there any generic guardrails I need to implement, or will it depend specifically on the capabilities of my VPN provider?

Edit: in other words, the question is whether an IPsec tunnel can be unidirectional, or whether it is always bidirectional once opened and I need to "firewall" it?

user2530062
  • Way too little information on the various elements of the system and their configuration. Cannot be conclusively answered. – Bruno Rohée Jun 14 '22 at 09:21

1 Answer


It's possible for a client to open a tunnel between its location and the IPsec destination. SSH is a good example. If the client inside the VPN runs this:

ssh -R 8080 user@something-at-ipsec-side

He can then use port 8080 on something-at-ipsec-side as a SOCKS5 proxy. Anyone with access to something-at-ipsec-side can now connect to any address reachable by the client on the VPN side.

As the SSH tunnel runs encrypted, your firewalls cannot detect it. It runs on the SSH client, so anyone can download PuTTY, for example, and create tunnels. It will need some setup on the remote IPsec site, but it's nothing challenging.

ThoriumBR
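An added illustration, not code from the question or the answer above, of the two points the thread turns on: the IPsec SA itself carries packets both ways, so "unidirectional" access comes only from the filtering policy applied to the tunnel, and a stateful policy that permits an outbound SSH session cannot see what the reverse tunnel carries back inside it. The addresses, ports and rule set are assumed example values, and the firewall is a minimal model written for this example, not a real packet filter.

```python
"""Direction-aware policy model for traffic over a site-to-site IPsec tunnel.

Added example: a toy stateful firewall. New connections are admitted only by
explicit rules; return traffic rides on the state those rules created. Every
address, port and rule below is an assumed example value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")         # assumed: addresses of VPN clients
INTERNAL = ip_network("10.10.0.0/16")        # assumed: internal services
THIRD_PARTY = ip_network("192.168.50.0/24")  # assumed: remote side of the tunnel


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# (source network, destination network, destination ports) that may open
# *new* connections across the tunnel. Nothing from THIRD_PARTY appears as a
# source, so the remote site cannot initiate anything towards INTERNAL even
# though the IPsec tunnel forwards packets in both directions.
BASE_RULES = [
    (VPN_POOL, THIRD_PARTY, {21}),  # VPN users -> 3rd-party FTP control channel
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()  # (src, dst, dport) of admitted connections

    def new_connection(self, flow: Flow) -> bool:
        """Admit a connection attempt only if an explicit rule matches it."""
        s, d = ip_address(flow.src), ip_address(flow.dst)
        for src_net, dst_net, ports in self.rules:
            if s in src_net and d in dst_net and flow.dport in ports:
                self.established.add((flow.src, flow.dst, flow.dport))
                return True
        return False

    def reply(self, src: str, dst: str, sport: int) -> bool:
        """Return traffic is allowed only for a connection already admitted."""
        return (dst, src, sport) in self.established


def evaluate(allow_ssh: bool = False) -> dict:
    """Decisions for a few representative flows under the assumed policy."""
    rules = list(BASE_RULES)
    if allow_ssh:
        rules.append((VPN_POOL, THIRD_PARTY, {22}))  # also permit outbound SSH
    fw = StatefulFirewall(rules)
    client, internal_host, remote_host = "10.8.0.5", "10.10.1.20", "192.168.50.10"
    return {
        # Intended use: a VPN user reaches the 3rd party's FTP server.
        "user_to_ftp": fw.new_connection(Flow(client, remote_host, 21)),
        # The tunnel is bidirectional, but no rule lets the remote side in.
        "remote_to_internal_smb": fw.new_connection(Flow(remote_host, internal_host, 445)),
        # Whether the user can even set up `ssh -R` depends on the rule set.
        "user_to_ssh": fw.new_connection(Flow(client, remote_host, 22)),
        # Anything the remote SOCKS users send back through the reverse tunnel
        # arrives as packets of the established SSH session: the firewall only
        # ever sees replies to a connection it already allowed.
        "reverse_tunnel_traffic": fw.reply(remote_host, client, 22),
    }


if __name__ == "__main__":
    for allow_ssh in (False, True):
        print(f"allow_ssh={allow_ssh}: {evaluate(allow_ssh)}")
```

With only the FTP rule, the remote site cannot open connections towards internal hosts and the user cannot reach an SSH listener to build the reverse tunnel at all; once outbound SSH is permitted, the reverse tunnel's traffic is indistinguishable from ordinary replies, which is the point the answer makes about firewalls not detecting it. Two caveats for a real deployment: a listener on the remote side can be bound to port 21 just as easily as 22, so port-based rules limit but do not eliminate the tunnelling risk, and real FTP needs either a protocol helper or an explicit passive-mode port range in addition to port 21.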