Creating Multiple Encryption Domains

[BarryStiefel]

Creating Multiple Encryption Domains



Security restrictions demand that a VPN doesn't allow access to all hosts on our network. How do we create multiple encryption domains for each VPN partner?

Answer It is not possible to set up multiple encryption domains for the same firewall. Nor is there any real case where this would be necessary. It's the encryption domain which indicates that this firewall should receive encrypted packets for the hosts it protects. As such, your encryption domain is everything behind your firewall.



However, connections to and from sites are still mediated by the rulebase. It is here that zou specify, the access allowed via the tunnel. You can set up your rules so one site has access to one group of hosts and another side has access to a different group of hosts. Each group is then a subset of the encryption domain. The only thing that changes is how you set up your encryption rules.

Consider the following example:

• MySite's encryption domain is 10.0.0.0/24
• SiteA's encryption domain is 172.16.0.0/24
• SiteB's encryption domain is 192.168.0.0/24

Generally, your rulebase would look like this:

Source Destination Service Action MySite-encdomain SiteA-encdomain & SiteB-encdomain Any Encrypt SiteB-encdomain & SiteA-encdomain MySite-encdomain Any Encrypt



Many firewall admins prefer to create groups including either the networks or hosts containing the nodes on each side. This group is set as both the source and destination. However, it requires that the service access is symmetric. A rulebase could look like this:

Source Destination Service Action SiteAallowed-encgroup SiteAallowed-encgroup CIFS, HTTP Encrypt SiteBallowed-encgroup SiteBallowed-encgroup termserv Encrypt



However, if one site should have more access than another, this syntax can't be used. However, it's still a good idea to create groups.

Source Destination Service Action SiteAhostsAllowed extranet-server HTTP Encrypt extranet-server SiteAhostsAllowed CIFS Encrypt

As a side note, Check Point recommends using networks and address ranges whenever possible rather than a lot of hosts etc for performance reasons.

-- RobertGraham - 10 Jan 2004

FAQForm FAQs.Class: EncryptionFAQs FAQs.OS: FAQs.Version:

[kumark]

Hello
We recently upgraded our Product to NGX on Windows 2000 SP4. We have windows 2000 RRAS server on one of the LAN segments to which remote users connect to access the Intranet. Remote users are able to access all LAN segments other than the RRAS Server LAN segment. It used to work when we were running NG but not anymore.
Any help in this regard is greatly appreciated