Bringing VPN users onto your network raises decisions about which network resources and subnets you want to share with them. Both IPsec and OpenVPN include methods for sharing exported networks, but sometimes you need to be more concerned about restricting resources.
The principle of least privilege is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.
When you export a network in OpenVPN or share a remote network in IPsec, you are allowing all VPN users of that application access to the resources on the shared network. However, you may not want every VPN user to have access to every server, service, or resource on that subnet. Here's how you can further restrict your VPN users' access using Forward Filter and Firewall rules.
Forward Filter rules (located at Config > Network > Advanced tab > Filter Rules) apply to traffic going through the Untangle server and are useful for blocking it. They also apply to bypassed traffic, which the Firewall never sees. This means that if you want to block anything that is bypassed, you should use a Forward Filter rule. Since IPsec traffic is often bypassed, a Forward Filter rule is ideal for restricting specified IPsec traffic from reaching certain resources.
For example, suppose you have an IPsec site-to-site tunnel where endpoint A shares its local network 192.168.102.0/24 and endpoint B shares its local network 10.10.0.0/16. If endpoint A does not want any of endpoint B's users to access a server at 192.168.102.5, you would create the following rule in the Forward Filter rule section:
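As an added illustration (not from the original page, and not Untangle's own rule format), a small Python model of the distinction described above: a block rule placed in the Forward Filter still applies to bypassed tunnel traffic, while the same rule placed only in the Firewall does not. The `Rule`/`Packet` classes, the evaluation order and the sample client address 10.10.4.7 are assumptions; the networks and the server address are those from the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """Simplified block rule (assumed model, not Untangle's schema)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str = "block"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    bypassed: bool  # True when forwarded without app-layer processing

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both addresses fall inside its networks."""
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst)

def verdict(pkt: Packet, forward_filter: list, firewall: list) -> str:
    """Forward Filter rules see every packet; Firewall rules skip bypassed ones."""
    for rule in forward_filter:
        if matches(rule, pkt):
            return rule.action
    if not pkt.bypassed:
        for rule in firewall:
            if matches(rule, pkt):
                return rule.action
    return "pass"

# Site-to-site case from the text: keep endpoint B's users (10.10.0.0/16)
# away from the server at 192.168.102.5 on endpoint A's network.
DENY_B_TO_SERVER = Rule(ipaddress.ip_network("10.10.0.0/16"),
                        ipaddress.ip_network("192.168.102.5/32"))

def demo() -> dict:
    """Constructed sample traffic; IPsec tunnel traffic is modelled as bypassed."""
    to_server = Packet("10.10.4.7", "192.168.102.5", bypassed=True)
    to_other = Packet("10.10.4.7", "192.168.102.20", bypassed=True)
    return {
        # Rule in the Forward Filter: bypassed tunnel traffic is still blocked.
        "forward_filter_to_server": verdict(to_server, [DENY_B_TO_SERVER], []),
        # Same source, a different host on the subnet: still allowed.
        "forward_filter_to_other": verdict(to_other, [DENY_B_TO_SERVER], []),
        # Same rule only in the Firewall: bypassed traffic slips past it.
        "firewall_only_to_server": verdict(to_server, [], [DENY_B_TO_SERVER]),
    }
```

The third entry is the reason the page steers IPsec restrictions to the Forward Filter: the Firewall rule is correct but is never consulted for bypassed traffic.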