|
||||||||||
I would not trust anyone. Since you do not soley manage the Netscreen, your best bet is probably to do what Moreno said: "2) use 2 monowall on you side (one behind the other)" This way you have control over what their machines have access to on your network. A bit much possibly in terms of management etc, but safest way when you don't control the other side. Cheers -- Bill Arlofski Reverse Polarity Joe Lagreca wrote: > I thought about that, but its not very secure, because they, as well > as other consultants, have access to the netscreen, and can change > those rules anytime. > > I was thinking the best would be to block their traffic on my side. > That way they couldn't disable the rules to prevent them from > accessing my network segment. > > I guess at this point I will just have to trust them. > > > > On 4/12/06, mtnbkr <waa dash m0n0wall at revpol dot com> wrote: >> Joe Lagreca wrote: >>> Is it possible to create a one way IPsec VPN? >>> >>> For example, I have created a IPsec VPN from my office m0n0wall, to >>> one of my clients Netscreen's. Is there some way I can set it up so >>> that I can access resources on their LAN, but not let them have them >>> have access to my LAN? >>> >>> I have tried creating a few rules to try and prevent them having >>> access, but haven't had any success. >>> >>> Has anyone tried this before? Is this even a possibility? >> Hi Joe. >> >> Yes, and yes. But it depends on Netscreen's capabilities. I do this with >> many of my clients - but all from m0n0wall <-> m0n0wall. >> >> To do this you will need to think in reverse. That is, on the CLIENT's >> Netscreen you will need to set up rule(s) to block all traffic TO your lan. >> >> If that is not possible on the Netscreen, you may consider moving them >> to a m0n0wall. >> >> >> -- >> Bill Arlofski >> Reverse Polarity >> |