Symantec™ Security Gateways Reference Guide - Sawmill

Understanding VPN tunnels
Tunnels
89

Tunnel communication

Tunnel indexes

The security gateway uses tunnel indexes, also called security parameter indexes (SPIs), to handle VPN packets it receives from another security gateway or Symantec Client VPN. The index is a number agreed upon by each encryption device, and is unique for each destination address. The receiving security gateway uses the index to get the pointer to the packet's security characteristics. The security characteristics contain information on how to authenticate, decapsulate, and decrypt the packet.

Tunnel packets are handled at the IP layer of the protocol stack. The receiving security gateway uses the tunnel index to remove the encapsulation and encryption from the original packet. With the protective outer shell removed, the security gateway then forwards the original packets to their intended destination.

Traffic is only encrypted in the tunnel, between the tunnel endpoints. Traffic outside the tunnel is in its original form with no protection.

Note: Incoming tunnel traffic uses the original client IP address by default. Therefore, your internal hosts need to ensure that they have a valid route back to the client or network. If your internal hosts do not have a valid route back to the client or network, the security gateway must have network address translation (NAT) enabled, and specify that the return packet use the security gateway address.

Tunnel security

VPN tunnels pass data through the security gateway without any additional security checks. You can modify this default behavior so that VPN packets are subject to the same scrutiny as other traffic. You can subject tunnel traffic to authorization rules, input and output filters, and application proxies.

Authorization rules for tunnel traffic

Unlike packets handled by Telnet, FTP, and other server applications, VPN packets are not sent up the protocol stack for processing. Tunnel traffic is not necessarily subject to authorization rules. Connections not subject to authorization rules are not logged. By definition, VPN connections are established between trusted end systems. Moreover, all packets exchanged are encapsulated and encrypted between the two security gateways.

Limiting tunnel traffic with filters

Filters provide additional security to tunnel traffic by restricting the type of traffic passed through a tunnel. For example, it is appropriate for some VPN users to use the protocols FTP, HTTP, and POP3, but not Telnet. A deny Telnet filter applied to a VPN tunnel can enforce such a policy.

For information on configuring filters to restrict traffic passing through a VPN tunnel, see your administrator's guide.

Passing tunnel traffic to a proxy

A check is performed to see if the tunnel traffic should pass through the proxies. If so, the packets are sent up the stack for further processing instead of passing directly through. If there is no proxy requirement, the packets move on to their destination.

Proxying tunnel traffic lets the administrator control the type of traffic allowed through a tunnel. Even between trusted systems, you may not want to allow all services. For example, you may want to permit only mail and file transfers.

Using the proxies with VPN traffic lets you:
■ Restrict source and destination addresses and protocols (as filters do)
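The following is an added example, not code from the Symantec guide or the product, that models the receive path the page describes: the tunnel index (SPI) and destination address select the security characteristics, the outer shell is authenticated and stripped, and only then is the inner packet checked against a deny filter (the "deny Telnet" case) and a proxy requirement before it is forwarded. The packet layout, the SA table, the toy XOR "encryption", the HMAC tag and the port-based filter are all constructed for illustration; the product's real formats and data structures are not shown on the page. The example also covers the failure modes a practitioner would want to see handled: an unknown index and a packet that fails authentication are dropped with a reason rather than forwarded.

```python
"""Toy model of a security gateway's tunnel receive path (constructed example,
not the Symantec Security Gateway implementation)."""

import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed outer-packet layout:
#   dst IPv4 (4 bytes) | SPI (4 bytes, big endian) | encrypted inner packet
#   | 16-byte truncated HMAC-SHA256 tag over everything before it.
TAG_LEN = 16


@dataclass
class SecurityAssociation:
    """The 'security characteristics' the index points to: how to
    authenticate and decrypt (toy keys; XOR stands in for a real cipher)."""
    auth_key: bytes
    enc_key: bytes


@dataclass
class TunnelFilter:
    """Constructed policy applied to decapsulated traffic: destination ports
    denied inside the tunnel, and ports that must go up the stack to a proxy."""
    deny_ports: set = field(default_factory=set)
    proxy_ports: set = field(default_factory=set)


def build_sa_table():
    """Toy SA table keyed by (destination address, SPI): the index is agreed
    per destination, so the same SPI value may mean different things elsewhere."""
    return {("10.0.0.1", 0x1001): SecurityAssociation(b"auth-key-A", b"\x5a")}


def _tag(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:TAG_LEN]


def _xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_inner(port, data):
    """Constructed inner packet: 2-byte big-endian destination port + data."""
    return struct.pack(">H", port) + data


def encapsulate(sa, dst, spi, inner):
    """Sender side: encrypt the inner packet, prepend dst+SPI, append the tag."""
    header = bytes(int(o) for o in dst.split(".")) + struct.pack(">I", spi)
    body = header + _xor(inner, sa.enc_key)
    return body + _tag(sa, body)


def handle_tunnel_packet(packet, sa_table, tunnel_filter):
    """Receiver side. Returns (action, detail) with action one of
    'forward', 'proxy' or 'drop'; detail is the port or the drop reason."""
    if len(packet) < 8 + TAG_LEN:
        return ("drop", "truncated outer packet")
    dst = ".".join(str(b) for b in packet[:4])
    spi = struct.unpack(">I", packet[4:8])[0]
    sa = sa_table.get((dst, spi))
    if sa is None:
        # Unknown index: no security characteristics exist for this packet,
        # so it can be neither authenticated nor decrypted. Drop it and record why.
        return ("drop", f"no SA for dst={dst} spi={spi:#x}")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    # Authenticate before decrypting; constant-time compare on the tag.
    if not hmac.compare_digest(_tag(sa, body), tag):
        return ("drop", "authentication failed")
    inner = _xor(body[8:], sa.enc_key)  # protective outer shell removed
    if len(inner) < 2:
        return ("drop", "inner packet too short")
    port = struct.unpack(">H", inner[:2])[0]
    # Filters and proxy checks apply only now, to the original packet.
    if port in tunnel_filter.deny_ports:
        return ("drop", f"filter denies port {port}")
    if port in tunnel_filter.proxy_ports:
        return ("proxy", port)
    return ("forward", port)


if __name__ == "__main__":
    table = build_sa_table()
    sa = table[("10.0.0.1", 0x1001)]
    policy = TunnelFilter(deny_ports={23}, proxy_ports={21, 25})  # deny Telnet; proxy FTP/SMTP
    for port, data in ((80, b"GET /"), (23, b"login"), (21, b"USER x")):
        pkt = encapsulate(sa, "10.0.0.1", 0x1001, make_inner(port, data))
        print(port, handle_tunnel_packet(pkt, table, policy))
    stray = encapsulate(sa, "10.0.0.1", 0x1002, make_inner(80, b"GET /"))
    print("unknown SPI", handle_tunnel_packet(stray, table, policy))
```

The order of checks is the point: the index lookup and authentication happen on the outer packet, and the filter and proxy decisions are taken on the decapsulated inner packet, which is why a deny Telnet filter can see the inner destination port at all. A drop for an unknown SPI or a bad tag is the kind of event worth logging, since the page notes that tunnel connections not subject to authorization rules are otherwise not logged.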