"Hostile" network in the company - please comment on a security setup

Solution 1:

This is a situation I've run into often, and I pretty much always do the same thing: IPSec.

Whether it works for you is dependent on whether there's an IPv4 overlap between their network and yours, which you don't say. But I know you have clue, and if there was this additional hurdle I think you'd've mentioned it, so let's assume for now that there isn't any overlap.

Set up an IPSec tunnel between their core router and yours, using PSK authentication. Most good routers will speak it, and it's not hard to do. Once you have a tunnel in place, you can trust the identity of any packets that come down it (note: I'm not saying you can trust the content of the packets, only that you can be sure they really do come from Potentially-Hostile Partner).

So then you can apply access filters to traffic coming out of the tunnel, and precisely restrict what hosts on your network they have the capability to access, and on what ports, and from which machine(s) at their end (though that latter restriction is less useful as you have no control over whether devices on their network are maliciously changing their IP addresses to elevate their access rights to your end).

Linking the networks, rather than having any random trusted client at their end use an individual VPN client, works better in my experience, not least because you'll either end up with a full-time job managing client access tokens - issuing new ones, revoking old ones, grumbling about people copying them or dealing with the fallout of mandating that any token can only be used once - or you'll issue one token that everyone will use, and you'll have lost any control over who's using it and where they're using it from. It also means that the complexity is in the core, where it's best managed.

I've had some such tunnels, between my networks and those of the PHPs, running for a decade, and they just Do Their Thing. From time to time someone needs a new machine on their end able to access some new dev box or other resource on our end, and it's a simple change to an interface access list, a one-line fix to my own kit that I can do in seconds, and everything is working. No client installs. No endpoint complications at all.

I find the v6 idea fascinating, but I suspect that it'll run onto the rocks when some v4-only client, or something riddled with v6 bugs because it's so untested, comes along and really-really-really-pretty-please needs access to your network resources.
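One way the "access filters on traffic coming out of the tunnel" part of this answer looks on a Linux router, as an added example that is not part of the answer above: it assumes a route-based IPsec tunnel (for instance strongSwan with an XFRM interface) that hands decrypted partner traffic to an interface named `ipsec-partner`, and all addresses and host names below are constructed.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original answer. Assumed layout (constructed):
#   partner side  10.200.0.0/16  (their core router terminates the tunnel)
#   our side      10.10.0.0/16   (one dev box at 10.10.50.20)
#   tunnel        decrypted traffic arrives on interface "ipsec-partner"

define partner_net         = 10.200.0.0/16
define partner_build_hosts = { 10.200.5.10, 10.200.5.11 }
define our_net             = 10.10.0.0/16
define dev_box             = 10.10.50.20

table inet partner_filter {
    # Only traffic entering from the tunnel is diverted; the rest of the
    # router's forwarding policy is untouched.
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "ipsec-partner" jump from_partner
    }

    # Default for the tunnel is deny; every new requirement from the
    # partner is one added accept line, never a widened one.
    chain from_partner {
        # The tunnel authenticates the partner's network, not individual
        # hosts (they control their own addressing), so these checks only
        # stop obviously misrouted or spoofed-to-us packets.
        ip saddr != $partner_net counter drop
        ip daddr != $our_net counter drop

        # Replies to connections that were already permitted.
        ct state established,related accept

        # Explicit allow list: two build hosts may reach one dev box
        # on ssh and https only.
        ip saddr $partner_build_hosts ip daddr $dev_box tcp dport { 22, 443 } ct state new counter accept

        # Everything else from the tunnel is logged (rate limited) and
        # dropped; the log line is what you watch for unexpected probing.
        limit rate 10/minute log prefix "partner-tunnel-denied: "
        counter drop
    }
}
```

Load with `nft -f` and review `nft list table inet partner_filter` to see the per-rule counters; the `counter drop` line growing is the signal that something on the partner side is reaching for resources it was not granted.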