Re: [fw-wiz] VPN concentrators

From: Patrick Darden (darden@armc.org)
Date: 08/26/02


From: Patrick Darden <darden@armc.org>
To: scouser@paradise.net.nz
Date: Mon Aug 26 08:53:01 2002

I don't agree. Putting authenticated and authorized traffic through a
firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an
extension of your network--it is as trusted as any traffic internal to
your network--perhaps more, as it can be completely accounted
for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:

     ds3 to internet
      |
      |
---------------
Bastion Router|
---------------
   | |
   | \
firewall \
   | vpn engine
   | |
==================
internal network |
==================

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden@armc.org
--                              Athens Regional Medical Center
On Mon, 26 Aug 2002 scouser@paradise.net.nz wrote:
> Off topic slightly, sorry.
> 
> Current best thinking is to terminate VPN tunnels inside an external firewall on
> a DMZ, then traffic can be passed back through this or another firewall before
> entering the internal network.
> 
> Complexity can lead to vulnerabilities, so what are people's thoughts on
> termination of vpn tunnels on the firewall itself? What are the pros and cons
> as you see them?
> 
> thanks in advance
> James
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> 
