Re: [fw-wiz] VPN concentrators

From: Dave Piscitello (dave@corecom.com)
Date: 08/26/02

• Next message: Dave Piscitello: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
• Previous message: Paul D. Robertson: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
• In reply to: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Next in thread: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Reply: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Dave Piscitello <dave@corecom.com>
To: Patrick Darden <darden@armc.org>, scouser@paradise.net.nz
Date: Mon Aug 26 10:34:18 2002

Goes to show you that "best thinking" is subjective.

Firewall appliances with crypto acceleration for IPsec and an optional/DMZ
port satisfy most site requirements without all the extra hardware,
addressing/subnetting, and routing issues (how you return IPsec traffic
when you have FW and VPN appliance in parallel isn't a simple "default
gateway is the firewall" config on the internal network). You also don't
have to manage policy across multiple systems with multiple UIs, and you
don't have to deal with multiple sources of logging and reporting of policy
violations.

I'm happy with this arrangement.

At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:
>Here is the current best thinking, to my knowledge:
>
> ds3 to internet
> |
> |
>---------------
>Bastion Router|
>---------------
> | |
> | \
>firewall \
> | vpn engine
> | |
>==================
>internal network |
>==================

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com

• Next message: Dave Piscitello: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
• Previous message: Paul D. Robertson: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
• In reply to: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Next in thread: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Reply: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: If you hack a server joined to domain, how much info can you get ? ... way trust to the internal network where the internal network is the trusted ... user there domain administrator credentials on any domain ... Consider using ipsec in your domain. ... server could have a require ipsec policy ... (microsoft.public.security) Re: How to allow an ipsec tunnel endpoint to communicate with an internal IP on the other side? ... The internal network on one ... What's a VPN? ... The KAME port's IPSec? ... the VPN, on the public interface. ... (comp.os.linux.security) Re: [PATCH 0/2]: Remote softirq invocation infrastructure. ... also for things like IPSEC where the per-packet cpu usage ... split up the work to multiple cpus within the same flow. ... Unfortunately doing this with IPsec is going to be non-trivial ... since we still want to maintain packet ordering inside IPsec ... (Linux-Kernel) Re: Cant join domain through firewall with IPSec Policy on client and DC ... My IPSec policy on the DC requires security to all machines except those ... from the client using UNC names. ... >> internal network with IPSec enabled or disabled. ... (microsoft.public.windows.server.security) Re: Possible inside security breach ... default, add 10 workstations to the domain, I doubt IPSec was being used. ... >> network is all that's needed and a VPN connection gave him that. ... > internal network is secured via IPSec using Kerberos or Certificate ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint