RE: [fw-wiz] VPN concentrators
From: Schouten, Diederik (Diederik) (dschout@lucent.com)
Date: 08/26/02
- Next message: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Previous message: m p: "Re: [fw-wiz] VPN concentrators"
- Maybe in reply to: scouser@paradise.net.nz: "[fw-wiz] VPN concentrators"
- Next in thread: Patrick Darden: "RE: [fw-wiz] VPN concentrators"
- Reply: Patrick Darden: "RE: [fw-wiz] VPN concentrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Schouten, Diederik (Diederik)" <dschout@lucent.com>
To: "'Patrick Darden'" <darden@armc.org>, scouser@paradise.net.nz
Date: Mon Aug 26 10:35:07 2002
Sorry, I do not agree with this.
IPSec traffic is indeed coming from an authenticated/authorized peer, but
that does not mean that both ends of the tunnel have similar security
policies.
VPNs can be set up between companies, home users, remote locations of the
same company, etc.
Therefore, unless you can control what traffic goes into the tunnel at the
remote end, you should still firewall the traffic that comes out of the
tunnel at your end.
Else, a security mistake (breach) made by company X will cause the
same mistake (breach) at company Y.
You can trust a trustee with the security of his own network, but never
trust him to secure your network.
Depending on the internals of the firewall, I'd say it is just as safe to
terminate the VPN in a DMZ as it is to terminate it in the Firewall.
Terminating the VPN parallel to the firewall, completely bypassing your
Security Policy is a definite NO.
Just my 2cts,
Diederik
> I don't agree. Putting authenticated and authorized traffic through a
> firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an
> extension of your network--it is as trusted as any traffic internal to
> your network--perhaps more, as it can be completely accounted
> for--remember that every packet has a confirmed sip, dip, and payload.
>
> Here is the current best thinking, to my knowledge:
>
> ds3 to internet
> |
> |
> ---------------
> Bastion Router|
> ---------------
> | |
> | \
> firewall \
> | vpn engine
> | |
> ==================
> internal network |
> ==================
>
>
>
>
> --
> --Patrick Darden Internetworking Manager
> -- 706.475.3312 darden@armc.org
> -- Athens Regional Medical Center
>
>
> On Mon, 26 Aug 2002 scouser@paradise.net.nz wrote:
>
> > Off topic slightly, sorry.
> >
> > Current best thinking is to terminate VPN tunnels inside an external firewall on
> > a DMZ, then traffic can be passed back through this or another firewall before
> > entering the internal network.
> >
> > Complexity can lead to vulnerabilities, so what are people's thoughts on
> > termination of vpn tunnels on the firewall itself? What are the pros and cons
> > as you see them?
> >
> > thanks in advance
> > James
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
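The point argued above, that an IPsec SA proves who the peer is but says nothing about whether its decrypted traffic should be allowed into your network, as an added example that is not part of the original thread. It models the "parallel to the firewall" termination beside a policy applied to decapsulated packets; the peer names, addresses and policy table are constructed.

```python
"""Added model: an authenticated IPsec peer is not the same as authorized inner traffic."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class InnerPacket:
    peer: str    # tunnel peer the packet was decapsulated from (IPsec-authenticated)
    src: str     # inner source address, chosen by the remote side
    dst: str     # inner destination in our network
    dport: int
    proto: str = "tcp"

# Constructed per-tunnel policy: which peer may reach which service, and
# which inner source range each peer is supposed to send from.
TUNNEL_POLICY = {
    "partner-x":     {("10.1.0.10", 443, "tcp")},
    "branch-office": {("10.1.0.20", 25, "tcp"), ("10.1.0.53", 53, "udp")},
}
PEER_NETS = {
    "partner-x":     ipaddress.ip_network("10.2.0.0/16"),
    "branch-office": ipaddress.ip_network("10.3.0.0/24"),
}

def bypass_firewall(pkt: InnerPacket) -> bool:
    """VPN terminated parallel to the firewall: an authenticated peer is enough."""
    return pkt.peer in TUNNEL_POLICY

def firewall_decrypted(pkt: InnerPacket) -> bool:
    """VPN terminated in the DMZ (or on the firewall): the inner packet must
    pass our policy, regardless of the peer's own security posture."""
    if pkt.peer not in TUNNEL_POLICY:
        return False
    if ipaddress.ip_address(pkt.src) not in PEER_NETS[pkt.peer]:
        return False  # inner source outside the peer's declared range
    return (pkt.dst, pkt.dport, pkt.proto) in TUNNEL_POLICY[pkt.peer]

# Constructed sample traffic as it would look after decapsulation.
LEGIT   = InnerPacket("partner-x", "10.2.5.7", "10.1.0.10", 443)
LEAK    = InnerPacket("partner-x", "10.2.9.9", "10.1.0.20", 445)  # company X's mistake reaching company Y
SPOOFED = InnerPacket("partner-x", "10.1.0.99", "10.1.0.10", 443)
UNKNOWN = InnerPacket("nobody", "192.0.2.1", "10.1.0.10", 443)

def compare(packets=(LEGIT, LEAK, SPOOFED, UNKNOWN)):
    """Return {packet: (bypass_verdict, firewalled_verdict)} for inspection."""
    return {p: (bypass_firewall(p), firewall_decrypted(p)) for p in packets}

if __name__ == "__main__":
    for pkt, (bypass, fw) in compare().items():
        print(f"{pkt.peer:14} {pkt.src:>10} -> {pkt.dst}:{pkt.dport}  bypass={bypass}  firewalled={fw}")
```

On Linux the `firewall_decrypted` step corresponds to filtering on the interface the decrypted packets emerge on, or to rules using the iptables `policy` match (`-m policy --dir in --pol ipsec`) for policy-based IPsec.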