Re: [fw-wiz] VPN concentrators

From: Patrick Darden (darden@armc.org)
Date: 08/26/02


From: Patrick Darden <darden@armc.org>
To: Dave Piscitello <dave@corecom.com>
Date: Mon Aug 26 11:13:34 2002

Actually, what you describe is only slightly different from what I
describe. I can't really think of any differences, except that yours may
cost less but possibly provide less performance....

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden@armc.org
--                              Athens Regional Medical Center
On Mon, 26 Aug 2002, Dave Piscitello wrote:
> Goes to show you that "best thinking" is subjective.
> 
> Firewall appliances with crypto acceleration for IPsec and an optional/DMZ 
> port satisfy most site requirements without all the extra hardware, 
> addressing/subnetting, and routing issues (how you return IPsec traffic 
> when you have FW and VPN appliance in parallel isn't a simple "default 
> gateway is the firewall" config on the internal network). You also don't 
> have to manage policy across multiple systems with multiple UIs, and you 
> don't have to deal with multiple sources of logging and reporting of policy 
> violations.
> 
> I'm happy with this arrangement.
> 
> At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:
> >Here is the current best thinking, to my knowledge:
> >
> >      ds3 to internet
> >       |
> >       |
> >---------------
> >Bastion Router|
> >---------------
> >    |     |
> >    |      \
> >firewall   \
> >    |       vpn engine
> >    |           |
> >==================
> >internal network |
> >==================
> 
> 
> David M. Piscitello
> Core Competence, Inc. &
> 3 Myrtle Bank Lane
> Hilton Head, SC 29926
> dave@corecom.com
> 843.689.5595
> www.corecom.com
> 
> 
> 
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> 
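
The routing issue Dave raises above (a firewall and a VPN engine in parallel on the same internal network, with "default gateway is the firewall" on the hosts) can be shown with a small longest-prefix-match simulation. This is an added example, not code from either poster; the addresses (internal LAN 192.168.10.0/24, firewall at .1, VPN engine at .2, remote tunnel subnet 10.20.0.0/16) are constructed assumptions for illustration.

```python
"""Simulate reply-path routing for a firewall and VPN engine in parallel.

Constructed topology (assumed, not from the thread):
  internal LAN            192.168.10.0/24
  firewall, inside side   192.168.10.1   (hosts' default gateway)
  VPN engine, inside side 192.168.10.2   (terminates the IPsec tunnel)
  remote site over tunnel 10.20.0.0/16
"""
import ipaddress

FIREWALL = "192.168.10.1"
VPN_ENGINE = "192.168.10.2"
REMOTE_VPN_SUBNET = "10.20.0.0/16"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def inbound_gateway(src):
    """Which inside device delivered a packet from src onto the LAN.

    Traffic from the remote tunnel subnet is decrypted by the VPN engine and
    injected from 192.168.10.2; everything else from outside arrives via the
    firewall.
    """
    if ipaddress.ip_address(src) in ipaddress.ip_network(REMOTE_VPN_SUBNET):
        return VPN_ENGINE
    return FIREWALL


def check_symmetry(routes, peer):
    """Return (inbound_gw, outbound_gw, symmetric) for a flow with `peer`.

    Asymmetric means the reply leaves through a different device than the
    one that delivered the request, so the stateful firewall sees only half
    of the conversation and the VPN engine never sees the reply to encrypt.
    """
    in_gw = inbound_gateway(peer)
    out_gw = next_hop(routes, peer)
    return in_gw, out_gw, in_gw == out_gw


# Host routing table as the thread describes it: firewall is the only gateway.
NAIVE_ROUTES = [("0.0.0.0/0", FIREWALL)]

# The extra host (or internal-router) route the parallel design requires.
CORRECTED_ROUTES = [("0.0.0.0/0", FIREWALL), (REMOTE_VPN_SUBNET, VPN_ENGINE)]


if __name__ == "__main__":
    for name, table in (("naive", NAIVE_ROUTES), ("corrected", CORRECTED_ROUTES)):
        for peer in ("10.20.5.7", "203.0.113.9"):
            print(name, peer, check_symmetry(table, peer))
```

With only the default route, a reply to a host on the remote tunnel subnet is handed to the firewall, which has no state for that connection and no tunnel to the remote site; with the specific route added, the reply returns to the VPN engine that delivered the request, and Internet-bound traffic still goes through the firewall. Keeping that extra route correct on every internal host or router is exactly the administrative cost the single-appliance design avoids.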
