RE: [fw-wiz] VPN concentrators

From: Schouten, Diederik (Diederik) (dschout@lucent.com)
Date: 08/26/02


From: "Schouten, Diederik (Diederik)" <dschout@lucent.com>
To: "'Patrick Darden'" <darden@armc.org>, "Schouten, Diederik (Diederik)" <dschout@lucent.com>
Date: Mon Aug 26 11:13:50 2002


> Depending on your VPN setup it can. Many vpn switches allow
> you to push security configurations upon clients.

Exactly, depending on the concentrator.

> > Therefore, unless you can control what traffic goes into the tunnel at the
> > remote end, you should still firewall the traffic that comes out of the
> > tunnel at your end.
>
> Nope. I agree that the other end should have minimum standards of
> security set up--i.e. antivirus software/signature that is X days old,
> firewall, yadda yadda. However, the more important thing is not what
> goes into the tunnel, but what comes out. If you are the concentrator,
> then you control what comes out without need of an extra firewall. VPN
> switches ARE firewalls.

Then we still agree... if your VPN-Concentrator can enforce your security
Policy, you're not just terminating VPNs, the VPN firewalling is already
done in the concentrator.

> > Depending on the internals of the firewall, I'd say it is just as safe to
> > terminate the VPN in a DMZ as it is to terminate it in the Firewall.
>
> Agreed. Less useful, but just as safe....

:)

> > Terminating the VPN parallel to the firewall, completely bypassing your
> > Security Policy is a definite NO.
>
> It doesn't bypass the security policy, it enforces it.

So in layman's terms, it's a Firewall just for VPN-ed traffic.

Therefore the real strength of this setup is more the VPN throughput, and
the fact that the VPN does not cause stress on your normal firewall.

Sure, keep them separated, if they together are just as easy to manage as a
single-box Firewall/VPN Gateway solution.

Greetings,

        Diederik
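The point both posters circle around is that traffic emerging from the tunnel must be subject to the same policy as any other inbound traffic, whether that policy lives in the concentrator or in a separate firewall. The nftables ruleset below is an added illustration, not something from this thread or from any product mentioned in it; it shows what "firewalling what comes out of the tunnel" looks like on a Linux gateway where the tunnel terminates on interface tun0. The interface name, the 10.0.10.0/24 internal network, the 10.0.10.5 DNS host and the permitted ports are all constructed placeholders.

```nft
# Added example (not from the thread): apply policy to traffic that has already
# been decrypted and is leaving the VPN tunnel on tun0 towards the inside.
table inet vpn_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside already allowed
        ct state established,related accept

        # Remote VPN users may reach only named services on the internal net.
        # 10.0.10.0/24, 10.0.10.5 and the port set are placeholders.
        iifname "tun0" ip daddr 10.0.10.0/24 tcp dport { 443, 3389 } accept
        iifname "tun0" ip daddr 10.0.10.5 udp dport 53 accept

        # Everything else that comes out of the tunnel is logged and dropped,
        # so a compromised remote client cannot roam the internal network.
        iifname "tun0" log prefix "vpn-drop: " drop
    }
}
```

Loaded with `nft -f`, the `policy drop` default means the tunnel's trust is limited to the listed destinations; the log line gives the operations team a detection hook for remote clients probing beyond their allowed services. If the concentrator itself can express equivalent rules, the same policy can be enforced there instead, which is the situation Diederik describes as "the VPN firewalling is already done in the concentrator".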


