Re: [fw-wiz] VPN concentrators
From: B. Scott Harroff (Scott.Harroff@att.net)
Date: 08/26/02
- Next message: B. Scott Harroff: "Re: RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Previous message: Schouten, Diederik (Diederik): "RE: [fw-wiz] VPN concentrators"
- In reply to: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Next in thread: Daniel Linder: "Re: [fw-wiz] VPN concentrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "B. Scott Harroff" <Scott.Harroff@att.net>
To: "Patrick Darden" <darden@armc.org>, <scouser@paradise.net.nz>
Date: Mon Aug 26 11:14:06 2002
I agree with you from the trust perspective.
It is nice, though, to be able to filter/log/monitor undesirable inbound VPN
traffic; and this would need to be post VPN device, most likely by a
firewall of some type.
----- Original Message -----
From: "Patrick Darden" <darden@armc.org>
To: <scouser@paradise.net.nz>
Cc: <firewall-wizards@honor.icsalabs.com>
Sent: Monday, August 26, 2002 8:39 AM
Subject: Re: [fw-wiz] VPN concentrators
>
> I don't agree. Putting authenticated and authorized traffic through a
> firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an
> extension of your network--it is as trusted as any traffic internal to
> your network--perhaps more, as it can be completely accounted
> for--remember that every packet has a confirmed sip, dip, and payload.
>
> Here is the current best thinking, to my knowledge:
>
>   ds3 to internet
>          |
>          |
>   ---------------
>   Bastion Router|
>   ---------------
>      |      |
>      |       \
>   firewall    \
>      |       vpn engine
>      |          |
>   ==================
>   internal network |
>   ==================
>
>
>
>
> --
> --Patrick Darden Internetworking Manager
> -- 706.475.3312 darden@armc.org
> -- Athens Regional Medical Center
>
>
> On Mon, 26 Aug 2002 scouser@paradise.net.nz wrote:
>
> > Off topic slightly, sorry.
> >
> > Current best thinking is to terminate VPN tunnels inside an external firewall on
> > a DMZ, then traffic can be passed back through this or another firewall before
> > entering the internal network.
> >
> > Complexity can lead to vulnerabilities, so what are people's thoughts on
> > termination of vpn tunnels on the firewall itself? What are the pros and cons
> > as you see them?
> >
> > thanks in advance
> > James
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
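Scott's point above is that traffic emerging from the VPN device, even though the IPsec peer authenticated it, still needs a post-tunnel firewall to filter, log and monitor it. The following is an added example, not code from this thread or from any product mentioned in it: a minimal first-match access list applied to flows as they leave the VPN engine and enter the internal network. The address ranges, rule set and sample flows are all constructed assumptions chosen to show why a peer-authenticated tunnel is not the same as a filtered one.

```python
"""Added example (not from the firewall-wizards thread): first-match filtering
of decrypted VPN traffic between the vpn engine and the internal network.
Every address, rule and flow below is a constructed assumption."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One decrypted packet/flow as seen on the inside of the VPN device."""
    sip: str            # source IP; the tunnel peer vouched for it, we still filter on it
    dip: str            # destination IP on the internal network
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports (e.g. icmp)


@dataclass(frozen=True)
class Rule:
    """A single ACL entry; rules are evaluated top-down, first match wins."""
    action: str                      # "permit" or "deny"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    proto: Optional[str] = None      # None matches any protocol
    dports: Optional[Tuple[int, ...]] = None  # None matches any port
    log: bool = False                # log even when permitted (audit trail)

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.sip) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(f.dip) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dports is not None and f.dport not in self.dports:
            return False
        return True


def evaluate(flow: Flow, rules: List[Rule], default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule); an implicit default applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule
    return default, None


def filter_flows(flows: List[Flow], rules: List[Rule]) -> Tuple[List[Flow], List[str]]:
    """Apply the ACL; denied flows are always logged, permitted ones only if the rule says so."""
    permitted: List[Flow] = []
    log: List[str] = []
    for f in flows:
        action, rule = evaluate(f, rules)
        port = "-" if f.dport is None else str(f.dport)
        if action == "deny" or (rule is not None and rule.log):
            why = "implicit-default" if rule is None else f"{rule.src}->{rule.dst}"
            log.append(f"{action.upper()} {f.proto} {f.sip}->{f.dip}:{port} rule={why}")
        if action == "permit":
            permitted.append(f)
    return permitted, log


# Constructed policy: the remote site is 10.200.0.0/16 (assumption); it may reach
# the web tier on 443 and the DNS server on 53, never SMB, and nothing else.
RULES = [
    Rule("deny",   "0.0.0.0/0",     "10.1.0.0/16",  proto="tcp", dports=(445,)),
    Rule("permit", "10.200.0.0/16", "10.1.10.0/24", proto="tcp", dports=(443,), log=True),
    Rule("permit", "10.200.0.0/16", "10.1.1.53/32", proto="udp", dports=(53,)),
]

# Constructed flows as they would appear after decryption on the vpn engine.
SAMPLE_FLOWS = [
    Flow("10.200.5.7",  "10.1.10.20", "tcp", 443),   # legitimate web access
    Flow("10.200.5.7",  "10.1.10.20", "tcp", 445),   # SMB from the remote site: explicit deny
    Flow("10.200.9.1",  "10.1.1.53",  "udp", 53),    # DNS lookup
    Flow("10.200.9.1",  "10.1.1.53",  "tcp", 22),    # SSH to the DNS box: implicit deny
    Flow("192.168.1.5", "10.1.10.20", "tcp", 443),   # source outside the agreed range: implicit deny
]

if __name__ == "__main__":
    ok, entries = filter_flows(SAMPLE_FLOWS, RULES)
    print(f"permitted {len(ok)} of {len(SAMPLE_FLOWS)} flows")
    for line in entries:
        print(line)
```

Two of the five constructed flows get through; the other three are stopped and logged even though all of them arrived inside an authenticated tunnel. The explicit deny for 445 sits above the permits so that an SMB attempt is rejected (and logged) before any broader permit could match it; the last flow shows that a source address outside the range negotiated with the peer is dropped by the implicit default rather than by any rule that had to anticipate it.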