RE: [fw-wiz] VPN concentrators

From: scouser@paradise.net.nz
Date: 08/26/02


To: Ofir Arkin <ofir@sys-security.com>
From: scouser@paradise.net.nz
Date: Mon Aug 26 20:00:01 2002

OK, some but not all answers:
It is for remote users, so it would be Client to Device (initially :P).
So users would be employees (totally untrustworthy :P).
Client software would probably depend on the device, as a number of beneficial
features can be used if you match the client to the device (personal firewalls,
automated upgrading of clients, etc.).
Users would be about 250 initially, but up to 4000 potentially in the future.
Availability would be an issue, but this would be dealt with by the architecture
design and would not be dependent on the solution.
Management, I would presume, would depend on the device, i.e. LSMS for a brick, etc.
Central management is an important issue, however.

Not sure what you mean by access control? Do you mean to internal resources? If
VPN traffic could be split into different network pools, then internal NIDS and
ACLs could manage this (along with obvious host/resource access controls).

What are these mysterious "IPSEC issues" that we are all aware of (or perhaps
not, in my case)??

James

Quoting Ofir Arkin <ofir@sys-security.com>:

> All,
>
> No one even looked at a number of other critical questions:
>
> - Is this a Device to Device VPN?
> - Is this a Client to Device VPN?
> - Both?
> - What information needs to go through that VPN?
> - Who uses the VPN? Trusted entity? Your grand mother?
> - What is that trusted entity's security?
> - Can we trust it? (of course not)
> - What is the client software used (shame on you all not mentioning that :P)
> - IPSEC - there are a number of issues here to remind you all.
> - Management
> - Access Controls
> - Number of users using the VPN
> - Availability issues
> - Etc.
>
> People should look at the bigger picture and not at the box.
> The bigger picture then will tell us what boxes you can, or cannot, use.
>
> By the way - a VPN is not a firewall...
> The encrypted traffic hitting the VPN must be validated after decryption
> is performed... This is the reason why, sometimes, a VPN+Firewall in one
> box (e.g. checkpoint) will be a good solution, or a
> firewall-VPN-firewall "sandwich" will be also used.
>
>
> Just my 2c.
>
> Ofir Arkin [ofir@sys-security.com]
> Founder
> The Sys-Security Group
> http://www.sys-security.com
> PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
>
> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Patrick
> Darden
> Sent: 26 August 2002 15:52
> To: Dave Piscitello
> Cc: scouser@paradise.net.nz; firewall-wizards@honor.icsalabs.com
> Subject: Re: [fw-wiz] VPN concentrators
>
>
> Actually, what you describe is only slightly different from what I
> describe. I can't really think of any differences, except that yours may
> cost less but possibly provide less performance....
>
> --
> --Patrick Darden Internetworking Manager
> -- 706.475.3312 darden@armc.org
> -- Athens Regional Medical Center
>
>
> On Mon, 26 Aug 2002, Dave Piscitello wrote:
>
> > Goes to show you that "best thinking" is subjective.
> >
> > Firewall appliances with crypto acceleration for IPsec and an optional/DMZ
> > port satisfy most site requirements without all the extra hardware,
> > addressing/subnetting, and routing issues (how you return IPsec traffic
> > when you have FW and VPN appliance in parallel isn't a simple "default
> > gateway is the firewall" config on the internal network). You also don't
> > have to manage policy across multiple systems with multiple UIs, and you
> > don't have to deal with multiple sources of logging and reporting of policy
> > violations.
> >
> > I'm happy with this arrangement.
> >
> > At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:
> > >Here is the current best thinking, to my knowledge:
> > >
> > >        ds3 to internet
> > >               |
> > >               |
> > >        ---------------
> > >        Bastion Router|
> > >        ---------------
> > >               |  |
> > >               |   \
> > >           firewall  \
> > >               |    vpn engine
> > >               |         |
> > >        ==================
> > >        internal network |
> > >        ==================
> >
> >
> > David M. Piscitello
> > Core Competence, Inc. &
> > 3 Myrtle Bank Lane
> > Hilton Head, SC 29926
> > dave@corecom.com
> > 843.689.5595
> > www.corecom.com
> >
> >
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
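Ofir's point that decrypted VPN traffic still has to be validated, and James's idea of splitting remote users into address pools that internal ACLs can police, can both be expressed on a single gateway. The nftables ruleset below is an added illustration, not code from any poster or product in the thread; the interface names, pool ranges and server addresses are constructed, and it assumes IPsec terminates on this host so the inner packets re-enter the forward hook after decryption.

```nft
#!/usr/sbin/nft -f
# Hypothetical remote-access gateway: IPsec terminates here, and the decrypted
# inner packets are filtered again before they reach the internal network.
# All addresses and pool ranges are constructed for illustration.

define OUTSIDE    = eth0              # Internet-facing interface
define INSIDE     = eth1              # internal network
define POOL_STAFF = 10.200.1.0/24     # pool handed to ordinary employees
define POOL_ADMIN = 10.200.2.0/24     # pool handed to the admin group
define LAN        = 192.168.10.0/24
define MAIL_SRV   = 192.168.10.25
define FILE_SRV   = 192.168.10.30
define MGMT_NET   = 192.168.99.0/24

table inet vpngw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Only IKE, NAT-T and ESP are accepted in the clear from the Internet.
        iif $OUTSIDE udp dport { 500, 4500 } accept
        iif $OUTSIDE meta l4proto esp accept
        # Management of the gateway itself only from the inside management net.
        iif $INSIDE ip saddr $MGMT_NET tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Anti-spoofing: a pool address is honoured only when the packet really
        # arrived inside an IPsec SA, so an inner address cannot be forged from
        # the Internet in the clear.
        iif $OUTSIDE ip saddr { $POOL_STAFF, $POOL_ADMIN } meta ipsec missing drop
        # Staff pool: mail and file server only.
        ip saddr $POOL_STAFF ip daddr $MAIL_SRV tcp dport { 25, 143, 993 } accept
        ip saddr $POOL_STAFF ip daddr $FILE_SRV tcp dport 445 accept
        # Admin pool: whole LAN plus the management network.
        ip saddr $POOL_ADMIN ip daddr { $LAN, $MGMT_NET } accept
        # Everything else from the pools is logged for the NIDS/SIEM, then dropped.
        ip saddr { $POOL_STAFF, $POOL_ADMIN } log prefix "vpn-policy-deny: " drop
    }
}
```

Because the decrypted packets are filtered on their inner addresses, the pool a user lands in becomes the access-control handle James describes, and the separate firewall of the "sandwich" is collapsed into the forward chain.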