Re: [fw-wiz] VPN concentrators
From: Daniel Linder (dan_linder@yahoo.com)
Date: 08/28/02
- Next message: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Previous message: R. DuFresne: "RE: [fw-wiz] VPN concentrators"
- In reply to: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Next in thread: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Reply: Patrick Darden: "Re: [fw-wiz] VPN concentrators"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Daniel Linder <dan_linder@yahoo.com> To: Patrick Darden <darden@armc.org>, scouser@paradise.net.nz Date: Wed Aug 28 08:04:01 2002
On Mon, 26 Aug 2002 scouser@paradise.net.nz wrote:
> Off topic slightly, sorry.
> Current best thinking is to terminate VPN tunnels inside an
> external firewall on a DMZ, then traffic can be passed back
> through this or another firewall before entering the internal
> network.
>
> Complexity can lead to vulnerabilities, so what are peoples
> thoughts on termination of vpn tunnels on the firewall itself?
> What are the pros and cons as you see them?
--- Patrick Darden <darden@armc.org> wrote:
> I don't agree. Putting authenticated and authorized traffic through a
> firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an
> extension of your network--it is as trusted as any traffic internal to
> your network--perhaps more, as it can be completely accounted
> for--remember that every packet has a confirmed sip, dip, and payload.
>
> Here is the current best thinking, to my knowledge:
[Diagram of a VPN router /parallel/ to a firewall removed. --Dan]
Ok, then I'll add in my two cents to this discussion and disagree with
Mr. Darden. :)
In my network designs, I always try to incorporate a firewall with
three NICs: Outside, Inside, and DMZ. When the VPN concentrator is put
in place, it resides in the DMZ segment. This way I can have at least
two layers ensuring that traffic that originated at a remote location
(i.e. the VPN client computer) will first have to pass through the VPN
concentrator, and then pass through the firewall.
-- If you are on an extremely tight budget *AND* your network load is
light enough *AND* you have complete confidence in the security
awareness of your staff supporting the device, then a single
Firewall/VPN concentrator could be the answer. (Personally, I don't
recommend this to any of my customers unless their budget constraint is
overwhelming and/or they can't/won't add another server to the mix.)
-- If you have a larger budget and a requirement to have multiple
layers of security, then a VPN which resides completely on the DMZ
might be the correct solution for you.
-- For high-usage VPNs, I would use a quasi-parallel setup. The
outside NIC of the firewall and VPN are in parallel, but the inside
interface of the VPN terminates on the DMZ subnet. This way the
firewall can still restrict traffic bound for the inside network, and
the only real exposure is to the DMZ servers (but this too can be
clamped down with an ACL on the VPN itself).
Dan
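The following is an added example, not code from this thread or from any of its posters. It models the three-NIC firewall Dan describes (outside, inside, DMZ) as a small first-match packet filter and encodes the firewall policy for the two layered designs he lists: the concentrator fully on the DMZ, and the quasi-parallel layout where the concentrator's inside interface lands on the DMZ subnet. A third ruleset shows what the firewall looks like if decrypted VPN traffic is simply treated as internal traffic, so the difference between the two stances can be tested directly. All addresses, host roles, ports and the zone names are constructed for the example and are assumptions, not details from the thread.

```python
# Added example (not from the firewall-wizards thread): a first-match packet
# filter for a three-NIC firewall, with rulesets for the DMZ-terminated and
# quasi-parallel VPN designs.  Addressing and host roles are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"
ESP, TCP, UDP = 50, 6, 17

# Constructed addressing (assumption, not from the thread).
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/16")       # inside segment
VPN_CONC = ip_network("192.0.2.10/32")      # concentrator's address on the DMZ
VPN_POOL = ip_network("10.200.0.0/24")      # addresses handed to VPN clients
INTRANET_WEB = ip_network("10.0.1.10/32")   # internal host the clients need
MAIL = ip_network("10.0.1.20/32")


@dataclass(frozen=True)
class Packet:
    in_zone: str
    out_zone: str
    src: str
    dst: str
    proto: int
    dport: int = 0          # 0 for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    in_zone: str
    out_zone: str
    src: object             # ip_network
    dst: object             # ip_network
    proto: Optional[int]    # None = any protocol
    dports: frozenset       # empty = any destination port
    action: str             # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (self.in_zone == p.in_zone and self.out_zone == p.out_zone
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (not self.dports or p.dport in self.dports))


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def allow(in_zone, out_zone, src, dst, proto=None, dports=()):
    return Rule(in_zone, out_zone, src, dst, proto, frozenset(dports), "accept")


# The second layer: rules applied to traffic the concentrator has already
# decrypted.  Only named services on named internal hosts are reachable, and
# only from the client address pool, so a DMZ server that is not the
# concentrator gets nothing from these rules.
DECRYPTED_TO_INSIDE = [
    allow(DMZ, INSIDE, VPN_POOL, INTRANET_WEB, TCP, {443}),
    allow(DMZ, INSIDE, VPN_POOL, MAIL, TCP, {25, 993}),
]

# Design B (concentrator entirely on the DMZ): the firewall also carries the
# encrypted leg, so IKE (UDP 500), NAT-T (UDP 4500) and ESP from anywhere are
# admitted to the concentrator only.  Nothing else from outside reaches the
# DMZ, and nothing from outside reaches the inside directly.
DMZ_TERMINATED = [
    allow(OUTSIDE, DMZ, ANY, VPN_CONC, UDP, {500, 4500}),
    allow(OUTSIDE, DMZ, ANY, VPN_CONC, ESP),
] + DECRYPTED_TO_INSIDE

# Design C (quasi-parallel): the concentrator's outside NIC sits beside the
# firewall, so the firewall never sees IKE/ESP.  Its only job is the
# decrypted leg from the DMZ to the inside; the same rules apply there.
QUASI_PARALLEL = list(DECRYPTED_TO_INSIDE)

# The contrasting stance: decrypted VPN traffic is treated as internal
# traffic, so the firewall passes all of it from the client pool.
TRUST_ALL_VPN = [allow(DMZ, INSIDE, VPN_POOL, INTERNAL)]


def decisions():
    """A few constructed packets through each ruleset, for a quick look."""
    esp = Packet(OUTSIDE, DMZ, "203.0.113.5", "192.0.2.10", ESP)
    web = Packet(DMZ, INSIDE, "10.200.0.7", "10.0.1.10", TCP, 443)
    smb = Packet(DMZ, INSIDE, "10.200.0.7", "10.0.1.50", TCP, 445)
    return {
        "B: ESP to concentrator": evaluate(DMZ_TERMINATED, esp),
        "B: client -> intranet web": evaluate(DMZ_TERMINATED, web),
        "B: client -> SMB on arbitrary host": evaluate(DMZ_TERMINATED, smb),
        "C: client -> SMB on arbitrary host": evaluate(QUASI_PARALLEL, smb),
        "trust-all: client -> SMB on arbitrary host": evaluate(TRUST_ALL_VPN, smb),
    }


if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{label}: {verdict}")
```

The point the model makes concrete is the one Dan's layout depends on: a remote client, or a compromised concentrator, can only reach what the DMZ-to-inside rules name, and a DMZ server that is not the concentrator matches none of them. Under the trust-all ruleset the same SMB probe from a VPN client is accepted, because the only thing standing between it and the inside is the tunnel itself.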