RE: [fw-wiz] VPN concentrators

From: Crispin Harris (Harris_C@DeMorgan.com.au)
Date: 08/29/02


From: Crispin Harris <Harris_C@DeMorgan.com.au>
To: "'Patrick Darden'" <darden@armc.org>, Daniel Linder <dan_linder@yahoo.com>
Date: Thu Aug 29 06:59:01 2002


7. inet--rtr---vpn---intfw--rtr(internal)
             `-extfw-'
8. inet--rtr--extfw-+---intfw--rtr(internal)
                     `-vpn-' (on third interface of internal firewall[1])

Bear in mind that this ups both the budget and the complexity somewhat. To
further 'up the ante', one firewall should be SPF (stateful packet filter,
or equivalent) and the other ALG (Application Layer Gateway, layer 4
proxies)[2].

I have had a number of clients for whom this style of architecture was the
only appropriate[4] design.

Regards,
        Crispin Harris

BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a
corporate internet gateway can include, and I have had installations with as
many as 9 on two layers (out, in, between, web, partner, transaction,
vpn/remote_users, dns/mail, application).

[1] This is building on the concept of Separation of Security Zones[3]. The
interface on which the VPN concentrator is terminated is also home to any
corporate dial-in pool, or Telco "Private IP networking" services.
[2] Most environments which require this sort of setup would also require
EAL4 (or equivalent) accreditations on the firewall devices.
[3] Mind blank on the correct term, been a while, but any good book on
traditional security architectures should be able to explain it.
[4] Read "Compliant".

-----Original Message-----
From: Patrick Darden [mailto:darden@armc.org]
Sent: Wednesday, August 28, 2002 10:33 PM
To: Daniel Linder
Cc: scouser@paradise.net.nz; firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] VPN concentrators

If you add up all the 2 cent disagreements with what I have stated, you
get a good buck fifty! Some of it was from people who misunderstood what
was stated, but a good bit of it was made by people who understand the
issues, and simply disagree--sometimes for obvious reasons.

I think we can sum it up though (concentrating on vpn positioning):

1. inet--rtr--firewall--vpn--firewall--internal some recommend
2. inet--rtr--vpn--internal only I recommend?
3. inet--rtr--vpn--firewall--internal many recommend
4. inet--rtr--firewall--vpn--dmz some recommend
5. inet--rtr--vpn--vmz only I recommend?
             --vpn--vmz trust zones
             --vpn--internal
             --vpn--internal
6. inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
                                                        paranoid's dream
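The eight placements above differ in two things a reviewer checks: whether a firewall shields the concentrator from the Internet, and whether decrypted tunnel traffic crosses a firewall before reaching the zone it lands in. The following is an added example, not code from either poster: the designs are written out as constructed hop lists read off the ASCII diagrams (branched designs 5, 7 and 8 are reduced to the path a remote user's packet takes), and a small check reports both properties for each.

```python
"""Property check for the VPN-placement designs in the thread (added example)."""

# Constructed hop lists, transcribed from the diagrams. The last hop is the
# zone where decrypted VPN traffic lands.
TOPOLOGIES = {
    "1": ["inet", "rtr", "firewall", "vpn", "firewall", "internal"],
    "2": ["inet", "rtr", "vpn", "internal"],
    "3": ["inet", "rtr", "vpn", "firewall", "internal"],
    "4": ["inet", "rtr", "firewall", "vpn", "dmz"],
    "5": ["inet", "rtr", "vpn", "vmz"],
    "6": ["inet", "rtr", "firewall", "firewall", "vpn",
          "firewall", "firewall", "rtr", "inet"],
    "7": ["inet", "rtr", "vpn", "intfw", "internal"],          # extfw is parallel
    "8": ["inet", "rtr", "extfw", "vpn", "intfw", "internal"],  # vpn on intfw's 3rd leg
}


def is_firewall(hop: str) -> bool:
    """'firewall', 'intfw' and 'extfw' are the firewall hops used in the diagrams."""
    return hop == "firewall" or hop.endswith("fw")


def firewalls_between(path, a, b):
    """Count firewall hops strictly between the first 'a' and the next 'b' after it."""
    i = path.index(a)
    j = path.index(b, i + 1)
    return sum(1 for hop in path[i + 1:j] if is_firewall(hop))


def assess(path):
    """Two properties the thread argues about:
    shielded  - a firewall sits between the Internet and the concentrator, so the
                concentrator's own services are not directly exposed;
    inspected - a firewall sits between the concentrator and the landing zone, so
                decrypted tunnel traffic is filtered before it reaches that zone."""
    return {
        "shielded": firewalls_between(path, "inet", "vpn") > 0,
        "inspected": firewalls_between(path, "vpn", path[-1]) > 0,
    }


def summary():
    """Map each design number to its assessment."""
    return {name: assess(path) for name, path in TOPOLOGIES.items()}


if __name__ == "__main__":
    for name, result in summary().items():
        print(name, result)
```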


