RE: [fw-wiz] VPN concentrators

From: Nilesh Chaudhari (nileshch@yahoo.com)
Date: 08/29/02


From: Nilesh Chaudhari <nileshch@yahoo.com>
To: firewall-wizards@honor.icsalabs.com
Date: Thu Aug 29 16:25:01 2002

Of all the responses that I have seen in the preceding messages, I did
not find a simple solution shown by anybody. Let me show you what I
have done for VPN at my gateway -

                    DMZ
                     |
                     +--(ids)
                     |
inet=====rtr---+--firewall---internal
        [+vpn] |
               |
             (ids)

=== Encrypted traffic
--- Unencrypted traffic

I do not claim this to be the simplest/most secure of all solutions,
but it is pretty easy & reasonably secure allowing flexible policy
enforcement.

Nilesh Chaudhari.

 --- Patrick Darden <darden@armc.org> wrote:
> 7. Adding an additional rtr doesn't really do anything security-wise
> 8. throwing the vpn between 2 firewalls is illustrated in #1. Throwing
> in an additional router doesn't do anything security-wise.
>
> --
> --Patrick Darden Internetworking Manager
> -- 706.475.3312 darden@armc.org
> -- Athens Regional Medical Center
>
>
> On Thu, 29 Aug 2002, Crispin Harris wrote:
>
> > 7. inet--rtr---vpn---intfw--rtr(internal)
> > `-extfw-'
> > 8. inet--rtr--extfw-+---intfw--rtr(internal)
> > `-vpn-' (on third interface of internal firewall[1])
> >
> > Bear in mind that this ups both the budget and the complexity somewhat. To
> > further 'up the ante', one firewall should be SPF (stateful packet filter,
> > or equivalent) and the other ALG (Application Layer Gateway, layer 4
> > proxies)[2].
> >
> > I have had a number of clients for whom this style of architecture was the
> > only appropriate[4] design.
> >
> > Regards,
> > Crispin Harris
> >
> > BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a
> > corporate internet gateway can include, and I have had installations with as
> > many as 9 on two layers (out, in, between, web, partner, transaction,
> > vpn/remote_users, dns/mail, application).
> >
> > [1] This is building on the concept of Separation of Security Zones[3]. The
> > interface on which the VPN concentrator is terminated is also home to any
> > corporate dial-in pool, or Telco "Private IP networking" services.
> > [2] Most environments which require this sort of setup would also require
> > EAL4 (or equivalent) accreditations on the firewall devices.
> > [3] Mind blank on the correct term, been a while, but any good book on
> > traditional security architectures should be able to explain it.
> > [4] Read "Compliant".
> >
> > -----Original Message-----
> > From: Patrick Darden [mailto:darden@armc.org]
> > Sent: Wednesday, August 28, 2002 10:33 PM
> > To: Daniel Linder
> > Cc: scouser@paradise.net.nz; firewall-wizards@honor.icsalabs.com
> > Subject: Re: [fw-wiz] VPN concentrators
> >
> >
> >
> > If you add up all the 2 cent disagreements with what I have stated, you
> > get a good buck fifty! Some of it was from people who misunderstood what
> > was stated, but a good bit of it was made by people who understand the
> > issues, and simply disagree--sometimes for obvious reasons.
> >
> > I think we can sum it up though (concentrating on vpn positioning):
> >
> > 1. inet--rtr--firewall--vpn--firewall--internal some recommend
> > 2. inet--rtr--vpn--internal only I recommend?
> > 3. inet--rtr--vpn--firewall--internal many recommend
> > 4. inet--rtr--firewall--vpn--dmz some recommend
> > 5. inet--rtr--vpn--vmz only I recommend?
> > --vpn--vmz trust zones
> > --vpn--internal
> > --vpn--internal
> > 6. inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
> > paranoid's dream
> >
> >
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
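Editor's added example (not from any poster in this thread): the placement
argument above comes down to whether the firewall and IDS see VPN traffic
before or after decryption. The model below, with constructed peers, subnets
and policy, shows what a filter in front of the VPN (topologies 1 and 4,
"rtr--firewall--vpn") can decide versus one behind it (Nilesh's
"rtr[+vpn]--firewall--internal"): the former can only permit ESP between
known tunnel endpoints, the latter can enforce per-zone, per-port policy on
the cleartext.

```python
"""Constructed model of firewall visibility before vs. after VPN decryption.

Added example, not code from the thread.  All addresses, peers and rules are
made-up placeholders chosen to illustrate the two placements.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "esp" while still inside the tunnel, else "tcp"/"udp"
    dport: Optional[int] = None  # unknown (None) while encrypted


# Constructed VPN peers: tunnel endpoint -> inner subnet carried in the tunnel
PEERS = {
    "203.0.113.10": ip_network("10.20.0.0/24"),  # partner site
    "198.51.100.7": ip_network("10.30.0.0/24"),  # remote office
}
GATEWAY = "192.0.2.1"  # our router's public address where tunnels terminate

# Constructed zone policy to enforce on cleartext: (src_net, dst_net, proto, dport)
POLICY = [
    # partner may only reach the extranet web servers over HTTPS
    (ip_network("10.20.0.0/24"), ip_network("172.16.5.0/24"), "tcp", 443),
    # remote office is trusted like an internal segment
    (ip_network("10.30.0.0/24"), ip_network("172.16.0.0/16"), "any", None),
]


def filter_before_vpn(pkt: Packet) -> str:
    """Firewall in front of the VPN: it only ever sees ESP between known peers
    and the gateway, so the best it can do is validate the tunnel endpoints."""
    if pkt.proto == "esp" and pkt.src in PEERS and pkt.dst == GATEWAY:
        return "permit-esp"  # contents are opaque; no inner policy possible
    return "deny"


def filter_after_vpn(pkt: Packet) -> str:
    """Firewall behind the VPN: it sees decrypted traffic, so the zone policy
    (source subnet, destination subnet, protocol, port) can be applied."""
    if pkt.proto == "esp":
        return "deny"  # nothing still encrypted should reach this hop
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for s_net, d_net, proto, port in POLICY:
        if (src in s_net and dst in d_net
                and proto in ("any", pkt.proto)
                and port in (None, pkt.dport)):
            return "permit"
    return "deny"


def decrypt(outer: Packet, inner: Packet) -> Optional[Packet]:
    """Model of the VPN hop: accept the inner packet only if the tunnel came
    from a known peer and the inner source belongs to that peer's subnet.
    This is the anti-spoofing check the VPN itself must perform; the firewall
    behind it relies on it."""
    if outer.proto != "esp" or outer.src not in PEERS or outer.dst != GATEWAY:
        return None
    if ip_address(inner.src) not in PEERS[outer.src]:
        return None  # inner source does not match the tunnel it arrived on
    return inner


if __name__ == "__main__":
    outer = Packet("203.0.113.10", GATEWAY, "esp")
    inner = Packet("10.20.0.5", "172.16.9.10", "tcp", 22)  # partner -> internal SSH
    print("front firewall:", filter_before_vpn(outer))      # permit-esp
    clear = decrypt(outer, inner)
    print("rear firewall: ", filter_after_vpn(clear))       # deny
```

The split is the practical reason the thread keeps the firewall behind the
VPN: only a hop that sees cleartext can say "partner gets port 443 on the
extranet and nothing else", and only an IDS on that same side can inspect
payloads. The `decrypt` check is what stops a peer from injecting packets
claiming another zone's inner addresses, which the rear firewall cannot
detect on its own.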
