RE: [fw-wiz] VPN concentrators

From: Schouten, Diederik (Diederik) (dschout@lucent.com)
Date: 08/30/02


From: "Schouten, Diederik (Diederik)" <dschout@lucent.com>
To: "'Nilesh Chaudhari'" <nileshch@yahoo.com>, firewall-wizards@honor.icsalabs.com
Date: Fri Aug 30 09:58:01 2002


>                      DMZ
>                       |
>                       +--(ids)
>                       |
> inet=====rtr---+--firewall---internal
>        [+vpn]  |
>                |
>              (ids)

 
Just a comment, you probably thought of it anyway.

A spoofing check on the router is now quite important.
Else someone could force packets from the internet into your VPN, depending
on a bridging or routed setup, just bounce the packets off the firewall, or
directly within the router.

Also, ok, worst case scenario, but still required to think about... if your
VPN service on the router fails, will the rtr keep passing the traffic from
your internal LAN to the remote location?
So that your normally "secure" traffic goes in the open?
Or will it block the traffic that normally should have gone into the VPN?

When using private addresses this might not look like a problem, depending
where the traffic gets dropped.

How many interfaces does your firewall have?
Can't you terminate the VPN through the firewall on a different leg?
Ok, it would require another device, but seems better controllable.

>                      DMZ
>                       |
>                       +--(ids)
>                       |
> inet=====rtr---+--firewall---internal
>                |      |
>                |      |
>              (ids)   VPN

Since you probably want a cost saving solution (since you technically
terminate your VPN in an unsecure location), I would prefer a [firewall+VPN]
device though.

Greetings,

        Diederik
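
The two checks raised in the message above (a spoofing check on the router, and blocking rather than leaking VPN-bound traffic when the tunnel is down) can be modelled as one forwarding decision. This is an added example, not part of the original post; the address ranges, interface names and the `decide` function are constructed assumptions.

```python
"""Model of the forwarding decision on a router that also terminates the VPN."""
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration (not from the original post).
INTERNAL_NET = ip_network("10.1.0.0/16")   # local LAN behind the firewall
REMOTE_NET = ip_network("10.2.0.0/16")     # remote site reached through the VPN
# Sources that must never arrive from the internet side in the clear.
SPOOFABLE = [INTERNAL_NET, REMOTE_NET, ip_network("127.0.0.0/8")]


def decide(in_iface, src, dst, tunnel_up, decrypted=False):
    """Return 'drop', 'encrypt' or 'forward' for one packet.

    in_iface:  'outside' (internet side) or 'inside' (towards the firewall).
    decrypted: True only if the packet came out of the VPN tunnel itself.
    """
    src, dst = ip_address(src), ip_address(dst)

    # Spoofing check: a cleartext packet on the outside interface that claims
    # an internal or remote-site source is forged and must not be forwarded.
    if in_iface == "outside" and not decrypted:
        if any(src in net for net in SPOOFABLE):
            return "drop"

    # Traffic that did come out of the tunnel must carry a remote-site source.
    if decrypted and src not in REMOTE_NET:
        return "drop"

    # Fail closed: traffic selected for the VPN is never sent in the clear.
    if in_iface == "inside" and dst in REMOTE_NET:
        return "encrypt" if tunnel_up else "drop"

    return "forward"
```
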


