RE: [fw-wiz] vpn end-point

From: Claussen, Ken (Ken_at_kccweb.com)
Date: 03/18/04

    To: "Shimon Silberschlag" <shimons@bll.co.il>, <firewall-wizards@honor.icsalabs.com>
    Date: Thu, 18 Mar 2004 13:25:29 -0500
    
    

    If possible I would end the VPN tunnel on the (edge) Router and then
    pass the traffic through the firewall. This provides the ability to
    set up rules for specific protocols/ports much more easily. If
    terminating to a Pix firewall it becomes difficult to create access
    lists for your VPN traffic. We used to dedicate one DMZ off the Pix for
    the VPN traffic at a previous employer. This is easy if your Edge router
    has an extra Ethernet port. Choose an RFC 1918 address range and create
    a transit network between the router and the DMZ interface. Add a route
    on the Edge router for the VPN traffic and set up firewall rules, voila.
    This is assuming you can get a Triple DES image for your router and it
    has the horsepower to handle the encryption/decryption. This will use a
    LOT of CPU on the termination point. Usually Edge routers have more
    available resources than firewalls in my experience. HTH.
    Ken

    -----Original Message-----
    From: Shimon Silberschlag [mailto:shimons@bll.co.il]
    Sent: Wednesday, March 17, 2004 10:23 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] vpn end-point

    Having to design multiple branches to main offices VPN, with the
    building block on the branch side limited to a router and a firewall,
    what would be your choice of ending the VPN tunnel, on the router or on
    the firewall?

    Shimon Silberschlag

    +972-3-9351572
    +972-51-207130

    _______________________________________________
    firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
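
The layout described in the reply above, sketched as an added configuration example (not part of the original thread and not the poster's actual configuration). All interface names, addresses and permitted services are constructed for illustration; PIX 6.x command syntax is assumed, and the IPsec crypto configuration on the router is omitted.

```cisco
! ---- Edge router (Cisco IOS): VPN tunnels terminate here ----
! Constructed addressing:
!   192.168.250.0/30  RFC 1918 transit network (router <-> PIX DMZ)
!   10.10.0.0/16      internal network behind the PIX
!   10.20.1.0/24      one branch LAN reached through the tunnel
interface FastEthernet0/1
 description Transit to PIX VPN DMZ (the spare Ethernet port)
 ip address 192.168.250.1 255.255.255.252
 no shutdown
!
! Decrypted branch traffic bound for the internal network is handed
! to the PIX DMZ interface instead of bypassing the firewall.
ip route 10.10.0.0 255.255.0.0 192.168.250.2

: ---- PIX (6.x syntax): dedicated DMZ for decrypted VPN traffic ----
nameif ethernet2 vpndmz security50
interface ethernet2 auto
ip address vpndmz 192.168.250.2 255.255.255.252
: Return path to the branch LAN points back at the edge router
route vpndmz 10.20.1.0 255.255.255.0 192.168.250.1 1
: Identity static so the lower-security DMZ can address inside hosts
static (inside,vpndmz) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
: Per-protocol/port rules, applied to traffic that is already decrypted
access-list vpn_in permit tcp 10.20.1.0 255.255.255.0 host 10.10.1.25 eq 25
access-list vpn_in permit tcp 10.20.1.0 255.255.255.0 host 10.10.1.80 eq 443
access-list vpn_in deny ip any any
access-group vpn_in in interface vpndmz
```

Because the firewall only ever sees cleartext arriving on `vpndmz`, the explicit `deny ip any any` entry gives a hit counter for branch traffic that falls outside the permitted services.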