RE: [fw-wiz] vpn end-point

• Previous message: Paul D. Robertson: "Re: [fw-wiz] Linux ARPD -- neighbor table overflow"
• In reply to: paul: "RE: [fw-wiz] vpn end-point"
• Next in thread: Frederick M Avolio: "RE: [fw-wiz] vpn end-point"
• Reply: Frederick M Avolio: "RE: [fw-wiz] vpn end-point"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: paul <paul@compuwar.net>, "Claussen, Ken" <Ken@kccweb.com>
Date: Fri, 19 Mar 2004 08:40:51 -0500

My experience as well. People tend to size access routers to perform
according to the WAN access connection rate.

I am surprised no one mentioned that terminating VPN at the firewall lets
you distinguish VPN traffic from all other traffic routed through the
firewall (without topological or addressing finagling), and protects VPN
traffic to the security policy enforcement point, e.g., across the "DMZ"
you have between the router and firewall (unless the router-firewall link
is a crossover cable, it's a network, and I've seen people throw IDS/IPS,
performance analysis devices, and gee, how about a web server there - and
that's only the list of systems they learn about).

At 05:12 PM 3/18/2004 -0500, paul wrote:

>This is the opposite of my experience. I've yet to see a router with
>enough CPU to do 3DES and handle significant traffic at the same time.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Paul D. Robertson: "Re: [fw-wiz] Linux ARPD -- neighbor table overflow"
• In reply to: paul: "RE: [fw-wiz] vpn end-point"
• Next in thread: Frederick M Avolio: "RE: [fw-wiz] vpn end-point"
• Reply: Frederick M Avolio: "RE: [fw-wiz] vpn end-point"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]