Re: [fw-wiz] VPN endpoints
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
To: hermit921 <email@example.com>, firstname.lastname@example.org
Date: Wed, 25 Aug 2004 16:01:57 +0100
It really depends upon a risk assessment particular to your needs.
If you consider the remote users to be equally trusted as your internal
users, the authentication provided by the VPN products to be sufficient to
mitigate spoofing, and the encryption strength to be sufficient from both
a crypto and end-point attack, then you can pretty much connect the VPNs
to the internal LAN.
However, most organisations will view remote connections as being less
trusted. This is often due to the unknown state of the remote workstation
and concerns over the trust placed in the authentication mechanisms. From
that perspective you'd be better off protecting the VPN end-point, and the
internal LAN, by terminating the VPNs in a DMZ and restricting the access
remote workstations get to the internal network.
When considering your options, think about what actual network and
information access the remote users require. If it's full connectivity
(as if they were local users) then you'll want to ensure that the
authentication and encryption technologies meet your requirements for
> We are planning to put a VPN endpoint at our site for remote access. We
> know nothing about the remote client computers, we just provide an
> authentication mechanism for the users. The question concerns where we
> put the VPN endpoint on our network.
> I figure it this way: 2 VPN device interfaces, either of which can go
> outside the firewall, on a DMZ, or inside the firewall. That gives us 9
> possible arrangements, some of which are ridiculous, but fun to
> consider. We came down to two configurations.
> One approach is putting the internal interface on a DMZ. The other
> approach is to have the VPN bypass the firewall entirely. I am looking
> for advice on which approach is better, and reasons why.
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
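The difference between the two arrangements the thread settles on (VPN inner interface on the internal LAN versus VPN terminated in a DMZ with the firewall restricting what remote clients can reach) can be made concrete with a small policy model. The following is an added example, not code from the original post or from anyone on the list; all addresses, service hosts and ports are constructed placeholders, and the first-match evaluator is a simplification of how a real firewall processes its rule base.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for illustration only (not from the original thread).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to remote clients
INTERNAL = ipaddress.ip_network("10.0.0.0/16")     # the internal LAN
MAIL = ipaddress.ip_address("10.0.1.10")           # hypothetical mail server
FILES = ipaddress.ip_address("10.0.1.20")          # hypothetical file server


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


def evaluate(policy: List[Rule], src, dst, port: int) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for rule in policy:
        if src in rule.src and dst in rule.dst and (rule.port is None or rule.port == port):
            return rule.action
    return "deny"


def allowed_flows(policy: List[Rule], flows) -> List[Tuple]:
    """Return the subset of (src, dst, port) flows the policy permits."""
    return [f for f in flows if evaluate(policy, *f) == "allow"]


def audit(policy: List[Rule]) -> List[str]:
    """Flag rules that give the whole VPN pool unrestricted reach into the LAN,
    and policies that never end in an explicit deny (relying on the default)."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action == "allow" and rule.src == VPN_POOL and rule.dst == INTERNAL and rule.port is None:
            findings.append(f"rule {i}: VPN pool allowed to entire internal LAN on any port")
    if not policy or policy[-1].action != "deny":
        findings.append("policy has no explicit final deny for the VPN pool")
    return findings


# Arrangement A: VPN inner interface sits on the internal LAN. Once the tunnel
# is up nothing filters the remote client, modelled here as a single allow-all rule.
LAN_TERMINATED = [Rule(VPN_POOL, INTERNAL, None, "allow")]

# Arrangement B: VPN terminates in a DMZ; the firewall between DMZ and LAN
# permits only the named services and then explicitly denies everything else.
DMZ_TERMINATED = [
    Rule(VPN_POOL, ipaddress.ip_network(f"{MAIL}/32"), 993, "allow"),
    Rule(VPN_POOL, ipaddress.ip_network(f"{FILES}/32"), 445, "allow"),
    Rule(VPN_POOL, INTERNAL, None, "deny"),
]

# Constructed sample traffic from one remote client once its tunnel is established.
CLIENT = ipaddress.ip_address("10.200.0.15")
SAMPLE_FLOWS = [
    (CLIENT, MAIL, 993),                               # mail over IMAPS: intended
    (CLIENT, FILES, 445),                              # file shares: intended
    (CLIENT, FILES, 22),                               # SSH to the file server: not intended
    (CLIENT, ipaddress.ip_address("10.0.5.5"), 3389),  # RDP to an arbitrary LAN host: not intended
]

if __name__ == "__main__":
    for name, policy in (("LAN-terminated", LAN_TERMINATED), ("DMZ-terminated", DMZ_TERMINATED)):
        reachable = allowed_flows(policy, SAMPLE_FLOWS)
        print(f"{name}: {len(reachable)} of {len(SAMPLE_FLOWS)} sample flows allowed")
        for finding in audit(policy):
            print("  audit:", finding)
```

Running it shows the LAN-terminated arrangement letting all four sample flows through (and the audit flagging the allow-all rule), while the DMZ-terminated policy admits only the two intended services; the explicit final deny is there so that a later, broader allow rule cannot be appended below it without someone noticing during review.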