Re: [fw-wiz] VPN endpoints

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 08/25/04

  • Next message: anyluser: "RE: [fw-wiz] VPN endpoints"
    To: hermit921 <hermit921@yahoo.com>, firewall-wizards@honor.icsalabs.com
    Date: Wed, 25 Aug 2004 16:01:57 +0100
    
    

    It really depends upon a risk assessment particular to your needs.

    If you consider the remote users to be equally trusted as your internal
    users, the authenitcation provided by the VPN products to be sufficient to
    mitigate spoofing, and the encryption strength to be sufficient from both
    a crypto and end-point attack, then you can pretty much connect the VPNs
    to the internal LAN.

    However, most organisations will view remote connections as being less
    trusted. This is often due to the unknown state of the remote workstation
    and concerns over the trust placed in the authentication mechanisms. From
    that perspective you'd be better off protecting the VPN end-point, and the
    internal LAN, by terminating the VPNs in a DMZ and restricting the access
    remote workstations get to the internal network.

    When considering your options, think about what actual network and
    information access the remote users require. If it's full connectivity
    (as if they were local users) then you'll want to ensure that the
    authentication and encryption technologies meet your requirements for
    security.

    Kev

    > We are planning to put a VPN endpoint at our site for remote access. We
    > know nothing about the remote client computers, we just provide an
    > authentication mechanism for the users. The question concerns where we
    > put the VPN endpoint on our network.
    >
    > I figure it this way: 2 VPN device interfaces, either of which can go
    > outside the firewall, on a DMZ, or inside the firewall. That gives us 9
    > possible arrangements, some of which are ridiculous, but fun to
    > consider. We came down to two configurations.
    >
    > One approach is putting the internal interface on a DMZ. The other
    > approach is to have the VPN bypass the firewall entirely. I am looking
    > for advice on which approach is better, and reasons why.
    >
    > hermit921
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >
    >
    >

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Bournemouth) Ltd
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: anyluser: "RE: [fw-wiz] VPN endpoints"

    Relevant Pages

    • RE: Remote desktop over a VPN
      ... I understand the issue to be: you have created VPN ... from SBS to remote network, however you can not VPN to remote network from ... This issue may occur because the ISA Server Firewall Client program does ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote User Management
      ... The problem is management of remote computers and compliance ... when they do not have network ... We have been considering installing Site-Link VPN appliances at the ... establish connectivity to domain resources. ...
      (microsoft.public.windows.server.active_directory)
    • Re: VPN Connection to remote site.
      ... If you need further assistance about SBS and ISA in the future, please feel free to post back. ... >Subject: Re: VPN Connection to remote site. ... >problematic and we found that the EPOS PC tended to drop off the network ...
      (microsoft.public.windows.server.sbs)
    • Re: Remote site browsing and file access
      ... than routing typically causes for remote netbios name resolution). ... -- uses software VPN to connect 10.10.0.0/255.255.248.0 network to remote ... -- Server provides all local DNS and DHCP ...
      (microsoft.public.windows.server.sbs)
    • Re: RASd in : why traffic sent through VPN router ?
      ... inet gateway to 10+ secs when routed through remote VPN inet gateway. ... Exchange Server on the local network, ...
      (microsoft.public.windowsxp.network_web)