Re: [fw-wiz] VPN endpoints

From: Kevin Sheldrake (
Date: 08/25/04

    To: hermit921 <>,
    Date: Wed, 25 Aug 2004 16:01:57 +0100

    It really depends upon a risk assessment particular to your needs.

    If you consider the remote users to be as trusted as your internal
    users, the authentication provided by the VPN products to be sufficient to
    mitigate spoofing, and the encryption strength to be sufficient from both
    a crypto and end-point attack, then you can pretty much connect the VPNs
    to the internal LAN.

    However, most organisations will view remote connections as being less
    trusted. This is often due to the unknown state of the remote workstation
    and concerns over the trust placed in the authentication mechanisms. From
    that perspective you'd be better off protecting the VPN end-point, and the
    internal LAN, by terminating the VPNs in a DMZ and restricting the access
    remote workstations get to the internal network.

    When considering your options, think about what actual network and
    information access the remote users require. If it's full connectivity
    (as if they were local users) then you'll want to ensure that the
    authentication and encryption technologies meet your requirements for


    > We are planning to put a VPN endpoint at our site for remote access. We
    > know nothing about the remote client computers, we just provide an
    > authentication mechanism for the users. The question concerns where we
    > put the VPN endpoint on our network.
    > I figure it this way: 2 VPN device interfaces, either of which can go
    > outside the firewall, on a DMZ, or inside the firewall. That gives us 9
    > possible arrangements, some of which are ridiculous, but fun to
    > consider. We came down to two configurations.
    > One approach is putting the internal interface on a DMZ. The other
    > approach is to have the VPN bypass the firewall entirely. I am looking
    > for advice on which approach is better, and reasons why.
    > hermit921
    > _______________________________________________
    > firewall-wizards mailing list

    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Bournemouth) Ltd
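    As an added example, not part of this thread or Kevin's reply, the "terminate the VPN in a DMZ and restrict what remote workstations reach" design rendered as an nftables ruleset. Interface names, addresses, the client pool and the handful of permitted internal services are assumptions; the script only prints the ruleset for review.

```shell
#!/bin/sh
# Added example (not from the thread): nftables policy for a VPN
# concentrator placed in a DMZ. All names and addresses are assumed.
set -eu

WAN_IF=${WAN_IF:-eth0}             # Internet-facing interface (assumed)
DMZ_IF=${DMZ_IF:-eth1}             # DMZ holding the VPN concentrator (assumed)
LAN_IF=${LAN_IF:-eth2}             # internal LAN (assumed)
VPN_GW=${VPN_GW:-192.0.2.10}       # concentrator's DMZ address (documentation range)
VPN_POOL=${VPN_POOL:-10.99.0.0/24} # addresses handed to remote workstations (assumed)
MAIL_SRV=${MAIL_SRV:-10.0.0.25}    # the few internal services remote users need (assumed)
FILE_SRV=${FILE_SRV:-10.0.0.30}

# Print the ruleset to stdout; load it with `nft -f` only after review.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Only IKE (UDP 500/4500) and ESP may reach the concentrator from the Internet.
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $VPN_GW udp dport { 500, 4500 } accept
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $VPN_GW ip protocol esp accept
    # Decrypted client traffic leaves the DMZ with pool addresses; permit only
    # the services remote users actually require, nothing else.
    iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $VPN_POOL ip daddr $MAIL_SRV tcp dport { 143, 993, 587 } accept
    iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $VPN_POOL ip daddr $FILE_SRV tcp dport 445 accept
    # Anything else from the VPN pool toward the LAN is logged, then dropped.
    iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $VPN_POOL log prefix "vpn-pool-denied: " counter drop
  }
}
EOF
}

# Number of explicit accept rules in the rendered policy (sanity check).
count_accepts() { gen_ruleset | grep -c ' accept$'; }
```

Run `sh vpn-dmz.sh | nft -c -f -` to syntax-check the rendered ruleset before loading it.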
