RE: [fw-wiz] VPN endpoints
From: Fetch, Brandon (BFetch_at_texpac.com)
Date: 08/25/04
- Previous message: Adam Graham: "[fw-wiz] VPN endpoints"
- Maybe in reply to: Adam Graham: "[fw-wiz] VPN endpoints"
- Next in thread: Smith, Aaron: "RE: [fw-wiz] VPN endpoints"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Wed, 25 Aug 2004 13:32:24 -0500
I think you'll find that there are two 'accepted' installation methods with
one some consider to be more secure than the other.
Terminate the VPN on either of these networks - DMZ or Inside.
If you're referring to a Cisco VPN concentrator with two interfaces (public
& private), the public obviously goes on the outside network with a publicly
accessible IP address.
Where the private interface goes is the big issue.
The more secure setup is 'terminating' the VPN on the DMZ as this allows you
to then filter any/all traffic that is coming in through the VPN using your
DMZ ACLs. You can have the VPN clients receive a different IP address scope
from the DMZ network hosts and then restrict where those IP addresses can
go.
If you're confident in your internal security and feel like letting your VPN
clients run rampant inside your corporate network then terminate the VPN on
the Inside network with an internally routable addressing scheme. However,
they're free to muck about with whatever/wherever they desire. :)
HTH!
Brandon Fetch
817-871-4036
-- carpe ductum -- "Grab the tape"
-----Original Message-----
From: hermit921 [mailto:hermit921@yahoo.com]
Sent: Tuesday, August 24, 2004 12:37 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] VPN endpoints
We are planning to put a VPN endpoint at our site for remote access. We
know nothing about the remote client computers, we just provide an
authentication mechanism for the users. The question concerns where we put
the VPN endpoint on our network.
I figure it this way: 2 VPN device interfaces, either of which can go
outside the firewall, on a DMZ, or inside the firewall. That gives us 9
possible arrangements, some of which are ridiculous, but fun to
consider. We came down to two configurations.
One approach is putting the internal interface on a DMZ. The other
approach is to have the VPN bypass the firewall entirely. I am looking for
advice on which approach is better, and reasons why.
hermit921
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Adam Graham: "[fw-wiz] VPN endpoints"
- Maybe in reply to: Adam Graham: "[fw-wiz] VPN endpoints"
- Next in thread: Smith, Aaron: "RE: [fw-wiz] VPN endpoints"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
