RE: [fw-wiz] VPN endpoints

From: Smith, Aaron (SmithA_at_byui.edu)
Date: 08/25/04

    To: "hermit921" <hermit921@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 25 Aug 2004 08:49:42 -0600
    
    

    I think it really depends on the purpose of the VPN. I implemented a
    VPN solution that bypassed the firewall completely. Why? Because it is
    used for administrative network access, i.e. in case the firewall was out
    of whack.

    For client access, my preference is to protect the VPN's external
    interface by putting it in the DMZ. Then put the internal interface
    inside. That way you can filter packets where they should be
    filtered--at the firewall.

    @@ron Smith
    "Let smiths perform the work of smiths."

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    hermit921
    Sent: Tuesday, August 24, 2004 11:37 AM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] VPN endpoints

    We are planning to put a VPN endpoint at our site for remote access. We
    know nothing about the remote client computers, we just provide an
    authentication mechanism for the users. The question concerns where we
    put the VPN endpoint on our network.

    I figure it this way: 2 VPN device interfaces, either of which can go
    outside the firewall, on a DMZ, or inside the firewall. That gives us 9
    possible arrangements, some of which are ridiculous, but fun to
    consider. We came down to two configurations.

    One approach is putting the internal interface on a DMZ. The other
    approach is to have the VPN bypass the firewall entirely. I am looking
    for advice on which approach is better, and reasons why.

    hermit921

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

