RE: [fw-wiz] VPN endpoints

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 08/25/04

    To: "hermit921" <hermit921@yahoo.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 25 Aug 2004 10:49:05 -0400
    
    

    The placement isn't as important as planning access controls for remote
    users accessing the internal network. I'm sure that any auditor that
    might look at this would feel better if the firewall sat between the
    inside network and the VPN device. But, some VPN devices support
    granular access controls on decrypted packets that make a separate
    firewall redundant, possibly unnecessary. Of course, if the product you
    have selected is not capable of doing that, or if you'd simply prefer to
    use the firewall (for performance, logging/monitoring, or staff
    utilization issues), then it makes sense to put the firewall between the
    VPN device and the inside network.

    PaulM

    > -----Original Message-----
    > We are planning to put a VPN endpoint at our site for remote access. We
    > know nothing about the remote client computers, we just provide an
    > authentication mechanism for the users. The question concerns where we
    > put the VPN endpoint on our network.
    >
    > I figure it this way: 2 VPN device interfaces, either of which can go
    > outside the firewall, on a DMZ, or inside the firewall. That gives us 9
    > possible arrangements, some of which are ridiculous, but fun to
    > consider. We came down to two configurations.
    >
    > One approach is putting the internal interface on a DMZ. The other
    > approach is to have the VPN bypass the firewall entirely. I am looking
    > for advice on which approach is better, and reasons why.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
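The reply above turns the placement question into a single test: for each arrangement, what device gets to apply access controls (and logging) to the decrypted remote-user packets before they reach the inside network? The following is an added example, not code from the thread or from any vendor; it enumerates all nine interface placements the original poster describes (each of the two VPN interfaces outside the firewall, on a DMZ, or inside) and reports which enforcement points cover decrypted traffic under the two assumptions the reply contrasts, a VPN device with and without its own granular ACLs. The single-firewall, one-interface-per-zone topology it assumes is a constructed simplification.

```python
from itertools import product

# The three places a VPN device interface can be attached, per the original
# question: outside the firewall, on a DMZ, or inside the firewall.
ZONES = ("outside", "dmz", "inside")


def firewall_between(zone_a, zone_b):
    """Constructed assumption: one firewall with an interface in every zone,
    so any packet moving from one zone to a different zone crosses it."""
    return zone_a != zone_b


def enforcement_points(outer_zone, inner_zone, vpn_granular_acl):
    """List the devices able to filter *decrypted* remote-user traffic on its
    way from the VPN's inner interface to hosts on the inside network.

    outer_zone: zone of the VPN interface that terminates the encrypted tunnel
    inner_zone: zone of the VPN interface that emits decrypted packets
    vpn_granular_acl: True if the VPN device itself can filter decrypted packets
    """
    points = []
    if vpn_granular_acl:
        points.append("vpn-acl")
    if firewall_between(inner_zone, "inside"):
        points.append("firewall")
    return points


def assess(outer_zone, inner_zone, vpn_granular_acl):
    """Describe one arrangement: enforcement points plus the concerns an
    auditor would raise about it."""
    points = enforcement_points(outer_zone, inner_zone, vpn_granular_acl)
    notes = []
    if not points:
        notes.append("decrypted traffic reaches the inside with no access control")
    if outer_zone == "inside":
        # The encrypted tunnel endpoint itself would have to be reachable from
        # the Internet, so the firewall must pass Internet traffic into the
        # inside zone: one of the 'ridiculous' arrangements.
        notes.append("firewall must pass Internet traffic to the inside zone")
    if vpn_granular_acl and "firewall" not in points:
        # Only the VPN device sees the cleartext; firewall logging is lost.
        notes.append("only the VPN device filters and logs decrypted traffic")
    return {"outer": outer_zone, "inner": inner_zone,
            "enforcement": points, "notes": notes}


def all_arrangements(vpn_granular_acl):
    """All 9 (outer, inner) placements, in product order."""
    return [assess(o, i, vpn_granular_acl) for o, i in product(ZONES, ZONES)]


def unmediated(vpn_granular_acl):
    """Placements where decrypted traffic is filtered by nothing at all."""
    return [(a["outer"], a["inner"]) for a in all_arrangements(vpn_granular_acl)
            if not a["enforcement"]]


if __name__ == "__main__":
    for acl in (False, True):
        print(f"VPN device has granular ACLs on decrypted packets: {acl}")
        for a in all_arrangements(acl):
            print(f"  outer={a['outer']:<8} inner={a['inner']:<8} "
                  f"enforcement={a['enforcement']}  {'; '.join(a['notes'])}")
```

Run as a script, the table makes the reply's point concrete: with no VPN-side ACLs, every placement that puts the decrypted interface directly on the inside (including the "bypass the firewall entirely" option) leaves remote users unfiltered, while putting that interface on a DMZ always keeps the firewall, and its logs, in the path.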
