RE: [fw-wiz] L2L VPN redundancy for T1 link

From: Stewart, John (johns_at_artesyncp.com)
Date: 04/20/05

  • Next message: Stewart, John: "RE: [fw-wiz] L2L VPN redundancy for T1 link" 
    To: firewall-wizards@honor.icsalabs.com
Date: Wed, 20 Apr 2005 12:34:21 -0500

    Paul Melson wrote:
    > Can we safely assume that, since the other devices in the mix
    > here are Cisco products that when you say "firewall" that you're
    > talking about a PIX? (Hence the reluctance to ask the firewall
    > to do any routing?)

    Actually, no. It is a Raptor firewall. I was not a PIX fan the last time I
    had to deal with them (which, admittedly, was quite some years ago and I
    understand they have improved).

    The reason I am reluctant to have the firewall run any routing protocols is
    I think it's just not a good idea to have anything but static routes on a
    firewall (right??). Seems like a possible vector of attack that is not worth
    the benefit.
     
    > You might be able to eliminate the RAS network and attach the 3005
    > to your internal network, and configure it to do RRI and OSPF with
    > the 2811 to get path failover there. But that still requires that
    > all traffic passes through the 2811, it just happens behind the
    > firewall instead of outside. It also means that you are stuck using
    > the 3005's filtering capabilities to filter VPN
    > clients and tunnels, which are sub par (to be kind).

    Aye, to be very kind. I think I would be much more comfortable with the
    internal router having an interface on the Internet network than to rely on
    the 3005's filtering capabilities.

    > The better option would be to replace the current
    > firewall/VPN gear with devices that are designed for
    > this type of failover scenario. :-\

    Could you elucidate on this? What gear would do?

    Thank you

    johnS
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Stewart, John: "RE: [fw-wiz] L2L VPN redundancy for T1 link"

    Relevant Pages

    • Re: Kindly help me with this PIX problem
      ... If you have read the configuration that I posted, ... firewall configuration didn't change over many years and it did work ... PIX, our company cannot send or receive email. ... That command allows ssh to the PIX, ...
      (comp.dcom.sys.cisco)
    • Re: Firewall for laptops, corporation with 1,000 laptops
      ... I disagree completely that all you need is a PIX to protect your network, ... PIX does nothing to protect you from VPN ... alerting, which are essential to a firewall solution, are lacking.] ... the PIX firewall does nothing to protect a roaming laptop from ...
      (microsoft.public.security)
    • Re: Cisco PIX fixup protocol command
      ... The PIX is a stateful firewall and maintains state on ... The reason why a security evaluation might result in a recommendation to ... is no need to have the SMTP fixup enabled. ...
      (Security-Basics)
    • RE: Hardware Firewall vs Software Firewall
      ... Hardware Firewall vs Software Firewall ... will drive the price to the point where the PIX is more cost effective. ... on a router ACL unless you're using the CSPM, ...
      (Security-Basics)
    • RE: [fw-wiz] insecurity in internet connection thro cable modems
      ... They are both similar firewall types, but if you're partial to the PIX CLI ... If I'm building a larger VPN infrastructure though, ... > Netscreens. ...
      (Firewall-Wizards)