[fw-wiz] Integrated VPN/FW Paranoia

Hi all,

Well, for months I've been saying: "When you get the VPN, we'll put it on
its own subnet/vlan behind the firewall." Now, I can see the administrative
pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
Value engineering, IMO.

If we have to 'restart' the VPN for some reason, I don't want to restart the
firewall. Further, I want the VPN traffic dumped where our IDS can see it
before it goes elsewhere (hence the desire to put it on its own subnet). I
realize I'm somewhat inexperienced here, so any opinions from the list
members would be appreciated.

Would you put an integrated device in front of your class B network and
expect it to both protect (fw) and serve (vpn)?

If you had to support both internal customers using VPN for auth/encrypt
access to 'special' ports related to secured apps as well as remote
customers just trying to use vanilla 'lan' apps would you put your VPN on
the border?

Thanks much!
firewall-wizards mailing list
