Re: [fw-wiz] Integrated VPN/FW Paranoia
- From: Kevin <kkadow@xxxxxxxxx>
- Date: Mon, 22 May 2006 18:15:30 -0500
On 5/22/06, Cary, Kim <Kim.Cary@xxxxxxxxxxxxxx> wrote:
> Well, for months I've been saying: "When you get the VPN, we'll put it on
> its own subnet/vlan behind the firewall." Now, I can see the administrative
> pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
> Value engineering, IMO.
This, IMHO, is what Cisco wants you to deploy.
Not that it is a bad approach, just lacking defense-in-depth.
> If we have to 'restart' the VPN for some reason,
> I don't want to restart the firewall
Nor vice-versa. In my environment we have different teams handling
routing (including site-to-site VPN) and security (including end-user
VPN). And it's a toss-up into which camp a Cisco "firewall blade" or
ASA device would fall, so we have political reasons for distinct
hardware for each function.
> Would you put an integrated device in front of your class B network and
> expect it to both protect (fw) and serve (vpn)?
I wouldn't -- unless budget is the prime (sole) driving force.
Generally what I've deployed is a (stateful, if money permits) packet
filter on the outermost edge, with a dedicated VPN tunnel-terminator
device (VAM, etc) behind the first layer of filtering. An interface
on the VPN device connects into a "real" firewall where traffic from
VPN, vendors, and other foreign networks is inspected.
Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
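The three-tier layout Kevin describes (edge packet filter, dedicated tunnel terminator, then a "real" firewall that inspects the decrypted traffic) expressed as firewall policy. This is an added example, not configuration from the thread or from any Cisco device; it assumes Linux nftables on the edge and inner boxes, and the addresses, pool, and interface names are made up for illustration (RFC 5737/1918 ranges). The VPN terminator in between is left as whatever hardware you own.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumed addressing:
#   203.0.113.10   public address of the dedicated VPN terminator
#   10.200.0.0/24  address pool handed to remote-access VPN clients
#   10.10.0.0/16   internal network behind the "real" firewall
# Edge box:  eth0 faces the Internet, eth1 faces the VPN terminator
# Inner box: vpn0 faces the terminator's inside interface, lan0 is internal
# Both tables are shown in one file for reading; each belongs on its own host.

flush ruleset

# ---------- Tier 1: stateful packet filter at the outermost edge ----------
# Only the tunnel protocols may reach the VPN terminator; nothing else passes.
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # IKE (500), NAT-T (4500) and ESP, inbound to the terminator only
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.10 udp dport { 500, 4500 } accept
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.10 ip protocol esp accept

        # Same protocols outbound from the terminator (ESP is not connection-tracked
        # like TCP, so the reverse direction needs its own explicit rule)
        iifname "eth1" oifname "eth0" ip saddr 203.0.113.10 udp dport { 500, 4500 } accept
        iifname "eth1" oifname "eth0" ip saddr 203.0.113.10 ip protocol esp accept

        log prefix "edge-drop: " drop
    }
}

# ---------- Tier 3: the "real" firewall behind the VPN terminator ----------
# Decrypted client traffic arrives on vpn0 and is treated as a foreign network:
# it must come from the client pool and may only reach named services.
table inet inner {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Example allowed services (assumed hosts): an HTTPS/RDP app server and a resolver
        iifname "vpn0" oifname "lan0" ip saddr 10.200.0.0/24 ip daddr 10.10.5.20 tcp dport { 443, 3389 } accept
        iifname "vpn0" oifname "lan0" ip saddr 10.200.0.0/24 ip daddr 10.10.1.53 udp dport 53 accept

        # Anything else from the VPN side (non-pool source, lateral movement) is logged and dropped
        iifname "vpn0" log prefix "vpn-drop: " drop
    }
}
```

The point of the split is visible in the rules: the edge filter knows nothing about users or internal services, only that IKE/ESP goes to one address; the inner firewall never sees ciphertext and applies the same per-service policy to VPN clients that it would to a vendor link. Because each tier is a separate host, rebooting or reconfiguring the terminator leaves both filters running, which is the operational concern raised at the top of the thread.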