Re: [fw-wiz] Integrated VPN/FW Paranoia



On 5/22/06, Cary, Kim <Kim.Cary@xxxxxxxxxxxxxx> wrote:
Well, for months I've been saying: "When you get the VPN, we'll put it on
its own subnet/vlan behind the firewall." Now, I can see the administrative
pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
Value engineering, IMO.

This,IMHO, is what Cisco wants you to deploy.
Not that it is a bad approach, just lacking defense-in-depth.


If we have to 'restart' the VPN for some reason,
I don't want to restart the firewall

Nor vice-versa. In my environment we have different teams handling
routing (including site-to-site VPN) and security (including end-user
VPN). And it's a toss-up into which camp a Cisco "firewall blade" or
ASA device would fall, so we have political reasons for distinct
hardware for each function.


Would you put an integrated device in front of your class B network and
expect it to both protect (fw) and serve (vpn)?

I wouldn't -- unless budget is the prime (sole) driving force.

Generally what I've deployed is a (stateful, if money permits) packet
filter on the outermost edge, with a dedicated VPN tunnel-terminator
device (VAM, etc) behind the first layer of filtering. An interface
on the VPN device connects into a "real" firewall where traffic from
VPN, vendors, and other foreign networks is inspected.

Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • RE: Sandboxing
    ... the 3Com Embedded Firewall would be extremely useful and enabling (in ... your case) when you look at it in a VPN context. ... This security policy will accomplish quite a few things: ... During the Policy Server installation, ...
    (Focus-IDS)
  • Re: Firewall Info/Recommendations?
    ... I would seriously consider an air-gap solution. ... Let me outline a few features that no other firewall can touch. ... Provide secure access without a VPN from any web browser (this greatly ... > manageable without much higher-level support if you want things like ...
    (comp.security.firewalls)
  • Re: [fw-wiz] Integrated IDS/IPS/Firewall (Cisco ASA and Juniper ISG)
    ... complexity and architectural inelegance of having 3-5 gateway security ... VPN) convinced me to eventually champion a migration to Symantec's SGS ... Nice balance of "default deny" at the firewall, ...
    (Firewall-Wizards)
  • Re: VPN Firewall for new webserver
    ... > I'm setting up a webserver at a colocation and I need to put a VPN ... You're not going to get a quality firewall for that amount, ... and D-Link makes a DI-804HV unit ... users access to the SQL server, let them do it through a VPN session. ...
    (comp.security.firewalls)
  • Re: two winxp home machines, varied results
    ... >The only firewall I have on my machine *aside* from the Cisco VPN ... Please don't change "restrictAnonymoussam", only ... >Here is the IPCONFIG and BROWSTAT listings for each machine. ...
    (microsoft.public.windowsxp.network_web)