RE: VPN concentrator placement

From: Steve Frost (steve.frost@rbk.kingston.gov.uk)
Date: 09/09/02


From: Steve Frost <steve.frost@rbk.kingston.gov.uk>
To: 'netsec novice' <netsec9@hotmail.com>
Date:  Mon, 9 Sep 2002 10:34:33 +0100 

Hi there

When I assisted in setting up our Cisco VPN Concentrator with an outside
contractor, we used a port on our Pix 515 to plug the public port of the
concentrator into and plugged the private port on to our network, so that we
have a firewall between us and the outside world. We then configured the Pix
to route inbound VPN connections from the Internet through to the
concentrator.

I believe this is described in one of the Cisco docs:
http://www.cisco.com/warp/public/471/top_issues/vpn/3kvpncon_index.shtml
A good diagram is in
http://www.cisco.com/warp/public/471/ALTIGA_pix.html

So to answer your question: DO NOT bypass your firewall!!!!

The VPN Concentrator is not a firewall and has lots of holes out of the box
and needs to be kept up to date on the patches.

I hope this helps
Steve

-----Original Message-----
From: netsec novice [mailto:netsec9@hotmail.com]
Sent: 05 September 2002 21:56
To: security-basics@securityfocus.com
Subject: VPN concentrator placement

I am doing a new install of a Cisco VPN concentrator on our existing network
that contains a checkpoint firewall. Just trying to place it in the most
secure but best functional location. I guess the big question is parallel
to the firewall vs. on a DMZ. Cisco TAC won't provide design
recommendations (not sure why) so I'm looking for feedback from those out
there that have done this. Is the Cisco VPN concentrator secure enough to
completely bypass the firewall?

Opinions welcomed!!
