Network segregation via IPsec gateways?



Hi all,

I have the following network set-up:

There is a router with 1 WAN port and 2 LAN ports. I want to deploy
IPsec gateways for both LANs to enforce security, i.e. only encrypted
traffic may enter or leave the LANs through the IPsec gateways. To
further ensure that access from one LAN to the other is not possible,
I would deploy a separate IPsec gateway for each LAN. I am thinking of
deploying IPsec gateways that are physically separated from the
router, as shown in the following sketch:

            +---------------+        +-----------+
LAN1--------| IPsec gateway |--------|           |
            +---------------+        |           |
                                     |  Router   |------WAN
            +---------------+        |           |
LAN2--------| IPsec gateway |--------|           |
            +---------------+        +-----------+


Alternatively, I could deploy the IPsec gateways in the router, saving
me from deploying 2 additional hardware boxes for the IPsec gateways
as shown in the config. above. This could be done by virtualisation of
the IPsec gateways, or by simply implementing a single IPsec gateway
in the router that serves both LANs.

However, my "feeling" is that this may be less secure in terms of
vulnerability to hackers from the WAN or the LAN side (i.e. a hacker
from LAN1 wanting to gain access to LAN2), but I am not able to
justify this...

Can anyone share his/her opinion on whether the 3 different configs.
are equivalent in terms of security and vulnerability to hacks? Any
hint on how to assess this is appreciated. Thanks!
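One way to make the difference between the designs concrete, as an added example that is not part of the original post: in the single-router variant, the "only encrypted traffic" rule and the LAN1/LAN2 isolation are no longer physical properties of the wiring but a few forwarding rules on one host, so assessing that design means checking those rules. The script below generates a Linux netfilter ruleset (iptables-restore format) using the real `policy` match, which tests whether a packet was decrypted by IPsec on the way in (`--dir in`) or will be encrypted on the way out (`--dir out`). Interface names (eth0/eth1/eth2) and subnets are assumptions chosen for illustration; the IPsec policies themselves still come from the IKE daemon's configuration, which is not shown.

```shell
#!/bin/sh
# Added example: netfilter rules for a single Linux router that hosts
# the IPsec gateway for both LANs. Interface names and subnets below are
# assumptions for illustration, not taken from the original post.
WAN=eth0
LAN1=eth1
LAN2=eth2
LAN1_NET=10.1.0.0/24
LAN2_NET=10.2.0.0/24

# Emit the ruleset in iptables-restore format. Lines starting with '#'
# are comments that iptables-restore ignores, so the text can be reviewed
# as-is and later loaded atomically.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Hard isolation between the LANs, by interface and by address. The
#    address rules also catch LAN1->LAN2 traffic that arrives hairpinned
#    through a tunnel (decrypted packets re-enter FORWARD with -i $WAN).
-A FORWARD -i $LAN1 -o $LAN2 -j DROP
-A FORWARD -i $LAN2 -o $LAN1 -j DROP
-A FORWARD -s $LAN1_NET -d $LAN2_NET -j DROP
-A FORWARD -s $LAN2_NET -d $LAN1_NET -j DROP
# 2. A LAN packet may leave only if an IPsec tunnel policy will encrypt it.
-A FORWARD -i $LAN1 -o $WAN -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -i $LAN2 -o $WAN -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
# 3. A packet may enter a LAN only if it was just decrypted from a tunnel.
-A FORWARD -i $WAN -o $LAN1 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
-A FORWARD -i $WAN -o $LAN2 -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
# 4. The router itself accepts only IKE (UDP 500/4500) and ESP from the WAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN -p esp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check 1: both interface-level LAN1<->LAN2 DROPs exist and precede every
# ACCEPT in FORWARD, so no later rule can override the isolation.
check_isolation_first() {
    gen_ruleset | awk -v l1="$LAN1" -v l2="$LAN2" '
        BEGIN { found = 0; bad = 0; seen_accept = 0 }
        /^-A FORWARD .*-j ACCEPT$/ { seen_accept = 1 }
        $0 == "-A FORWARD -i " l1 " -o " l2 " -j DROP" ||
        $0 == "-A FORWARD -i " l2 " -o " l1 " -j DROP" {
            found++
            if (seen_accept) bad = 1
        }
        END { exit (found == 2 && !bad) ? 0 : 1 }'
}

# Check 2: no FORWARD ACCEPT lacks an IPsec policy match; such a rule
# would be exactly the cleartext leak the design is meant to rule out.
check_no_cleartext_accept() {
    ! gen_ruleset | grep '^-A FORWARD' | grep -- '-j ACCEPT' \
        | grep -v -- '--pol ipsec' | grep -q .
}

# Usage: "./segregate.sh" prints the ruleset for review;
#        "./segregate.sh apply" loads it (requires root and iptables).
case "${1:-}" in
    apply) gen_ruleset | iptables-restore ;;
    *)     gen_ruleset ;;
esac
```

The two check functions are the kind of assessment the question asks for: in the collapsed design the segregation guarantee reduces to "the cross-LAN DROP rules come first and every ACCEPT is conditioned on IPsec", and a single misordered or unconditioned rule (or an administrator with shell access to the one box) removes it, whereas with two physically separate gateways there is no forwarding path between the LANs to misconfigure in the first place.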


