Re: VPN location on a PIX firewall

From: Derek Nash (dnash@tiny.net)
Date: 03/01/02


From: "Derek Nash" <dnash@tiny.net>
Date: Thu, 28 Feb 2002 18:33:10 -0600


"Sekurity Wizard (Ralph)" <rlos at enteredge dot com> wrote in message
news:u7svoscct8bsce@corp.supernews.com...
> As a security professional, I can say with certainty that there is no
> right answer to this. It depends on your architecture overall, but
>
> DMZ
> -I would not put it into a DMZ, then you have to allow DMZ traffic into
> your network - bad idea in general.

True, although based on your next statement it would make more sense to
place it here and control access rules between the DMZ segment and the
Trusted segment than placing it on the Untrusted segment and allowing inbound
access from that interface.

> In-Front
> - Make sure the box is hardened, and well-protected. This is probably
> the best place in my opinion

Disagree. Without being protected by that firewall, the VPN device decrypts
the data and exposes it on the untrusted network, where someone could
potentially intercept the now unencrypted packets.

> Behind
> -Nope, because you're assuming anyone that's got VPn access can roam
> your network - how much do you trust the client? What if the client is
> trojaned? What if a hacker gets a client w/userID and password?

Good VPN implementations are policy based and don't just blow an indiscriminate
hole through your firewall.

>
> Happy architecting, just some opinions,
>
> --rL (SekurityWizard)
>
> "Michael Anderson" <michael.anderson@fairchildsemi.com> wrote in message
> news:3c7be133$1@wansvr5...
> : As a consensus, should the VPN (which is a Nortel Contivity 2500/2600 with
> : Shasta firewall) reside in front of, behind, or in a DMZ on the PIX
> : (515UR) firewall? Please explain your reason as to why, and why not the
> : other two options.
> :
> : Thanks
> :
> :
>
>
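As an added example (not from the thread or either poster), here is what the DMZ placement argued for above looks like on the PIX side in PIX 6.x syntax: only IKE and ESP reach the concentrator from the outside, and decrypted client traffic may reach only named inside services. Interface names, addresses, the VPN client pool (192.168.60.0/24) and the three internal servers are assumed values, and the Contivity is assumed to route its client pool into the DMZ.

```cisco
: Added example, not the thread's own configuration. All addresses are constructed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz 192.168.50.1 255.255.255.0

: The concentrator sits in the DMZ at 192.168.50.10 (assumed) and is published
: on 203.0.113.3. From the Internet only IKE (UDP/500) and ESP may reach it.
static (dmz,outside) 203.0.113.3 192.168.50.10 netmask 255.255.255.255
access-list outside_in permit udp any host 203.0.113.3 eq isakmp
access-list outside_in permit esp any host 203.0.113.3
access-group outside_in in interface outside

: Decrypted client packets carry VPN pool addresses (assumed 192.168.60.0/24);
: return traffic for that pool is routed back to the concentrator.
route dmz 192.168.60.0 255.255.255.0 192.168.50.10 1

: Inside hosts are reachable from the DMZ without address translation.
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.0

: WEAK: this is the "indiscriminate hole" the reply warns about; every VPN
: client may reach every inside host on every port.
: access-list dmz_in permit ip any any

: SCOPED: VPN clients may reach only mail, the intranet web server and DNS;
: everything else from the DMZ is denied and logged for detection.
access-list dmz_in permit tcp 192.168.60.0 255.255.255.0 host 10.1.0.20 eq smtp
access-list dmz_in permit tcp 192.168.60.0 255.255.255.0 host 10.1.0.21 eq https
access-list dmz_in permit udp 192.168.60.0 255.255.255.0 host 10.1.0.10 eq domain
access-list dmz_in deny ip any any log
access-group dmz_in in interface dmz
```

The commented-out `permit ip any any` line is kept only to show the contrast; with the scoped list, a compromised or trojaned client is limited to the three listed services, and anything else it attempts shows up in the PIX log.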
