Firewall Wizards mailing list archives

Re: VPN and firewalls


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 7 Feb 1998 21:35:05 -0500 (EST)

On Fri, 6 Feb 1998, Rik Farrow wrote:

> I am curious about why people are choosing VPN solutions which
> are independent of firewalls, for example, Aventail or TimeStep.

Well, I'd choose it if I had to pass that VPN traffic through an 
application layer gateway, and wanted to clearly delineate that traffic 
as it hit the firewall, put it past an IDS, or if my end of the VPN had 
to be under the control of the operations staff, or if there was enough 
change (keys or files) on that gateway that I didn't want to have to 
constantly audit the bastion host.

> Do people poke these streams through their firewalls?

I sure wouldn't.

> Is it a matter of performance?

That's an argument to be made for off-bastion VPNing.

> Why pay extra for VPN capability which is already included in many firewalls?

Maybe the included solution isn't as auditable, or doesn't have strong 
enough crypto?

> I am looking for answers from people who have tried both methods:  using
> the VPN as standalone product or bundled with their firewall.

I'm just throwing out answers off the top of my head, I've been 
successful so far in having to extend my security boundaries with VPNs,
dial-up is bad enough...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
