Firewall Wizards mailing list archives
Re: Placement of a VPN Appliance
From: dharris () kcp com
Date: Thu, 4 Jan 2001 13:48:32 -0600
So... What have you done to ensure that the system(s) on the other end of the VPN are obeying your security policy? The way I see it, if you land the VPN on your protected network then you must have some assurance that both ends of your VPN are on networks with compatible security policies. At the least you would want to be sure that the security policies at both ends are at or above a minimum required level.

Think of your site as having a security perimeter (or several perimeters), with policies enforced by a combination of physical, electronic, and administrative controls. When you land the VPN inside one of those security perimeters then you have logically defined the security perimeter to include whatever is on the other end of the VPN. If the policies or their enforcement are weaker at the other end of the VPN then you have effectively decreased the security of your site because your actual perimeter now has less-defended areas.

You may have already weighed the risks of doing this and decided that they are outweighed by the benefits. Your remote site(s) may have the same policies and enforcement levels as your local site, which is possibly the case if the other end of the VPN is part of your corporate or administrative structure. If so, more power to you.

If, on the other hand, you are using VPNs for connecting roving users, you probably should rethink your architecture. Unless you control your roving users, their spouses, kids, significant others, and all the environments into which they rove, then you have effectively breached at least some of your local site protections.

Delmer D. Harris, CISSP

Jeffery.Gieser () minnesotamutual com@nfr.com on 01/04/2001 09:02:54 AM
Sent by: firewall-wizards-admin () nfr com
To: "Crist Clark" <crist.clark () globalstar com>, firewall-wizards () nfr com
cc:
Subject: Re: [fw-wiz] Placement of a VPN Appliance

We recently had the same issue where I work. I decided to place the public side of the VPN device on a DMZ and the private side on our internal network. This was done for the following reasons.

1. If every device has X number of vulnerabilities then having two devices of different types on the Internet gives us X + X number of different vulnerabilities.

2. The firewall really can't do much filtering for the VPN device for ISAKMP, AH, or ESP, but it can stop any other traffic from reaching the VPN device that isn't one of these three protocols.

3. I would place the public side of the VPN on the DMZ because I wouldn't want potentially dirty traffic on my internal network before it reached its checkpoint.

4. Placing the private side of the VPN device in front of a firewall defeats the purpose of a firewall since you usually want the people on the other side of the VPN to have full access to your internal network. My firewall rules would look like Swiss cheese if I did that.

Regards,
Jeffery Gieser

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
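Point 2 of the quoted reply (the firewall cannot inspect the IPsec traffic itself, but it can make sure only ISAKMP, AH and ESP ever reach the appliance's public leg) as an added example, not code from either poster or from any product the thread mentions: a small POSIX shell script that encodes that decision as a function, evaluates a few constructed packets against it, and prints the equivalent iptables FORWARD rules for the outside-to-DMZ direction. The appliance address 192.0.2.10, the interface names, and the choice of iptables as the firewall are all assumptions made for illustration; the thread names no product.

```shell
#!/bin/sh
# Added example (not from the list post). Models the "only ISAKMP, AH and ESP
# reach the VPN appliance" rule from Jeffery Gieser's point 2.
# Assumed values: appliance DMZ address 192.0.2.10 (documentation range),
# outside interface eth0, DMZ interface eth1.

VPN_PUBLIC_IP="192.0.2.10"   # assumed public (DMZ-side) address of the appliance
OUTSIDE_IF="eth0"            # assumed Internet-facing firewall interface
DMZ_IF="eth1"                # assumed DMZ-facing firewall interface

# vpn_edge_policy <ip_proto> <dst_ip> [<dst_port>]
#   ip_proto: udp, esp, ah (names or the IP protocol numbers 17, 50, 51),
#             or anything else (tcp, icmp, ...), which is dropped.
#   Returns 0 for ALLOW and 1 for DROP. Only traffic addressed to the
#   appliance's public side is in scope; anything else is rejected here.
vpn_edge_policy() {
    proto="$1"; dst="$2"; port="${3:-}"
    [ "$dst" = "$VPN_PUBLIC_IP" ] || return 1
    case "$proto" in
        udp|17)
            # ISAKMP / IKE key exchange; no other UDP service is exposed.
            [ "$port" = "500" ] && return 0
            return 1 ;;
        esp|50) return 0 ;;   # IPsec Encapsulating Security Payload
        ah|51)  return 0 ;;   # IPsec Authentication Header
        *)      return 1 ;;   # TCP, ICMP, other UDP: never reaches the appliance
    esac
}

# print_iptables_fragment prints (does not execute) the FORWARD-chain rules
# that implement the same policy for packets arriving from the outside and
# bound for the appliance on the DMZ.
print_iptables_fragment() {
    cat <<EOF
# outside -> DMZ, destination = VPN appliance public address only
iptables -A FORWARD -i $OUTSIDE_IF -o $DMZ_IF -d $VPN_PUBLIC_IP -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $OUTSIDE_IF -o $DMZ_IF -d $VPN_PUBLIC_IP -p esp -j ACCEPT
iptables -A FORWARD -i $OUTSIDE_IF -o $DMZ_IF -d $VPN_PUBLIC_IP -p ah -j ACCEPT
iptables -A FORWARD -i $OUTSIDE_IF -o $DMZ_IF -d $VPN_PUBLIC_IP -j DROP
EOF
}

# Constructed sample packets: "proto dst_ip [port]". Two are legitimate
# tunnel traffic, one is an IKE exchange, the rest are things a firewall
# should keep away from the appliance (a TCP service probe, SNMP, and ESP
# aimed at some other DMZ host).
for pkt in "udp 192.0.2.10 500" "esp 192.0.2.10" "ah 192.0.2.10" \
           "tcp 192.0.2.10 22" "udp 192.0.2.10 161" "esp 192.0.2.99"; do
    set -- $pkt
    if vpn_edge_policy "$1" "$2" "${3:-}"; then
        echo "ALLOW $pkt"
    else
        echo "DROP  $pkt"
    fi
done

echo
print_iptables_fragment
```

The rules cover only the outside-to-DMZ direction; the appliance's replies need either a mirrored rule set or a stateful firewall that tracks the ESP/AH flows. Two things the 2001 post predates are worth adding to such a rule set in practice: IKE peers usually source their packets from UDP port 500 as well, and IPsec NAT traversal encapsulates ESP in UDP port 4500, so a firewall that only passes the three protocols named in the post will silently break tunnels that cross a NAT.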
Current thread:
- Placement of a VPN Appliance Crist Clark (Jan 03)
- <Possible follow-ups>
- RE: Placement of a VPN Appliance Ben Nagy (Jan 03)
- Re: Placement of a VPN Appliance Crist Clark (Jan 03)
- Re: Placement of a VPN Appliance Jeffery . Gieser (Jan 04)
- Re: Placement of a VPN Appliance Bill_Royds (Jan 04)
- RE: Placement of a VPN Appliance Stewart, John (Jan 04)
- RE: Placement of a VPN Appliance Bob . Eichler (Jan 04)
- RE: Placement of a VPN Appliance Jeffery . Gieser (Jan 04)
- RE: Placement of a VPN Appliance Ben Nagy (Jan 04)
- RE: Placement of a VPN Appliance Ben Nagy (Jan 04)
- Re: Placement of a VPN Appliance dharris (Jan 04)
- Re: Placement of a VPN Appliance R. DuFresne (Jan 05)
- Re: Placement of a VPN Appliance JB (Jan 08)
- Re: Placement of a VPN Appliance R. DuFresne (Jan 05)
- RE: Placement of a VPN Appliance David Bovee (Jan 05)
- Re: Placement of a VPN Appliance Jeffery . Gieser (Jan 05)
- Re: Placement of a VPN Appliance dharris (Jan 05)