Firewall Wizards mailing list archives

Re: Placement of a VPN Appliance


From: dharris () kcp com
Date: Thu, 4 Jan 2001 13:48:32 -0600


So...

What have you done to ensure that the system(s) on the other end of the VPN
are obeying your security policy?  The way I see it, if you land the VPN on
your protected network then you must have some assurance that both ends of
your VPN are on networks with compatible security policies.  At the least
you would want to be sure that the security policies at both ends are at or
above a minimum required level.

Think of your site as having a security perimeter (or several perimeters),
with policies enforced by a combination of physical, electronic, and
administrative controls.  When you land the VPN inside one of those
security perimeters then you have logically defined the security perimeter
to include whatever is on the other end of the VPN.  If the policies or
their enforcement is weaker at the other end of the VPN then you have
effectively decreased the security of your site because your actual
perimeter now has less-defended areas.

You may have already weighed the risks of doing this and decided that they
are outweighed by the benefits.  Your remote site(s) may have the same
policies and enforcement levels as your local site, which is possibly the
case if the other end of the VPN is part of your corporate or
administrative structure.  If so, more power to you.  If, on the other
hand, you are using VPNs for connecting roving users, you probably should
rethink your architecture.  Unless you control your roving users, their
spouses, kids, significant others, and all the environments into which they
rove, then you have effectively breached at least some of your local site
protections.

                         Delmer D. Harris, CISSP




Jeffery.Gieser () minnesotamutual com@nfr.com on 01/04/2001 09:02:54 AM

Sent by:  firewall-wizards-admin () nfr com


To:   "Crist Clark" <crist.clark () globalstar com>, firewall-wizards () nfr com
cc:

Subject:  Re: [fw-wiz] Placement of a VPN Appliance



We recently had the same issue where I work.  I decided to place the public
side of the VPN device on a DMZ and the private side on our internal
network.  This was done for the following reasons.

1.  If every device has X number of vulnerabilities then having two devices
of different types on the internet gives us X + X number of different
vulnerabilities.

2.  The firewall really can't do much filtering for the VPN device for
ISAKMP, AH, or ESP but it can stop any other traffic from reaching the VPN
device that isn't one of these three protocols.

3.  I would place the public side of the VPN on the DMZ because I wouldn't
want potentially dirty traffic on my internal network before it reached
its checkpoint.

4.  Placing the private side of the VPN device in front of a firewall
defeats the purpose of a firewall since you usually want the people on the
other side of the VPN to have full access to your internal network.  My
firewall rules would look like Swiss cheese if I did that.

Regards,
Jeffery Gieser


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
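The filtering Jeffery describes in point 2 (the outer firewall cannot inspect ISAKMP, AH or ESP, but it can make sure nothing else reaches the VPN device's public side on the DMZ) is modelled below as an added example; it is not code from either post. The addresses, interface names and sample packets are constructed, and the iptables rendering assumes a Linux netfilter firewall, which the thread does not specify.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed topology for the example (not taken from the post): the VPN
# appliance's public side sits in the DMZ, its private side on the internal LAN.
VPN_PUBLIC = ip_address("198.51.100.10")

# IANA protocol numbers and the ISAKMP port for the three protocols the post names.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    """Minimal view of an Internet->DMZ packet: just the fields the filter decides on."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only meaningful for TCP/UDP


def permitted_to_vpn(pkt: Packet) -> bool:
    """Decide whether the outer firewall forwards pkt into the DMZ.

    Policy from the post: the firewall cannot look inside ISAKMP, AH or ESP,
    but it can ensure nothing else reaches the VPN device. In this model the
    appliance's public address is the only DMZ host exposed to the Internet.
    """
    if ip_address(pkt.dst) != VPN_PUBLIC:
        return False
    if pkt.proto == PROTO_UDP and pkt.dport == ISAKMP_PORT:
        return True  # ISAKMP / IKE key exchange
    if pkt.proto in (PROTO_ESP, PROTO_AH):
        return True  # IPsec data path
    return False  # e.g. SSH, SNMP or HTTP probes aimed at the appliance itself


def iptables_rules(outside_if: str = "eth0", dmz_if: str = "eth1") -> List[str]:
    """Render the same policy as Linux netfilter FORWARD rules.

    Interface names are constructed. Rule order matters: the final DROP
    catches everything the three ACCEPT rules did not match.
    """
    base = f"iptables -A FORWARD -i {outside_if} -o {dmz_if} -d {VPN_PUBLIC}"
    return [
        f"{base} -p udp --dport {ISAKMP_PORT} -j ACCEPT",
        f"{base} -p esp -j ACCEPT",
        f"{base} -p ah -j ACCEPT",
        f"iptables -A FORWARD -i {outside_if} -o {dmz_if} -j DROP",
    ]


# Constructed sample traffic: three legitimate IPsec packets and three probes.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", "198.51.100.10", PROTO_UDP, ISAKMP_PORT),  # IKE negotiation
    Packet("203.0.113.7", "198.51.100.10", PROTO_ESP),               # encrypted tunnel data
    Packet("203.0.113.7", "198.51.100.10", PROTO_AH),                # authenticated tunnel data
    Packet("203.0.113.9", "198.51.100.10", PROTO_TCP, 22),           # SSH attempt at the appliance
    Packet("203.0.113.9", "198.51.100.10", PROTO_UDP, 161),          # SNMP probe
    Packet("203.0.113.9", "198.51.100.25", PROTO_UDP, ISAKMP_PORT),  # ISAKMP to some other DMZ host
]


def apply_policy(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into what reaches the appliance and what the firewall drops."""
    allowed = [p for p in packets if permitted_to_vpn(p)]
    dropped = [p for p in packets if not permitted_to_vpn(p)]
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = apply_policy(SAMPLE_TRAFFIC)
    print(f"forwarded to VPN appliance: {len(allowed)}, dropped at firewall: {len(dropped)}")
    for line in iptables_rules():
        print(line)
```

The point of the model is the asymmetry the post relies on: the firewall never sees plaintext inside the tunnel, so the only protection it adds to the appliance is exposure reduction, and that depends on the DROP rule being the last word for the appliance's address.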



