Firewall Wizards mailing list archives

Re: VPN concentrators


From: Patrick Darden <darden () armc org>
Date: Mon, 26 Aug 2002 08:39:24 -0400 (EDT)


I don't agree.  Putting authenticated and authorized traffic through a
firewall is redundant.  IPSEC traffic is trusted traffic.  A VPN is an
extension of your network--it is as trusted as any traffic internal to
your network--perhaps more, as it can be completely accounted
for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:

     ds3 to internet
      |
      |
---------------
Bastion Router|
---------------
   |     |
   |      \
firewall   \
   |       vpn engine
   |           |
==================
internal network |
==================




--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Mon, 26 Aug 2002 scouser () paradise net nz wrote:

Off topic slightly, sorry.

Current best thinking is to terminate VPN tunnels inside an external firewall on
a DMZ, then traffic can be passed back through this or another firewall before
entering the internal network.

Complexity can lead to vulnerabilities, so what are people's thoughts on
termination of vpn tunnels on the firewall itself? What are the pros and cons
as you see them?

thanks in advance 
James
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


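To make the two placements in this thread concrete, here is an added example (not written by either poster) that models the effective policy of each design as a first-match packet filter in Python. Every address, address pool and service in it is constructed for illustration. Design A follows the diagram in the reply above, where the VPN engine hands decrypted traffic straight to the internal network; Design B follows the quoted suggestion of terminating tunnels on a DMZ and passing the decrypted traffic through a firewall before it reaches internal hosts.

```python
# Added example, not from the thread: a toy packet-filter model contrasting the two
# VPN-termination designs discussed above. All addresses and services are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """An inner (already decapsulated) packet as it leaves the VPN engine."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    action: str           # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First-match evaluation, the way most packet filters process a rule list."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Constructed addressing: remote-access clients get 10.8.0.0/24 inside the
# tunnel, the internal network is 10.0.0.0/16.
VPN_POOL = "10.8.0.0/24"
INTERNAL = "10.0.0.0/16"

# Design A (the diagram in the reply): the VPN engine forwards decrypted traffic
# directly onto the internal network. Tunnel authentication is the only control,
# so the effective policy is "anything from an authenticated peer, to anywhere".
DESIGN_A_RULES = [Rule(VPN_POOL, INTERNAL, "any", None, "accept")]

# Design B (the quoted message): tunnels terminate on a DMZ and the decrypted
# traffic crosses a firewall with a per-service policy before reaching internal
# hosts. The two permitted services are constructed for the example.
DESIGN_B_RULES = [
    Rule(VPN_POOL, "10.0.1.10/32", "tcp", 443, "accept"),  # intranet web server
    Rule(VPN_POOL, "10.0.1.20/32", "tcp", 993, "accept"),  # mail server, IMAPS
    Rule(VPN_POOL, INTERNAL, "any", None, "drop"),         # everything else
]


def verdicts(p: Packet) -> dict:
    """What each placement does with the same decrypted packet."""
    return {
        "A_vpn_direct_to_internal": evaluate(DESIGN_A_RULES, p),
        "B_vpn_on_dmz_then_firewall": evaluate(DESIGN_B_RULES, p),
    }


if __name__ == "__main__":
    # Constructed flows from one authenticated remote client.
    samples = [
        Packet("10.8.0.5", "10.0.1.10", "tcp", 443),   # intended use
        Packet("10.8.0.5", "10.0.1.20", "tcp", 993),   # intended use
        Packet("10.8.0.5", "10.0.2.40", "tcp", 445),   # host not meant to be reachable over the VPN
        Packet("10.8.0.5", "10.0.2.41", "tcp", 3389),  # host not meant to be reachable over the VPN
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}", verdicts(p))
```

Both designs forward the two intended flows; they differ only on traffic the tunnel's authentication says nothing about. That is the practical content of the "redundant" versus "DMZ and re-filter" disagreement: in Design A the authorization decision is made once, at tunnel setup, for the whole internal network, while in Design B it is made per destination and service, and the firewall's logs record which flows an authenticated peer attempted.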

