Firewall Wizards mailing list archives
Re: VPN concentrators
From: Patrick Darden <darden () armc org>
Date: Mon, 26 Aug 2002 10:45:00 -0400 (EDT)
I think the original poster's idea was (just to be clear): ds3 | -----|----- bastionrouter ------------- | | firewall vpn engine | | | | | firewall | | | | ----------------------- internal network In my original diagram, DOS attacks would be filtered at the bastion router. In this diagram, after the vpn engine receives and verifies and confirms packets, then they are routed through a firewall.... Redundant and useless. Let's say it is a top of the line content-inspecting, state-keeping, packet filtering firewall--how is that better than the vpn engine which does all of this and more? The vpn engine verifies and confirms and filters based on the sip, dip, state, and packet contents; and can do this on a per-user or per-group basis, thus giving different users different "levels" of access. Having this extra firewall is not useful. -- --Patrick Darden Internetworking Manager -- 706.475.3312 darden () armc org -- Athens Regional Medical Center On Mon, 26 Aug 2002, m p wrote:
--- Patrick Darden <darden () armc org> schrieb: >I don't agree. Putting authenticated and authorized traffic through a firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an extension of your network--it is as trusted as any traffic internal to your network--perhaps more, as it can be completely accounted for--remember that every packet has a confirmed sip, dip, and payload.I beg to differ. He talked about VPN - not authorized and authenticated traffic from a source he can trust 100%. Traffic via a VPN can be from different sources with different levels of trust. It can be a company or an employee or a branch office. That are 3 classes of different trustworthy. Perhaps there are more. There were some DoS-attacks against the Windows IPSEC implementation last year. There too was a DoS attack against some open source IPSEC implementation. If you can limit the addresses that connect to the termination point of your VPN it may be worth the additional layer of security. To make sure each person that logins / operate via the VPN is only allowed to see what he/she/it should see there should be a firewall behind the termination point of the VPN. Yes, traffic via VPN should be the same as normal "in-house" traffic. But the connection begin can be a problem - and if traffic via VPN is not "in-house" traffic. If you firewall the RAS users in your company you should too firewall the VPN users. Just my 2 euro cent Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Möchten Sie mit einem Gruß antworten? http://grusskarten.yahoo.de
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- RE: VPN concentrators Ofir Arkin (Aug 26)
- RE: VPN concentrators scouser (Aug 26)
- RE: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Patrick Darden (Aug 28)
- RE: VPN concentrators Ben Nagy (Aug 29)
- <Possible follow-ups>
- RE: VPN concentrators Schouten, Diederik (Diederik) (Aug 26)
- RE: VPN concentrators Patrick Darden (Aug 26)
- RE: VPN concentrators Schouten, Diederik (Diederik) (Aug 26)
- RE: VPN concentrators Crispin Harris (Aug 26)