Firewall Wizards mailing list archives

RE: VPN concentrators


From: Patrick Darden <darden () armc org>
Date: Mon, 26 Aug 2002 10:49:44 -0400 (EDT)



On Mon, 26 Aug 2002, Schouten, Diederik (Diederik) wrote:


> Sorry, I do not agree with this.

> IPSec traffic is indeed coming from an authenticated/authorized peer, but
> that does not mean that both ends of the tunnel have similar security
> policies.

Depending on your VPN setup it can.  Many vpn switches allow you to push
security configurations upon clients.

> VPNs can be set up between companies, home users, remote locations of the
> same company, etc.

Yep.


> Therefore, unless you can control what traffic goes into the tunnel at the
> remote end, you should still firewall the traffic that comes out of the
> tunnel at your end.

Nope.  I agree that the other end should have minimum standards of
security set up--i.e. antivirus software/signature that is X days old,
firewall, yadda yadda.  However, the more important thing is not what
goes into the tunnel, but what comes out.  If you are the concentrator,
then you control what comes out without need of an extra firewall.  VPN
switches ARE firewalls.


> Else, a security mistake (breach) made by company X will therefore cause the
> same mistake (breach) at company Y.

> You can trust a trustee with the security of his own network, but never
> trust him to secure your network.

Agreed.


> Depending on the internals of the firewall, I'd say it is just as safe to
> terminate the VPN in a DMZ as it is to terminate it in the Firewall.

Agreed.  Less useful, but just as safe....


> Terminating the VPN parallel to the firewall, completely bypassing your
> Security Policy is a definite NO.

It doesn't bypass the security policy, it enforces it.



> Just my 2cts,
>
>       Diederik


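The point both posters circle around, filtering what comes out of the tunnel at your own end rather than trusting the authenticated peer, as an added example that is not from either poster: netfilter rules for a Linux gateway that itself terminates the IPsec tunnels, using the `policy` match so only decrypted tunnel traffic hits the per-peer rules. The partner subnet, internal host and port are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread). A Linux IPsec gateway can act as the
# "VPN switch that IS a firewall": the netfilter policy match selects packets
# that were just decrypted from an IPsec SA, so per-peer rules apply to what
# comes OUT of the tunnel, regardless of what the remote end lets in.
# Constructed values, not from the thread:
PARTNER_NET="10.20.0.0/16"     # remote side of the partner company's tunnel
ALLOWED_HOST="192.168.5.10"    # the only internal host the partner may reach
ALLOWED_PORT="443"             # the only service on it they may use

# vpn_ingress_rules NET HOST PORT: print the iptables commands for one peer.
vpn_ingress_rules() {
    net="$1"; host="$2"; port="$3"
    cat <<EOF
iptables -N VPN_IN
# only packets that really came out of an IPsec SA from this peer enter the chain
iptables -A FORWARD -m policy --dir in --pol ipsec -s $net -j VPN_IN
# replies to connections our side initiated
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the single service the partner is authorized for
iptables -A VPN_IN -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# anything else the peer sends through the tunnel is logged (rate limited) and dropped
iptables -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "VPN_IN drop: "
iptables -A VPN_IN -j DROP
# cleartext claiming the partner's addresses but not arriving via IPsec is spoofed
iptables -A FORWARD -s $net -m policy --dir in --pol none -j DROP
EOF
}

# rule_count NET HOST PORT: number of iptables commands generated (for checking)
rule_count() { vpn_ingress_rules "$@" | grep -c '^iptables'; }

# Print the rule set; pipe the output into sh as root on the gateway to apply it.
vpn_ingress_rules "$PARTNER_NET" "$ALLOWED_HOST" "$ALLOWED_PORT"
```

Note that the `--pol none` rule only makes sense when the partner's address range is not also used by an internal segment behind the gateway.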

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

