Firewall Wizards mailing list archives
RE: VPN concentrators
From: Patrick Darden <darden () armc org>
Date: Mon, 26 Aug 2002 10:49:44 -0400 (EDT)
On Mon, 26 Aug 2002, Schouten, Diederik (Diederik) wrote:
> Sorry, I do not agree with this. IPSec traffic is indeed coming from an authenticated/authorized peer, but that does not mean that both ends of the tunnel have similar security policies.

Depending on your VPN setup it can. Many VPN switches allow you to push security configurations upon clients.

> VPNs can be set up between companies, home users, remote locations from the same company etc.

Yep.

> Therefore, unless you can control what traffic goes into the tunnel at the remote end, you should still firewall the traffic that comes out of the tunnel at your end.

Nope. I agree that the other end should have minimum standards of security set up--i.e. antivirus software/signature that is X days old, firewall, yadda yadda. However, the more important thing is not what goes into the tunnel, but what comes out. If you are the concentrator, then you control what comes out without need of an extra firewall. VPN switches ARE firewalls.

> Else, a security mistake (breach) made by company X will therefore cause the same mistake (breach) at company Y. You can trust a trustee with the security of his own network, but never trust him to secure your network.

Agreed.

> Depending on the internals of the firewall, I'd say it is just as safe to terminate the VPN in a DMZ as it is to terminate it in the Firewall.

Agreed. Less useful, but just as safe....

> Terminating the VPN parallel to the firewall, completely bypassing your Security Policy is a definite NO.

It doesn't bypass the security policy, it enforces it.

> Just my 2cts, Diederik