Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: VPN concentrators

From: Patrick Darden <darden () armc org>
Date: Tue, 27 Aug 2002 08:11:53 -0400 (EDT)

Well, if it is remote pc---->network connections, then you can control the
end user's security pretty securely.  Simply have a remote network access
policy that states a minimum security allowance, and have your vpn client
check for these before allowing a tunnel.  Something like: Norton Internet
Security with an update within the last 7 days; or black ice plus
kaspersky; etc.  If your client can't check for these things, then you
could write a wrapper to check for them on the hard drive easily enough,
or check the registry to see if they are installed and "on".



--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Tue, 27 Aug 2002 scouser () paradise net nz wrote:


OK some but not all answers
It is for remote users, so it would be Client to Device (initially :P)
So users would be employees. (totally untrsutworthy :P)
Client software would probably depend on Device as a number of beneficial
features can be used if you match the client to the device (personal firewalls,
autmated upgrading of clients etc...)
users would be about 250 initially but up to 4000 potentially in the future.
availability would be an issue but this would be dealt with by the architecture
design and would not be dependant on the solution.
Management I would presume would depend on the device, ie LSMS for a brick etc...
Central managament is an important issue however.


Not sure what you mean by access control? Do you mean to internal resources? If
VPN traffic could be split inot different network pools then internal NIDS, and
ACLs could manage this (along with obvious host/resource access controls)

What are tehses mysterious "IPSEC issues" that we are all aware of ( or perhaps
not in my case) ??


James

Quoting Ofir Arkin <ofir () sys-security com>:


All,

No one even looked at a number of other critical questions:

- Is this a Device to Device VPN?
- Is this a Client to Device VPN?
- Both?
- What information needs to go through that VPN?
- Who uses the VPN? Trusted entity? Your grand mother?
- What is that trusted entity's security?
- Can we trust it? (of course not)
- What is the client software used (shame on you all not mentioning
that
:P) 
- IPSEC - there are a number of issues here to remind you all.
- Management
- Access Controls
- Number of users using the VPN
- Availability issues 
- Etc.

People should look at the bigger picture and not at the box. 
The bigger pictures than will tell us what boxes you can, or cannot
use.

By the way - a VPN is not a firewall...
The encrypted traffic hitting the VPN must be validated after
decryption
is performed... This is the reason why, sometimes, a VPN+Firewall in
one
box (e.g. checkpoint) will be a good solution, or a
firewall-VPN-firewall "sandwich" will be also used.
 

Just my 2c.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admi n () honor icsalabs com] On Behalf Of
Patrick
Darden
Sent: 26 August 2002 15:52
To: Dave Piscitello
Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN concentrators


Actually, what you describe is only slightly different from what I
describe. I can't really think of any differences, except that yours
may
cost less but possibly provide less performance....

--
--Patrick Darden Internetworking Manager 
-- 706.475.3312 darden () armc org
-- Athens Regional Medical Center


On Mon, 26 Aug 2002, Dave Piscitello wrote:


Goes to show you that "best thinking" is subjective.

Firewall appliances with crypto acceleration for IPsec and an

optional/DMZ 

port satisfy most site requirements without all the extra hardware, 
addressing/subnetting, and routing issues (how you return IPsec

traffic 

when you have FW and VPN appliance in parallel isn't a simple

"default


gateway is the firewall" config on the internal network). You also

don't 

have to manage policy across multiple systems with multiple UIs, and

you 

don't have to deal with multiple sources of logging and reporting of

policy 

violations.

I'm happy with this arrangement.

At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:

Here is the current best thinking, to my knowledge:

ds3 to internet
|
|
---------------
Bastion Router|
---------------
| |
| \
firewall \
| vpn engine
| |
==================
internal network |
==================



David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards


____________________________________ ___________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards
 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: