Firewall Wizards mailing list archives
Re: VPN concentrators
From: Daniel Linder <dan_linder () yahoo com>
Date: Tue, 27 Aug 2002 19:04:12 -0700 (PDT)
On Mon, 26 Aug 2002 scouser () paradise net nz wrote:
Off topic slightly, sorry. Current best thinking is to terminate VPN tunnels inside an external firewall on a DMZ, then traffic can be passed back through this or another firewall before entering the internal network. Complexity can lead to vulnerabilities, so what are people's thoughts on termination of VPN tunnels on the firewall itself? What are the pros and cons as you see them?
--- Patrick Darden <darden () armc org> wrote:
I don't agree. Putting authenticated and authorized traffic through a firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an extension of your network--it is as trusted as any traffic internal to your network--perhaps more, as it can be completely accounted for--remember that every packet has a confirmed sip, dip, and payload.
Here is the current best thinking, to my knowledge:
[Diagram of a VPN router /parallel/ to a firewall removed. --Dan]

Ok, then I'll add in my two cents to this discussion and disagree with Mr. Darden. :)

In my network designs, I always try to incorporate a firewall with three NICs: Outside, Inside, and DMZ. When the VPN concentrator is put in place, it resides in the DMZ segment. This way I can have at least two layers ensuring that traffic that originated at a remote location (i.e. the VPN client computer) will first have to pass through the VPN concentrator, and then pass through the firewall.

-- If you are on an extremely tight budget *AND* your network load is light enough *AND* you have complete confidence in the security awareness of your staff supporting the device, then a single Firewall/VPN concentrator could be the answer. (Personally, I don't recommend this to any of my customers unless their budget constraint is overwhelming and/or they can't/won't add another server to the mix.)

-- If you have a larger budget and a requirement to have multiple layers of security, then a VPN which resides completely on the DMZ might be the correct solution for you.

-- For high-usage VPNs, I would use a quasi-parallel setup. The outside NIC of the firewall and VPN are in parallel, but the inside interface of the VPN terminates on the DMZ subnet. This way the firewall can still restrict traffic bound for the inside network, and the only real exposure is to the DMZ servers (but this too can be clamped down with an ACL on the VPN itself).

Dan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
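The three-NIC design Dan describes (concentrator on the DMZ leg, decrypted client traffic filtered a second time on its way to the inside network) written out as a first-match packet-filter policy, with a small evaluator to check sample flows against it. This is an added example, not code from the mailing list or from any product mentioned in the thread; the interface names, the addressing (documentation ranges), the VPN client pool, and the two inside services the policy permits are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing (the post gives none). Firewall legs: outside / dmz / inside.
VPN_GW = "192.0.2.10"        # concentrator's address on the DMZ segment (assumed; any
                             # public routing or 1:1 NAT toward it is handled elsewhere)
VPN_POOL = "10.8.0.0/24"     # addresses the concentrator hands to remote clients (assumed)
INSIDE_NET = "10.10.0.0/16"  # internal network (assumed)
FILE_SERVER = "10.10.1.5"    # the one inside host VPN users need SMB on (assumed)


@dataclass(frozen=True)
class Flow:
    """The first packet of a connection as the firewall sees it."""
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None   # None matches any port (and port-less protocols)

    def matches(self, f: Flow) -> bool:
        return (self.in_if in ("*", f.in_if)
                and self.out_if in ("*", f.out_if)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("*", f.proto)
                and self.dport in (None, f.dport))


# First match wins, so order is the policy.
DESIGN_RULES: List[Rule] = [
    # Layer 1: the Internet reaches nothing but the concentrator, and only on
    # IKE (UDP/500), IKE NAT traversal (UDP/4500) and ESP.
    Rule("accept", in_if="outside", out_if="dmz", dst=VPN_GW, proto="udp", dport=500),
    Rule("accept", in_if="outside", out_if="dmz", dst=VPN_GW, proto="udp", dport=4500),
    Rule("accept", in_if="outside", out_if="dmz", dst=VPN_GW, proto="esp"),
    # Layer 2: decrypted client traffic re-enters from the DMZ with a pool source
    # address, and the firewall still restricts it to named inside services.
    Rule("accept", in_if="dmz", out_if="inside", src=VPN_POOL, dst=FILE_SERVER, proto="tcp", dport=445),
    Rule("accept", in_if="dmz", out_if="inside", src=VPN_POOL, dst=INSIDE_NET, proto="udp", dport=53),
    # Inside hosts may initiate connections outward.
    Rule("accept", in_if="inside", out_if="outside", src=INSIDE_NET),
    # Everything else, including other DMZ hosts talking to the inside, is dropped.
    Rule("drop"),
]


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule, dropping if none matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "drop"


if __name__ == "__main__":
    # Constructed sample flows: a remote client bringing up IPsec, then using it.
    samples = [
        Flow("outside", "dmz", "198.51.100.20", VPN_GW, "udp", 500),     # IKE: accept
        Flow("outside", "dmz", "198.51.100.20", VPN_GW, "esp"),          # ESP: accept
        Flow("dmz", "inside", "10.8.0.7", FILE_SERVER, "tcp", 445),      # SMB: accept
        Flow("dmz", "inside", "10.8.0.7", FILE_SERVER, "tcp", 3389),     # RDP: drop
        Flow("outside", "inside", "198.51.100.20", FILE_SERVER, "tcp", 445),  # bypass: drop
        Flow("dmz", "inside", "192.0.2.50", FILE_SERVER, "tcp", 445),    # other DMZ host: drop
    ]
    for f in samples:
        print(f"{f.in_if:>7} -> {f.out_if:<6} {f.src:>14} -> {f.dst}:{f.dport} {f.proto:<3} {evaluate(DESIGN_RULES, f)}")
```

The evaluator only decides the first packet of each connection; a real firewall would also track state so replies get through. The concentrator's own authentication and per-user ACL, which Dan counts as the first of the two layers, sit outside this model: the point the policy makes is that even a fully authenticated client arriving from the DMZ gets nothing on the inside beyond what the firewall explicitly lists.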