Firewall Wizards mailing list archives

Re: VPN concentrators


From: Daniel Linder <dan_linder () yahoo com>
Date: Tue, 27 Aug 2002 19:04:12 -0700 (PDT)

On Mon, 26 Aug 2002 scouser () paradise net nz wrote:
Off topic slightly, sorry.
Current best thinking is to terminate VPN tunnels inside an
external firewall on a DMZ, then traffic can be passed back
through this or another firewall before entering the internal
network.

Complexity can lead to vulnerabilities, so what are people's
thoughts on termination of VPN tunnels on the firewall itself?
What are the pros and cons as you see them?

--- Patrick Darden <darden () armc org> wrote:
I don't agree.  Putting authenticated and authorized traffic through a
firewall is redundant.  IPSEC traffic is trusted traffic.  A VPN is an
extension of your network--it is as trusted as any traffic internal to
your network--perhaps more, as it can be completely accounted
for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:
[Diagram of a VPN router /parallel/ to a firewall removed. --Dan]

Ok, then I'll add in my two cents to this discussion and disagree with
Mr. Darden. :)

In my network designs, I always try to incorporate a firewall with
three NICs: Outside, Inside, and DMZ.  When the VPN concentrator is put
in place, it resides in the DMZ segment.  This way I can have at least
two layers ensuring that traffic that originated at a remote location
(i.e. the VPN client computer) will first have to pass through the VPN
concentrator, and then pass through the firewall.

-- If you are on an extremely tight budget *AND* your network load is
light enough *AND* you have complete confidence in the security
awareness of your staff supporting the device, then a single
Firewall/VPN concentrator could be the answer.  (Personally, I don't
recommend this to any of my customers unless their budget constraint is
overwhelming and/or they can't/won't add another server to the mix.)

-- If you have a larger budget and a requirement to have multiple
layers of security, then a VPN which resides completely on the DMZ
might be the correct solution for you.

-- For high-usage VPNs, I would use a quasi-parallel setup.  The
outside NIC of the firewall and VPN are in parallel, but the inside
interface of the VPN terminates on the DMZ subnet.  This way the
firewall can still restrict traffic bound for the inside network, and
the only real exposure is to the DMZ servers (but this too can be
clamped down with an ACL on the VPN itself).

Dan
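The "two layers" design Dan describes (VPN concentrator on the DMZ leg of a three-NIC firewall) can be modelled as a small first-match packet policy. The Python below is an added illustration, not configuration from the post or from any particular firewall product; the address plan (inside 10.0.0.0/16, DMZ 192.0.2.0/24, concentrator at 192.0.2.10, client pool 10.99.0.0/16) and the permitted inside services (TCP 445 and 443) are constructed assumptions. It shows why a remote client's packet is checked twice: once as IKE/ESP arriving from the outside interface, and again as the decrypted packet re-entering the firewall from the DMZ interface, where it is still subject to an inside-bound policy.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan for the three-NIC firewall (assumption, not from the post).
INSIDE = ip_network("10.0.0.0/16")
DMZ = ip_network("192.0.2.0/24")
CONCENTRATOR = ip_network("192.0.2.10/32")   # VPN concentrator's address on the DMZ segment
VPN_POOL = ip_network("10.99.0.0/16")         # addresses the concentrator hands to remote clients
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    in_if: str                  # interface the packet arrives on: "outside", "dmz" or "inside"
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    in_if: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]        # None matches any protocol
    dport: Optional[int]        # None matches any port
    action: str                 # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (f.in_if == self.in_if
                and ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and (self.proto is None or f.proto == self.proto)
                and (self.dport is None or f.dport == self.dport))


# Layer 1: only the tunnel protocols may reach the concentrator from outside.
# Layer 2: decrypted client traffic arrives on the DMZ interface and is
# filtered again before it may touch the inside network.
POLICY = [
    Rule("outside", ANY, CONCENTRATOR, "udp", 500, "accept"),     # IKE
    Rule("outside", ANY, CONCENTRATOR, "udp", 4500, "accept"),    # IKE/ESP over NAT-T
    Rule("outside", ANY, CONCENTRATOR, "esp", None, "accept"),    # ESP
    Rule("dmz", VPN_POOL, INSIDE, "tcp", 445, "accept"),          # file sharing for remote users (assumed)
    Rule("dmz", VPN_POOL, INSIDE, "tcp", 443, "accept"),          # intranet web (assumed)
    Rule("dmz", VPN_POOL, INSIDE, None, None, "drop"),            # everything else from VPN clients
    Rule("outside", ANY, INSIDE, None, None, "drop"),             # nothing reaches inside without the concentrator
]


def evaluate(flow: Flow) -> str:
    """First-match evaluation with an implicit default drop, as most firewalls do."""
    for rule in POLICY:
        if rule.matches(flow):
            return rule.action
    return "drop"


def remote_client_path(client_ip: str, pool_ip: str, inside_host: str, dport: int) -> tuple:
    """The two decisions a remote user's packet must pass: the ESP packet from the
    Internet to the concentrator, then the decrypted packet from the concentrator
    (seen on the DMZ interface with a pool source address) to the inside host."""
    tunnel = evaluate(Flow("outside", client_ip, "192.0.2.10", "esp"))
    inner = evaluate(Flow("dmz", pool_ip, inside_host, "tcp", dport))
    return tunnel, inner


if __name__ == "__main__":
    # Constructed sample flows: a remote client reaching an inside file server, then telnet.
    print(remote_client_path("203.0.113.7", "10.99.0.5", "10.0.1.20", 445))  # ('accept', 'accept')
    print(remote_client_path("203.0.113.7", "10.99.0.5", "10.0.1.20", 23))   # ('accept', 'drop')
    # A packet from the Internet straight to the inside network never matches an accept rule.
    print(evaluate(Flow("outside", "203.0.113.7", "10.0.1.20", "tcp", 445)))  # drop
```

The explicit drop rule for the VPN pool is there so that denied client traffic is matched (and can be logged) as a distinct event rather than falling into the default drop; in the "quasi-parallel" variant the same inside-bound rules would be applied at the concentrator's own ACL, with the firewall still deciding what leaves the DMZ.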


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards