Firewall Wizards mailing list archives

Re: VPN concentrators


From: Patrick Darden <darden () armc org>
Date: Wed, 28 Aug 2002 08:33:20 -0400 (EDT)


If you add up all the 2 cent disagreements with what I have stated, you
get a good buck fifty!  Some of it was from people who misunderstood what
was stated, but a good bit of it was made by people who understand the
issues, and simply disagree--sometimes for obvious reasons.

I think we can sum it up though (concentrating on vpn positioning):

1.  inet--rtr--firewall--vpn--firewall--internal        some recommend
2.  inet--rtr--vpn--internal                            only I recommend?
3.  inet--rtr--vpn--firewall--internal                  many recommend
4.  inet--rtr--firewall--vpn--dmz                       some recommend
5.  inet--rtr--vpn--vmz                                 only I recommend?
             --vpn--vmz                                 trust zones
             --vpn--internal
             --vpn--internal
6.  inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
                                                        paranoid's dream


rtr is understood to be a bastion/edge router with appropriate acls to
stop egregious traffic such as ddos, dos, spoofs, tears, etc.

vmz is understood to be a vendor only zone, where the vendors are
responsible for the security and administration of their servers and other
machinery.

firewall, in this diagram, is understood to be a black box such as a
Checkpoint Firewall-1 that has an educated and attentive administrator.

Any that I missed?

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center
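As an added example that is not part of the original post (and not any list member's code), the following Python parses the "a--b--c" topology notation used above and classifies each layout by two properties a defender cares about: whether a firewall sits between the internet and the vpn box (shielding the device itself), and whether any firewall sits after the vpn box (so it inspects tunnel traffic once decrypted). The topology strings are transcribed from the post; the class, function and property names are my own.

```python
# Added example (not from the original post): a small model of the VPN-placement
# topologies listed above, written in the post's own "a--b--c" hop notation.
# For each layout it reports whether a firewall shields the vpn box from the
# internet and whether a firewall sees tunnel traffic after decryption.

from dataclasses import dataclass


@dataclass(frozen=True)
class Placement:
    name: str
    hops: tuple                 # hop names from "inet" onward
    vpn_shielded: bool          # a firewall sits between inet and the vpn box
    plaintext_inspected: bool   # a firewall sits after the vpn box


def analyze(name: str, topology: str) -> Placement:
    """Parse e.g. 'inet--rtr--firewall--vpn--internal' and classify the vpn hop."""
    hops = tuple(h.strip() for h in topology.split("--") if h.strip())
    if "vpn" not in hops:
        raise ValueError(f"{name}: no vpn hop in {topology!r}")
    i = hops.index("vpn")
    return Placement(
        name=name,
        hops=hops,
        vpn_shielded="firewall" in hops[:i],
        plaintext_inspected="firewall" in hops[i + 1:],
    )


# The six layouts from the post (transcribed; layout 5's extra trust-zone
# branches share the same vpn position, so only the first is listed).
TOPOLOGIES = {
    "1": "inet--rtr--firewall--vpn--firewall--internal",
    "2": "inet--rtr--vpn--internal",
    "3": "inet--rtr--vpn--firewall--internal",
    "4": "inet--rtr--firewall--vpn--dmz",
    "5": "inet--rtr--vpn--vmz",
    "6": "inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet",
}


def report(topologies=TOPOLOGIES) -> dict:
    """Classify every layout; returns {name: Placement}."""
    return {k: analyze(k, v) for k, v in topologies.items()}


if __name__ == "__main__":
    for p in report().values():
        print(f"{p.name}: vpn shielded={p.vpn_shielded}, "
              f"decrypted traffic inspected={p.plaintext_inspected}")
```

Layouts 2 and 5 are the ones where nothing inspects traffic after it leaves the tunnel, which is the crux of the disagreement the post summarises.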



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards