Firewall Wizards mailing list archives

RE: VPN concentrators


From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Thu, 29 Aug 2002 11:19:49 +1000

7.  inet--rtr---vpn---intfw--rtr(internal)
             `-extfw-'
8.  inet--rtr--extfw-+---intfw--rtr(internal)
                     `-vpn-'    (on third interface of internal firewall[1])

Bear in mind that this ups both the budget and the complexity somewhat. To
further 'up the ante', one firewall should be SPF (stateful packet filter,
or equivalent) and the other ALG (Application Layer Gateway, layer 4
proxies)[2].

I have had a number of clients for whom this style of architecture was the
only appropriate[4] design.

Regards,
        Crispin Harris

BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a
corporate internet gateway can include, and I have had installations with as
many as 9 on two layers (out, in, between, web, partner, transaction,
vpn/remote_users, dns/mail, application). 

[1] This is building on the concept of Separation of Security Zones[3]. The
interface on which the VPN concentrator is terminated is also home to any
corporate dial-in pool, or Telco "Private IP networking" services.
[2] Most environments which require this sort of setup would also require
EAL4 (or equivalent) accreditations on the firewall devices.
[3] Mind blank on the correct term, been a while, but any good book on
traditional security architectures should be able to explain it.
[4] Read "Compliant".

-----Original Message-----
From: Patrick Darden [mailto:darden () armc org]
Sent: Wednesday, August 28, 2002 10:33 PM
To: Daniel Linder
Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN concentrators

If you add up all the 2 cent disagreements with what I have stated, you
get a good buck fifty!  Some of it was from people who misunderstood what
was stated, but a good bit of it was made by people who understand the
issues, and simply disagree--sometimes for obvious reasons.

I think we can sum it up though (concentrating on vpn positioning):

1.  inet--rtr--firewall--vpn--firewall--internal        some recommend
2.  inet--rtr--vpn--internal                            only I recommend?
3.  inet--rtr--vpn--firewall--internal                  many recommend
4.  inet--rtr--firewall--vpn--dmz                       some recommend
5.  inet--rtr--vpn--vmz                                 only I recommend?
             --vpn--vmz                                 trust zones
             --vpn--internal
             --vpn--internal
6.  inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
                                                        paranoid's dream
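As an added example that is not part of either message, here is a small Python model of the placements listed in this thread (Patrick's options 1 to 5 and Crispin's 7 and 8), each written as the path a remote-access tunnel takes from the internet to its destination zone; it reports which firewalls on each path see only the encrypted tunnel and which see the decrypted traffic. The node names, option labels and the `assess`/`summary` functions are constructed for this example, not taken from the thread.

```python
"""Model the VPN concentrator placements discussed in the thread.

A firewall placed *before* the concentrator on the path can only filter the
tunnel itself (peer addresses, IKE/ESP ports); a firewall placed *after* it
polices the decrypted traffic before it reaches the destination zone.
"""

FIREWALL = {"firewall", "extfw", "intfw"}   # constructed node names
VPN = "vpn"

# The thread's options, as the path VPN traffic follows (constructed).
# Option 7 routes tunnel traffic around extfw; option 8 hangs the
# concentrator off a third interface of intfw behind extfw.
OPTIONS = {
    "1 fw-vpn-fw":        ["inet", "rtr", "firewall", "vpn", "firewall", "internal"],
    "2 vpn-internal":     ["inet", "rtr", "vpn", "internal"],
    "3 vpn-fw":           ["inet", "rtr", "vpn", "firewall", "internal"],
    "4 fw-vpn-dmz":       ["inet", "rtr", "firewall", "vpn", "dmz"],
    "5 vpn-vmz":          ["inet", "rtr", "vpn", "vmz"],
    "7 vpn-intfw":        ["inet", "rtr", "vpn", "intfw", "internal"],
    "8 extfw-vpn-intfw":  ["inet", "rtr", "extfw", "vpn", "intfw", "internal"],
}


def assess(path):
    """Split the firewalls on a path into those ahead of and behind the VPN."""
    if VPN not in path:
        raise ValueError("path has no VPN concentrator")
    i = path.index(VPN)
    before = [n for n in path[:i] if n in FIREWALL]       # see encrypted tunnel only
    after = [n for n in path[i + 1:] if n in FIREWALL]    # see decrypted traffic
    return {
        "tunnel_filtered": bool(before),      # concentrator not exposed to raw internet
        "cleartext_filtered": bool(after),    # decrypted traffic policed before the zone
        "firewalls_before": before,
        "firewalls_after": after,
        "zone": path[-1],
    }


def summary(options=OPTIONS):
    """Assess every option; returns a dict keyed by option label."""
    return {name: assess(path) for name, path in options.items()}


if __name__ == "__main__":
    for name, r in summary().items():
        print(f"{name:20s} tunnel filtered={r['tunnel_filtered']!s:5s} "
              f"cleartext filtered={r['cleartext_filtered']!s:5s} -> {r['zone']}")
```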
