Firewall Wizards mailing list archives
RE: VPN concentrators
From: "Ben Nagy" <ben () iagu net>
Date: Thu, 29 Aug 2002 09:34:10 +0200
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Patrick Darden
[...]
If you add up all the 2 cent disagreements with what I have stated, you get a good buck fifty! Some of it was from people who misunderstood what was stated, but a good bit of it was made by people who understand the issues, and simply disagree--sometimes for obvious reasons. I think we can sum it up though (concentrating on vpn positioning):
[...] This thread is one of the regulars, and I think that a fairly strong idea of the usual opinions has been shown up again. I summarise the setups a bit differently, and just look at what's before and after the VPN gateway. If you're mad, you'll put fiddly bits before, like extra firewalls, blah, blah blah. There usually isn't very spirited argument with the assertion that a firewall can't do very much at all useful to filter traffic before it hits the VPN box. Your basic bastion router idea is all that would ever be required, because if it can't be detected by a simple packet filter then it's too much work to worry about it - the VPN box will drop it, and do so with crypto acceleration.

Putting bits after is often recommended, and people have a million ideas about where to plug those little blue cables. Connecting the inside of the VPN box straight to the internal network makes some sense if you completely trust all users that have authenticated to the VPN box, such as a "normal" corporate RAS replacement. All the other mad scientist schemes (connecting to another interface on the fw, having a new firewall, running each packet through to the mail room so that it can be printed out and date stamped etc etc etc) arise from varying degrees of paranoia, which should be properly matched to the varying degrees of distrust in the VPN users.

Essentially, it can't cost; and my _personal_ favourite is nothing before and using a spare FW interface after, even for fully trusted schemes - you can always enforce no rules to start with, but you have the capability of adding some later. I really don't like terminating VPN traffic in a "normal" multipurpose DMZ, though. That's just shopping for trouble. VPN traffic should have its own interface/firewall/"load balanced security gateway solution".
In fact, when doing assessment or designs I internally parse down to only three of the many drawings you summarised with:

net--vpn--internal == OK for fully trusted
net--vpn--firewall == Better for flexible policy
net--spaghetti--vpn--spaghetti-internal == Fancypants lunacy that probably looked good on a whiteboard
rtr is understood to be a bastion/edge router with appropriate acls to stop egregious traffic such as ddos, dos, spoofs, tears, etc.
[...]
--
--Patrick Darden
Internetworking Manager
706.475.3312
darden () armc org
Athens Regional Medical Center
Cheers,
--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
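The two filtering positions argued over in this thread (a bastion router ACL in front of the VPN box versus a dedicated firewall interface behind it), as an added example that is not part of the original post or of any product mentioned in it. The model is a small packet-filter simulation: addresses (203.0.113.10, 198.51.100.7, 10.0.0.0/24), the "staff" and "contractor" user groups, the rule tables and every packet are constructed for the illustration. The point it shows is why the edge ACL can do no more than admit IKE, NAT-T and ESP to the gateway (it only sees the outer header and ciphertext), while the interface behind the gateway sees the decrypted packet plus the authenticated identity and can carry per-user policy, starting from "no rules" for a fully trusted scheme and tightening later.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed addressing for the example (RFC 5737 documentation ranges, not real hosts).
VPN_OUTSIDE = "203.0.113.10"   # public side of the VPN gateway
INTERNAL_PREFIX = "10.0.0."     # internal network behind the gateway
ESP, TCP, UDP = 50, 6, 17
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    # Only known on the inside interface, after the gateway has decrypted the
    # tunnel and authenticated the peer; the edge router never sees this.
    user_group: Optional[str] = None


def edge_acl(pkt: Packet) -> bool:
    """Bastion/edge router ACL in front of the VPN box.

    Only the outer header is visible and the payload is ciphertext, so the
    useful work is: drop spoofed internal sources, then admit IKE, NAT-T and
    ESP addressed to the gateway and nothing else.  Anything that slips past
    this is dropped by the gateway itself (with crypto acceleration)."""
    if pkt.src.startswith(INTERNAL_PREFIX):      # anti-spoof: internal src from outside
        return False
    if pkt.dst != VPN_OUTSIDE:
        return False
    if pkt.proto == ESP:
        return True
    return pkt.proto == UDP and pkt.dport in (IKE_PORT, NAT_T_PORT)


# Rule = (user_group or "*", dst host/prefix or "*", proto or "*", dport or "*").
# First match wins; implicit deny at the end.
FULLY_TRUSTED = [("*", "*", "*", "*")]            # RAS replacement: no rules yet
MIXED_TRUST = [
    ("staff",      INTERNAL_PREFIX, "*", "*"),    # trusted users: anything internal
    ("contractor", "10.0.0.5",      TCP, 22),     # contractors: SSH to one jump host
]


def _match(field, want) -> bool:
    if want == "*":
        return True
    if isinstance(want, str) and want.endswith("."):   # prefix rule such as "10.0.0."
        return isinstance(field, str) and field.startswith(want)
    return field == want


def vpn_interface_policy(pkt: Packet, rules) -> bool:
    """Policy on the dedicated firewall interface behind the gateway.

    The decrypted inner packet and the authenticated identity are visible
    here, so the rules can be matched to how much each class of user is
    trusted, and tightened later without touching the edge."""
    for group, dst, proto, dport in rules:
        if (_match(pkt.user_group, group) and _match(pkt.dst, dst)
                and _match(pkt.proto, proto) and _match(pkt.dport, dport)):
            return True
    return False


def demo():
    """Constructed packets for both positions; returns the two decision tables."""
    remote = "198.51.100.7"                      # assumed remote VPN peer
    outer = {
        "ike_to_gateway":  edge_acl(Packet(remote, VPN_OUTSIDE, UDP, IKE_PORT)),
        "natt_to_gateway": edge_acl(Packet(remote, VPN_OUTSIDE, UDP, NAT_T_PORT)),
        "esp_to_gateway":  edge_acl(Packet(remote, VPN_OUTSIDE, ESP)),
        "ssh_to_gateway":  edge_acl(Packet(remote, VPN_OUTSIDE, TCP, 22)),
        "esp_to_internal": edge_acl(Packet(remote, "10.0.0.5", ESP)),
        "spoofed_internal": edge_acl(Packet("10.0.0.9", VPN_OUTSIDE, ESP)),
    }
    inner = {
        "staff_smb":      vpn_interface_policy(Packet("10.8.0.2", "10.0.0.20", TCP, 445, "staff"), MIXED_TRUST),
        "contractor_ssh": vpn_interface_policy(Packet("10.8.0.3", "10.0.0.5", TCP, 22, "contractor"), MIXED_TRUST),
        "contractor_smb": vpn_interface_policy(Packet("10.8.0.3", "10.0.0.20", TCP, 445, "contractor"), MIXED_TRUST),
        "contractor_smb_no_rules": vpn_interface_policy(Packet("10.8.0.3", "10.0.0.20", TCP, 445, "contractor"), FULLY_TRUSTED),
    }
    return outer, inner


if __name__ == "__main__":
    outer, inner = demo()
    for table, name in ((outer, "edge ACL"), (inner, "VPN-side interface")):
        print(name)
        for key, verdict in table.items():
            print(f"  {key:24s} {'ACCEPT' if verdict else 'DROP'}")
```

Swapping MIXED_TRUST for FULLY_TRUSTED on the inside interface is the "enforce no rules to start with" case; the edge ACL is unchanged either way, which is the reason for keeping the two positions separate rather than piling firewalls in front of the gateway.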