Firewall Wizards mailing list archives
RE: VPN concentrators
From: Patrick Darden <darden () armc org>
Date: Thu, 29 Aug 2002 08:18:03 -0400 (EDT)
7.  Adding an additional rtr doesn't really do anything security-wise.
8.  Throwing the vpn between 2 firewalls is illustrated in #1.  Throwing in
    an additional router doesn't do anything security-wise.

--
--Patrick Darden                Internetworking Manager
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center

On Thu, 29 Aug 2002, Crispin Harris wrote:

> 7.  inet--rtr---vpn---intfw--rtr(internal)
>              `-extfw-'
>
> 8.  inet--rtr--extfw-+---intfw--rtr(internal)
>                      `-vpn-'
>     (on third interface of internal firewall[1])
>
> Bear in mind that this ups both the budget and the complexity somewhat.
> To further 'up the ante', one firewall should be SPF (stateful packet
> filter, or equivalent) and the other ALG (Application Layer Gateway,
> layer 4 proxies)[2].
>
> I have had a number of clients for whom this style of architecture was
> the only appropriate[4] design.
>
> Regards,
> Crispin Harris
>
> BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a
> corporate internet gateway can include, and I have had installations
> with as many as 9 on two layers (out, in, between, web, partner,
> transaction, vpn/remote_users, dns/mail, application).
>
> [1] This is building on the concept of Separation of Security Zones[3].
>     The interface on which the VPN concentrator is terminated is also
>     home to any corporate dial-in pool, or Telco "Private IP networking"
>     services.
> [2] Most environments which require this sort of setup would also
>     require EAL4 (or equivalent) accreditations on the firewall devices.
> [3] Mind blank on the correct term, been a while, but any good book on
>     traditional security architectures should be able to explain it.
> [4] Read "Compliant".
>
> -----Original Message-----
> From: Patrick Darden [mailto:darden () armc org]
> Sent: Wednesday, August 28, 2002 10:33 PM
> To: Daniel Linder
> Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] VPN concentrators
>
> If you add up all the 2 cent disagreements with what I have stated, you
> get a good buck fifty!  Some of it was from people who misunderstood
> what was stated, but a good bit of it was made by people who understand
> the issues, and simply disagree--sometimes for obvious reasons.
>
> I think we can sum it up though (concentrating on vpn positioning):
>
> 1. inet--rtr--firewall--vpn--firewall--internal        some recommend
> 2. inet--rtr--vpn--internal                            only I recommend?
> 3. inet--rtr--vpn--firewall--internal                  many recommend
> 4. inet--rtr--firewall--vpn--dmz                       some recommend
> 5. inet--rtr--vpn--vmz                                 only I recommend?
>              --vpn--vmz          trust zones
>              --vpn--internal
>              --vpn--internal
> 6. inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
>                                                        paranoid's dream
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
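The thread's disagreement is really about which traffic crosses a firewall in each placement: does Internet traffic get inspected before it reaches the inside, does the VPN concentrator's decrypted output get inspected, and is the concentrator itself shielded from the Internet. The script below is an added example, not anything posted to the list, that encodes five of the ASCII diagrams above (1, 2, 3, 7 and 8) as small graphs and answers those three questions by enumerating every loop-free path and checking whether a firewall node sits on all of them. The node names are taken from the diagrams; treating any node whose name contains "fw" or "firewall" as an inspection point, and using "internal" for the trusted end of diagrams 7 and 8 (the diagrams say rtr(internal)), are this example's assumptions.

```python
"""Path-inspection checker for the VPN placement topologies in the thread.

Added example, not code from the list posting.  Each topology is an
undirected graph using the node names from the ASCII diagrams.  A node
whose name contains "fw" or "firewall" is treated as an inspection point
(assumption).  For a source/destination pair we ask whether EVERY simple
path between them crosses a firewall, i.e. whether no uninspected route
exists.
"""


def build_graph(links):
    """Turn a list of (a, b) links into an undirected adjacency dict."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def chain(*nodes):
    """'inet--rtr--vpn--internal' becomes a list of consecutive links."""
    return list(zip(nodes, nodes[1:]))


# Topologies numbered as in the thread.  4, 5 and 6 are left out: their
# trusted end is a DMZ / set of trust zones, or the diagram loops back to
# inet, so a single src->dst question does not describe them.
TOPOLOGIES = {
    "1": chain("inet", "rtr", "firewall1", "vpn", "firewall2", "internal"),
    "2": chain("inet", "rtr", "vpn", "internal"),
    "3": chain("inet", "rtr", "vpn", "firewall", "internal"),
    # 7: vpn and extfw sit in parallel between the border rtr and intfw
    "7": chain("inet", "rtr", "vpn", "intfw", "internal")
         + chain("rtr", "extfw", "intfw"),
    # 8: vpn hangs off extfw and lands on a third interface of intfw
    "8": chain("inet", "rtr", "extfw", "intfw", "internal")
         + chain("extfw", "vpn", "intfw"),
}


def is_firewall(node):
    """Assumed naming convention: 'intfw', 'extfw', 'firewall1', ..."""
    return "fw" in node or "firewall" in node


def simple_paths(graph, src, dst, path=None):
    """Yield every simple (loop-free) path from src to dst."""
    path = (path or []) + [src]
    if src == dst:
        yield path
        return
    for nxt in sorted(graph.get(src, ())):
        if nxt not in path:
            yield from simple_paths(graph, nxt, dst, path)


def always_inspected(graph, src, dst):
    """True iff every src->dst path passes a firewall strictly between the
    endpoints.  No path at all counts as 'not inspected' (unreachable)."""
    paths = list(simple_paths(graph, src, dst))
    if not paths:
        return False
    return all(any(is_firewall(n) for n in p[1:-1]) for p in paths)


def assess(name):
    """The three questions the thread argues about, for one topology."""
    g = build_graph(TOPOLOGIES[name])
    return {
        # is Internet traffic inspected before it reaches the inside?
        "inet_to_internal_inspected": always_inspected(g, "inet", "internal"),
        # is the concentrator's decrypted output inspected before the inside?
        "vpn_to_internal_inspected": always_inspected(g, "vpn", "internal"),
        # is the concentrator itself behind a firewall from the Internet?
        "vpn_shielded_from_inet": always_inspected(g, "inet", "vpn"),
    }


if __name__ == "__main__":
    for name in TOPOLOGIES:
        print(name, assess(name))
```

Running it shows the axis the two posters are arguing along: diagrams 1 and 8 answer yes to all three questions, diagram 7 inspects VPN output but leaves the concentrator reachable from the Internet without a firewall in front, diagram 3 likewise, and diagram 2 answers no to all three. Adding a router node to any of these chains changes none of the answers, which is the mechanical version of the "doesn't do anything security-wise" point.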