RE: VPN concentrators

[Patrick Darden <darden () armc org>]

7.  Adding an additional rtr doesn't really do anything security-wise
8.  throwing the vpn between 2 firewalls is illustrated in #1.  Throwing
in an additional router doesn't do anything security-wise.

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Thu, 29 Aug 2002, Crispin Harris wrote:

> 7.  inet--rtr---vpn---intfw--rtr(internal)
>              `-extfw-'
> 8.  inet--rtr--extfw-+---intfw--rtr(internal)
>                      `-vpn-'    (on third interface of internal firewall[1])
>
> Bear in mind that this up's both the budget and the complexity somewhat. To
> further 'up the ante', one firewall should be SPF (stateful packet filter,
> or equivalent) and the other ALG (Application Layer Gateway, layer 4
> proxies)[2]. 
>
> I have had a number of clients for whom this style of architecture was the
> only appropriate[4] design.
>
> Regards,
>       Crispin Harris
>
> BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a
> corporate internet gateway can include, and I have had installations with as
> many as 9 on two layers (out, in, between, web, partner, transaction,
> vpn/remote_users, dns/mail, application). 
>
> [1] This is building on the concept of Separation of Security Zones[3]. The
> interface on which the VPN concentrator is terminated is also home to any
> corporate dial-in pool, or Telco "Private IP networking" services.
> [2] Most environments which require this sort of setup would also require
> EAL4 (or equivalent) accreditations on the firewall devices.
> [3] Mind blank on the correct term, been a while, but any good book on
> traditional security architectures should be able to explain it.
> [4] Read "Compliant".
>
> -----Original Message-----
> From: Patrick Darden [mailto:darden () armc org]
> Sent: Wednesday, August 28, 2002 10:33 PM
> To: Daniel Linder
> Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] VPN concentrators
>
>
>
> If you add up all the 2 cent disagreements with what I have stated, you
> get a good buck fifty!  Some of it was from people who misunderstood what
> was stated, but a good bit of it was made by people who understand the
> issues, and simply disagree--sometimes for obvious reasons.
>
> I think we can sum it up though (concentrating on vpn positioning):
>
> 1.  inet--rtr--firewall--vpn--firewall--internal      some recommend
> 2.  inet--rtr--vpn--internal                          only I recommend?
> 3.  inet--rtr--vpn--firewall--internal                        many recommend
> 4.  inet--rtr--firewall--vpn--dmz                     some recommend
> 5.  inet--rtr--vpn--vmz                                       only I recommend?
>              --vpn--vmz                                 trust zones
>              --vpn--internal
>              --vpn--internal
> 6.  inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet
>                                                       paranoid's dream

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards