Firewall Wizards mailing list archives

Re: VPN endpoints


From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Wed, 25 Aug 2004 16:01:57 +0100

It really depends upon a risk assessment particular to your needs.

If you consider the remote users to be equally trusted as your internal users, the authentication provided by the VPN products to be sufficient to mitigate spoofing, and the encryption strength to be sufficient from both a crypto and end-point attack, then you can pretty much connect the VPNs to the internal LAN.

However, most organisations will view remote connections as being less trusted. This is often due to the unknown state of the remote workstation and concerns over the trust placed in the authentication mechanisms. From that perspective you'd be better off protecting the VPN end-point, and the internal LAN, by terminating the VPNs in a DMZ and restricting the access remote workstations get to the internal network.

When considering your options, think about what actual network and information access the remote users require. If it's full connectivity (as if they were local users) then you'll want to ensure that the authentication and encryption technologies meet your requirements for security.

Kev

We are planning to put a VPN endpoint at our site for remote access. We know nothing about the remote client computers, we just provide an authentication mechanism for the users. The question concerns where we put the VPN endpoint on our network.

I figure it this way: 2 VPN device interfaces, either of which can go outside the firewall, on a DMZ, or inside the firewall. That gives us 9 possible arrangements, some of which are ridiculous, but fun to consider. We came down to two configurations.

One approach is putting the internal interface on a DMZ. The other approach is to have the VPN bypass the firewall entirely. I am looking for advice on which approach is better, and reasons why.

hermit921

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd
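The two designs weighed above (VPN terminated in a DMZ with restricted access versus VPN plugged straight into the LAN) can be expressed as first-match filter policies and checked mechanically. The script below is an added example, not code from the thread or from either poster; the address plan (a 10.200.0.0/24 client pool handed out by the concentrator, a 10.10.0.0/16 internal LAN, a webmail and a DNS host) and the service list are constructed assumptions. `decide()` evaluates a single flow against a rule list with default deny, and `audit()` flags any allow rule that gives the whole remote pool unrestricted reach into the LAN, which is exactly the property the "less trusted remote users" argument wants to rule out.

```python
# Added example, not from the original post. Models the two VPN placements
# discussed in the thread as first-match packet-filter policies and checks
# what a remote client can reach. All addresses and services are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None means any port
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Constructed address plan (assumption, not taken from the thread).
VPN_POOL = "10.200.0.0/24"   # addresses the DMZ concentrator assigns to remote clients
INTERNAL = "10.10.0.0/16"    # the internal LAN
WEBMAIL = "10.10.1.25/32"    # a web mail front end remote users need
DNS = "10.10.1.53/32"        # an internal resolver

# Design 1: VPN terminated in the DMZ; remote clients limited to named services.
DMZ_TERMINATED = [
    Rule(VPN_POOL, WEBMAIL, "tcp", 443, "allow"),
    Rule(VPN_POOL, DNS, "udp", 53, "allow"),
    Rule(VPN_POOL, INTERNAL, "any", None, "deny"),  # explicit clean-up rule
]

# Design 2: VPN connected straight to the LAN, remote users treated as local.
FLAT = [
    Rule(VPN_POOL, INTERNAL, "any", None, "allow"),
]


def audit(rules: List[Rule], remote_net: str, internal_net: str) -> List[str]:
    """Report allow rules that let the whole remote pool reach the whole LAN on any port."""
    findings = []
    remote = ipaddress.ip_network(remote_net)
    internal = ipaddress.ip_network(internal_net)
    for index, rule in enumerate(rules):
        covers_remote = remote.subnet_of(ipaddress.ip_network(rule.src))
        covers_lan = internal.subnet_of(ipaddress.ip_network(rule.dst))
        if rule.action == "allow" and covers_remote and covers_lan and rule.dport is None:
            findings.append(
                f"rule {index}: remote pool {remote} reaches all of {internal} on any port"
            )
    return findings


if __name__ == "__main__":
    client = "10.200.0.7"
    for name, policy in (("DMZ-terminated", DMZ_TERMINATED), ("flat", FLAT)):
        print(name)
        print("  webmail https :", decide(policy, client, "10.10.1.25", "tcp", 443))
        print("  file server smb:", decide(policy, client, "10.10.7.9", "tcp", 445))
        print("  audit findings :", audit(policy, VPN_POOL, INTERNAL) or "none")
```

Running it shows the DMZ design allowing only the two published services and passing the audit, while the flat design allows the SMB flow and produces one finding. The same checker can be pointed at an exported real rule base once the rules are translated into `Rule` records.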
