Security Basics mailing list archives

RE: VPN architecture for POCKET PC


From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 1 Dec 2004 10:29:35 -0500

Hi Hassan,

I would place the VPN concentrator into the presentment DMZ and only
allow access to the VPN device from ANY using Protocol 50 and UDP 500.
Users connecting can get a local address from a routable address pool
within your DMZ and then have the VPN assign a routing table to allow
them to only access addresses that are on your LAN via the inside
interface on the presentment firewall. The second firewall, facing your
LAN, can then permit only the VPN pool addresses in and NAT them to
services on the inside.

Gary Freeman


-----Original Message-----
From: hassan hani [mailto:amni___ () hotmail com] 
Sent: Tuesday, November 30, 2004 1:37 PM
To: security-basics () securityfocus com
Subject: VPN architecture for POCKET PC


We have this architecture in our network


LAN -------------FW1 ----------FW2------------Internet
                               |
                               |
                              DMZ



We want to implement a VPN for use only between a server in the LAN and
the Pocket PC.

The Pocket PC should be connected to GPRS.

My question is:

Where should the VPN gateway be placed in the architecture above to
permit security?

How can we be sure that there will be no intrusion?
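
The rule sets described in the reply at the top of this message, modelled as an added example that is not part of the original thread: a default-deny check run over constructed packets. The addresses, the tcp/443 server port, and the mapping of the presentment firewall to FW2 and the LAN-facing firewall to FW1 are assumptions.

```python
import ipaddress as ip

# All addresses and the server port are constructed for this example.
GATEWAY = ip.ip_network("192.0.2.10/32")     # VPN concentrator in the DMZ
VPN_POOL = ip.ip_network("192.0.2.128/27")   # routable DMZ pool given to clients
SERVER = ip.ip_network("10.0.0.20/32")       # the one LAN server clients need
ANY = ip.ip_network("0.0.0.0/0")
ESP, TCP, UDP = 50, 6, 17                    # IP protocol numbers

# Rule = (source net, destination net, IP protocol, destination port or None).
# Outer firewall (assumed to be FW2): ESP and IKE to the concentrator only.
OUTER = [(ANY, GATEWAY, ESP, None), (ANY, GATEWAY, UDP, 500)]
# Inner firewall (assumed to be FW1): VPN pool to the server only.
# The NAT step from the reply is left out; only the permit decision is modelled.
INNER = [(VPN_POOL, SERVER, TCP, 443)]

def permits(rules, src, dst, proto, dport=None):
    """Default deny: pass only if one rule matches every field."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return any(src in s and dst in d and proto == p and port in (None, dport)
               for s, d, p, port in rules)

def audit():
    """Run constructed packets through both firewalls; True means permitted."""
    client, pool_addr, dmz_host = "203.0.113.7", "192.0.2.130", "192.0.2.20"
    return {
        "outer: ESP to gateway": permits(OUTER, client, "192.0.2.10", ESP),
        "outer: IKE udp/500 to gateway": permits(OUTER, client, "192.0.2.10", UDP, 500),
        # udp/4500 is the IPsec NAT traversal port; it is not in the stated rules.
        "outer: udp/4500 to gateway": permits(OUTER, client, "192.0.2.10", UDP, 4500),
        "outer: tcp/443 to gateway": permits(OUTER, client, "192.0.2.10", TCP, 443),
        "outer: Internet straight to LAN": permits(OUTER, client, "10.0.0.20", TCP, 443),
        "inner: pool to server": permits(INNER, pool_addr, "10.0.0.20", TCP, 443),
        "inner: pool to other LAN host": permits(INNER, pool_addr, "10.0.0.21", TCP, 443),
        "inner: DMZ host outside pool": permits(INNER, dmz_host, "10.0.0.20", TCP, 443),
    }

if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{'PERMIT' if allowed else 'DENY  '}  {name}")
```

The last check is the one that matters for the DMZ placement: a DMZ host that is not in the VPN pool gets no path through the inner firewall.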


