RE: Vpn concentrator - health care client

[Meidinger Chris <chris.meidinger () badenit de>]

comments inline

> Typically the VPN Concentrator is deployed in parallel with a 
> firewall.

If you use a VPN-Concentrator, then you should definately have it in a DMZ.

> Opening ports in your firewall should be avoided when 
> possible. 

In this case, you have to open udp500 and esp anyway, so you might as well
do it right on the firewall. If someone cracks your firewall, it doesn't
matter where the vpn-concentrator was. If you are not planning on using
RADIUS or some other kind of external auth, then you might want a
concentrator as well as a firewall. If you are using external auth then it's
not too evil to use a firewall for vpn. It's not like you have to open
management ports from the outside or anything.

> If you are
> going to use the concentrator anyway, deploy it outside the firewall. 

You were right the first time, parallel to the firewall is better.

> Alternatively, you could use the 501 to host a VPN. Remote users can
> establish a VPN connection and conncet to the web app. The 
> issue with this
> is that the remote users will require the Cisco VPN client. 

That's no difference to a cisco vpn-3000 in 'normal' mode. I assumed (i
know, that's a bad habit) that the original poster wanted to do a vpn with
cisco client.

> Also is the
> trust in remote clients, i.e. Do they have antivirus, usage 
> policies, etc.
> The VPN Concentrator overcomes those issues since it creates 
> a clientless
> SSL VPN and does not expose the internal network.

Depends on deployment, most people use cisco vpn's for L2TP/IPSec. The
Juniper or CheckPoint devices are better known (in my circles) for SSL-VPN.

Cheers,

Chris