Security Basics mailing list archives

RE: looking for a hub or switch that can connect a VPN and apply firewall rules to all ports


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 14 Aug 2009 13:55:44 -0700

  So your clients' Internet traffic doesn't go through the VPN?
(If it did, all the ISP would see is the encrypted tunnel...)

  It sounds to me like the clients' Internet traffic is NATted
at the router, and the VPN is irrelevant.  So your choices are:

1) Police your own network so the ISP doesn't see things they 
shouldn't (*), or 

2) Purchase routable address space so each of your clients has 
their own visible address.  I'm sure the ISP will be glad to
handle the technical details in exchange for a reasonable 
monthly charge.


* - This suggestion will rub some folks the wrong way.  I'm 
guessing that this is a branch office setup with VPN back to 
HQ, and that when a client's Internet traffic prompts the ISP
to pull the plug, the whole office loses connectivity to HQ.
So if users cannot limit their use to things compatible with
the needs of the business, the business doesn't provide them
with Internet access -- or a paycheque.  Deal with it.

David Gillett
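The point above, that the ISP sees only the encrypted tunnel when client traffic is forced through the VPN, and the original request for something that puts every port behind the VPN with one set of firewall rules, can both be met on a Linux router in front of an ordinary switch. The following is an added example, not code from anyone in this thread; the interface names, LAN subnet and VPN endpoint are assumptions, and it assumes nftables and a route-based tunnel interface.

```shell
#!/bin/sh
# Added example: nftables ruleset for a Linux router that forces all LAN
# clients through the VPN tunnel, so the ISP link carries only the tunnel.
# Interface names, subnet and VPN endpoint are assumed values for illustration.

LAN_IF="${LAN_IF:-eth1}"            # switch-side interface the clients hang off
WAN_IF="${WAN_IF:-eth0}"            # ISP-facing interface (assumed static address)
TUN_IF="${TUN_IF:-tun0}"            # VPN tunnel interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # documentation address, not a real server
VPN_PORT="${VPN_PORT:-1194}"

# Emit the ruleset instead of applying it directly so it can be reviewed first.
vpn_only_ruleset() {
cat <<EOF
table inet vpnonly {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Clients may leave only via the tunnel; nothing from the LAN reaches the ISP link directly.
    iifname "$LAN_IF" oifname "$TUN_IF" ip saddr $LAN_NET accept
    iifname "$LAN_IF" oifname "$WAN_IF" counter drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
    # The router itself may use the ISP link only to build the tunnel.
    oifname "$WAN_IF" ip daddr $VPN_SERVER udp dport $VPN_PORT accept
    oifname "$WAN_IF" counter drop
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Assumed: the far end does not route the LAN subnet, so masquerade onto the tunnel.
    oifname "$TUN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Sanity check: how many rules keep traffic off the raw ISP link.
count_wan_drops() {
  vpn_only_ruleset | grep -c "oifname \"$WAN_IF\" counter drop"
}

# Apply only when root with nft present; otherwise print the ruleset for review.
apply_ruleset() {
  if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    vpn_only_ruleset | nft -f -
  else
    vpn_only_ruleset
  fi
}
```

If the tunnel drops, the forward chain's default policy drops client traffic rather than letting it fall back to the bare ISP link, which is the behaviour the thread is after.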


-----Original Message-----
From: Thomas Anderson [mailto:zelnaga () gmail com] 
Sent: Thursday, August 13, 2009 1:00 PM
To: security-basics () securityfocus com
Subject: looking for a hub or switch that can connect a VPN 
and apply firewall rules to all ports

Right now, I have maybe 10-20 computers plugged into a VPN 
enabled router.  Problem with this setup is that if one 
computer behind the router does something "bad" all the 
computers behind the router suffer the consequences if the 
ISP decides to disable the connection, temporarily or 
otherwise.  Normally, the way to work around this would be to 
just get a hub or a switch and connect through that, however, 
if that's done, all the computers would have to have VPN 
software installed on them and managing 10-20 computers is 
much more of a logistical challenge than managing one router.

The ideal solution, it seems to me, would be a switch that 
connects each port, individually, to the VPN.  If firewall 
rules could be applied universally to all ports, as well, 
that'd be helpful.

Any ideas?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who 
needs an SSL certificate.  We look at how SSL works, how it 
benefits your company and how your customers can tell if a 
site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache 
web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management 
of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

