Firewall Wizards mailing list archives

RE: Opinions on VPN?


From: "Litney, Tom" <TLitney () caiso com>
Date: Tue, 20 Apr 1999 11:02:36 -0700

Hi dream,

  I incorporated a similar design in a previous incarnation.  Keep in mind
that it really depends on the business case.  The downside in this design is
that the "secret" data is in clear text on the firewall while it is being
evaluated, thereby making it available to anyone with firewall access (good
guys or bad guys).  In the banking community this information can be account
numbers and "secret" passwords.  Or in business implementations it could be
credit card information, etc.  Using the "need to know" principle, do these
folks have a need to know this information?  I struggled with this design
for a while - decrypt on the firewall or allow encrypted traffic through.
There are risks either way.  Your mileage may vary; only your business case
knows for sure.

          Tom

hi,
  great thread! to elaborate IMHO it should be done in parallel with the 
firewall. like below...


Internet -------| BastionA |-------------[ Int Net ]

               | BastionA | 
                    |
VPN-------------- VPN GW
that way all traffic going out is evaluated by the firewall, then
pours out the interface dedicated to the VPN GW where it is encrypted
and sent along its merry way. incoming, the VPN GW handles only VPN
traffic and once reverse engineered ;-) decrypted it is evaluated
by the firewall before continuing any further. the top Internet
side interface handles all other internet traffic flow, period.
well FWIW that is my opinion :-)
                                                      Regards,

dreamwvr () dreamwvr com
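As an added illustration (not part of the thread), an nftables ruleset for the firewall ("BastionA") in the parallel layout above: cleartext crosses the firewall on its way to and from the VPN GW's dedicated link, while the Internet interface carries only ordinary traffic. Interface names, addresses and permitted ports are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset for the firewall in the parallel VPN design.
# Assumed interfaces: eth0 = Internet, eth1 = internal net,
#                     eth2 = dedicated link to the VPN GW (decrypted traffic only)
define internal    = 10.0.0.0/24      # assumed internal network
define remote_site = 10.1.0.0/24      # assumed network behind the VPN peer

flush ruleset

table inet bastion {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Outbound to the VPN site: evaluated here in the clear, then handed
        # to the VPN GW over eth2, which encrypts it on its own uplink.
        iifname "eth1" oifname "eth2" ip saddr $internal ip daddr $remote_site tcp dport { 22, 443 } accept

        # Inbound from the VPN site: already decrypted by the VPN GW, arrives
        # on eth2 and is evaluated here before reaching the internal net.
        # Only the remote site's addresses are accepted on that link.
        iifname "eth2" oifname "eth1" ip saddr $remote_site ip daddr $internal tcp dport 443 accept

        # Ordinary Internet traffic uses eth0 only and never touches the VPN link.
        iifname "eth1" oifname "eth0" ip saddr $internal tcp dport { 80, 443 } accept

        # The VPN GW has its own path to its peers, so nothing crosses between
        # the Internet interface and the dedicated VPN link; log the rest.
        iifname "eth0" oifname "eth2" drop
        iifname "eth2" oifname "eth0" drop
        log prefix "bastion-fwd-drop: " drop
    }
}
```

The default-drop forward policy plus the last log rule make any traffic that tries to bypass the intended path visible in the firewall log.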
