RE: Opinions on VPN?

[dbovee () inetsec com (David Bovee)]

I think another architecture which is fairly common is implementing a
separate VPN box in parallel with a firewall. This presents the same
security, or more, as the "kitchen sink" claim espoused below.

Personally, I think FW+VPN is a great solution for a company whose
performance and business requirements dictate these features with an
accepted performance limit. The other thing that FW+VPN solves that many of
the other solutions do not, is NAT and VPN protocol compatibility. Let me
remind you that NAT and VPN are not very friendly when they're in the same
ring...

HTH,

-David

> -----Original Message-----
> From: owner-firewall-wizards () nfr net
> [mailto:owner-firewall-wizards () nfr net]On Behalf Of Russ () cooper com
> Sent: Thursday, April 22, 1999 6:20 PM
> To: Andreas.Gunnarsson () emw ericsson se; firewall-wizards () nfr net
> Subject: RE: Opinions on VPN?
>
>
> Here's my take:
>
> The problem with a separate solution for VPN and FW is that
> somewhere in the
> setup will be a security hole.
>
> Internet --> VPN --> FW --> Corporate Net
>
> If you put the VPN gateway before the firewall, then the packets are
> decrypted before they are safe from hackers.
>
> Internet --> FW --> VPN --> Corporate Net
>
> Here the information is safely behind the firewall before it is decrypted,
> but there is an open door through the FW to the VPN.
>
> Now, if you have
>
> Internet --> FW+VPN --> Corporate Net
>
> The firewall can determine what packets are allowed through
> before and after
> encryption.  Encypted, unencrypted and decrypted packets can all be sent
> through the security policy.
>
> I think a really good solution would be the following:
>
> Internet --> FW --> DMZ zone with VPN gateway --> 2nd FW --> corporate net
>
> but who has money for this solution?
>
> I realize this is a little simplistic, but am I right in my analysis?
>
> Russ
>
> -----Original Message-----
> From: Andreas Gunnarsson [mailto:Andreas.Gunnarsson () emw ericsson se]
> Sent: Thursday, April 22, 1999 3:58 AM
> To: firewall-wizards () nfr net
> Subject: RE: Opinions on VPN?
>
>
> On Tue, 20 Apr 1999, dreamwvr wrote:
>
> > IMHO i have reservations about integrated vpns in firewalls what
> > are others opinions on this.. seems to me the firewall should do
> firewalling
> > not throw everything including the kitchen sink.. what is everyone elses
> > opinion here?
>
> I agree 100%. I want a firewall that does firewalling. I want to use the
> firewall to let www traffic through only from the web proxy, VPN only to
> the VPN gateway, SMTP only to the mail server etc. The firewall should
> take care of IP spoofing, bad IP packets and other IP-level issues,
> possibly NAT etc while the proxies are configured to securely deal with
> protocol issues.
>
> The more things that are integrated into the firewall the more corners
> there are for bugs to hide in. Of course, if you have a low budget and not
> too high security demands it might be a good idea to put several services
> in the same machine, but if you have high security demands a more modular
> firewall system should be considered.
>
>    Andreas
>
> ------------------------------------------------------------------
> ----------
> --
> Andreas Gunnarsson                                         Nat:
> 031-7476081
> andreas.gunnarsson () emw ericsson se                         Int: +46 31
> 7476081
> http://www.dd.chalmers.se/~zzlevo/                         Fax:
> 031-7473771