Firewall Wizards mailing list archives
RE: Opinions on VPN?
From: dbovee () inetsec com (David Bovee)
Date: Fri, 23 Apr 1999 19:41:10 -0700
I think another architecture which is fairly common is implementing a separate VPN box in parallel with a firewall. This presents the same security, or more, as the "kitchen sink" claim espoused below.

Personally, I think FW+VPN is a great solution for a company whose performance and business requirements dictate these features with an accepted performance limit. The other thing that FW+VPN solves that many of the other solutions do not, is NAT and VPN protocol compatibility. Let me remind you that NAT and VPN are not very friendly when they're in the same ring...

HTH,
-David

-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]On Behalf Of Russ () cooper com
Sent: Thursday, April 22, 1999 6:20 PM
To: Andreas.Gunnarsson () emw ericsson se; firewall-wizards () nfr net
Subject: RE: Opinions on VPN?

Here's my take:

The problem with a separate solution for VPN and FW is that somewhere in the setup will be a security hole.

Internet --> VPN --> FW --> Corporate Net

If you put the VPN gateway before the firewall, then the packets are decrypted before they are safe from hackers.

Internet --> FW --> VPN --> Corporate Net

Here the information is safely behind the firewall before it is decrypted, but there is an open door through the FW to the VPN.

Now, if you have

Internet --> FW+VPN --> Corporate Net

The firewall can determine what packets are allowed through before and after encryption. Encrypted, unencrypted and decrypted packets can all be sent through the security policy.

I think a really good solution would be the following:

Internet --> FW --> DMZ zone with VPN gateway --> 2nd FW --> corporate net

but who has money for this solution?

I realize this is a little simplistic, but am I right in my analysis?

Russ

-----Original Message-----
From: Andreas Gunnarsson [mailto:Andreas.Gunnarsson () emw ericsson se]
Sent: Thursday, April 22, 1999 3:58 AM
To: firewall-wizards () nfr net
Subject: RE: Opinions on VPN?

On Tue, 20 Apr 1999, dreamwvr wrote:

IMHO i have reservations about integrated vpns in firewalls what are others opinions on this.. seems to me the firewall should do firewalling not throw everything including the kitchen sink.. what is everyone else's opinion here?

I agree 100%. I want a firewall that does firewalling. I want to use the firewall to let www traffic through only from the web proxy, VPN only to the VPN gateway, SMTP only to the mail server etc.

The firewall should take care of IP spoofing, bad IP packets and other IP-level issues, possibly NAT etc while the proxies are configured to securely deal with protocol issues. The more things that are integrated into the firewall the more corners there are for bugs to hide in.

Of course, if you have a low budget and not too high security demands it might be a good idea to put several services in the same machine, but if you have high security demands a more modular firewall system should be considered.

Andreas

--
Andreas Gunnarsson                        Nat: 031-7476081
andreas.gunnarsson () emw ericsson se     Int: +46 31 7476081
http://www.dd.chalmers.se/~zzlevo/        Fax: 031-7473771