Firewall Wizards mailing list archives

RE: Opinions on VPN?


From: "TC Wolsey" <twolsey () realtech com>
Date: Fri, 23 Apr 1999 14:12:31 -0400

The biggest problem with the first diagram is discriminating the traffic that is decrypted at the VPN from any other
inbound traffic. As you point out, the second keeps the traffic private until it is behind your security perimeter, but
then the VPN users have the run of the network on the inside interface of the firewall. If this is what you want, then
you would probably want to take cautions with the VPN device that would be similar to placing a specific service
machine on a service network (e.g. a mail relay). If you can only access the single service on the VPN host and that
service does the Right Thing only, you might sleep at night. I like the idea of putting the outside interface of the
VPN device on a service network by itself and filtering the traffic destined for the device at the firewall (only let
in ESP, IKE, maybe ICMP echo; maybe let out HTTP or LDAP for cert requests). Put the inside interface on a separate
service network on the firewall. Traffic is still private until it is in your perimeter, but the clear side traffic
must conform to your policy for VPN access, which is implemented at the firewall interface. This setup has the added
benefit of isolating the traffic that is used to manage the VPN device according to your policy as well. Some
implementations use HTTP or SNMP for management, and auditing capability on the implementations that I have worked
with is generally awful. :-(

--tcw

<Russ () cooper com> 04/22/99 09:19PM >>>
Here's my take:

The problem with a separate solution for VPN and FW is that somewhere in the
setup will be a security hole.

Internet --> VPN --> FW --> Corporate Net

If you put the VPN gateway before the firewall, then the packets are
decrypted before they are safe from hackers.

Internet --> FW --> VPN --> Corporate Net

Here the information is safely behind the firewall before it is decrypted,
but there is an open door through the FW to the VPN.

Now, if you have

Internet --> FW+VPN --> Corporate Net

The firewall can determine what packets are allowed through before and after
encryption.  Encrypted, unencrypted and decrypted packets can all be sent
through the security policy.

I think a really good solution would be the following:

Internet --> FW --> DMZ zone with VPN gateway --> 2nd FW --> corporate net

but who has money for this solution?

I realize this is a little simplistic, but am I right in my analysis?

Russ

-----Original Message-----
From: Andreas Gunnarsson [mailto:Andreas.Gunnarsson () emw ericsson se] 
Sent: Thursday, April 22, 1999 3:58 AM
To: firewall-wizards () nfr net 
Subject: RE: Opinions on VPN?


On Tue, 20 Apr 1999, dreamwvr wrote:

IMHO I have reservations about integrated VPNs in firewalls; what
are others' opinions on this.. seems to me the firewall should do
firewalling
not throw everything including the kitchen sink.. what is everyone else's
opinion here?

I agree 100%. I want a firewall that does firewalling. I want to use the
firewall to let www traffic through only from the web proxy, VPN only to
the VPN gateway, SMTP only to the mail server etc. The firewall should
take care of IP spoofing, bad IP packets and other IP-level issues,
possibly NAT etc while the proxies are configured to securely deal with
protocol issues.

The more things that are integrated into the firewall the more corners
there are for bugs to hide in. Of course, if you have a low budget and not
too high security demands it might be a good idea to put several services
in the same machine, but if you have high security demands a more modular
firewall system should be considered.

   Andreas

------------------------------------------------------------------------------
Andreas Gunnarsson                               Nat: 031-7476081
andreas.gunnarsson () emw ericsson se            Int: +46 31 7476081
http://www.dd.chalmers.se/~zzlevo/               Fax: 031-7473771
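The layout TC Wolsey describes at the top of the thread (VPN device with its encrypted interface on one service network and its cleartext interface on another, both filtered at the firewall), together with the spoofing worry behind Russ's first diagram, as an added example that is not code from any of the original posts: a small zone-based filter model in Python. The interface names, the addresses (RFC 5737 / RFC 1918 ranges), the VPN client pool and the corporate hosts are all constructed for illustration; the iptables rendering is syntax only and is never executed. Reply traffic is assumed to be handled by connection tracking and is not modelled.

```python
"""Zone-based packet-filter model of the two-service-network VPN layout.

Added example, not code from the original thread.  Interfaces, addresses
and hosts are constructed; reply traffic is left to connection tracking.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Firewall interfaces (assumed).  The VPN device straddles two service nets:
# encrypted side on VPN_OUT_DMZ, cleartext side on VPN_IN_DMZ.
OUTSIDE, VPN_OUT_DMZ, VPN_IN_DMZ, INSIDE, MGMT = "eth0", "eth1", "eth2", "eth3", "eth4"

VPN_OUTSIDE_ADDR = "203.0.113.10"   # VPN device, encrypted side (constructed)
VPN_POOL = "10.10.2.0/24"           # inner addresses handed to VPN clients
FILESERVER = "10.20.0.5"
MAIL_RELAY = "10.20.0.25"
ADMIN_HOST = "10.99.0.7"


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str                      # "esp", "udp", "tcp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule; a None field matches anything."""
    in_if: str
    out_if: str
    proto: str
    src: Optional[str] = None       # address or CIDR
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ip_address(addr) in ip_network(net, strict=False)

        return (p.in_if == self.in_if and p.out_if == self.out_if
                and p.proto == self.proto
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))

    def to_iptables(self) -> str:
        """Render as an iptables FORWARD rule (syntax only; nothing is executed)."""
        parts = ["iptables -A FORWARD", "-i", self.in_if, "-o", self.out_if]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.icmp_type:
            parts += ["--icmp-type", self.icmp_type]
        return " ".join(parts + ["-j", "ACCEPT"])


# Accept list; anything unmatched falls through to an implicit DROP.
POLICY: List[Rule] = [
    # Encrypted side: only IKE, ESP and echo requests may reach the device.
    Rule(OUTSIDE, VPN_OUT_DMZ, "udp", dst=VPN_OUTSIDE_ADDR, dport=500),
    Rule(OUTSIDE, VPN_OUT_DMZ, "esp", dst=VPN_OUTSIDE_ADDR),
    Rule(OUTSIDE, VPN_OUT_DMZ, "icmp", dst=VPN_OUTSIDE_ADDR, icmp_type="echo-request"),
    # The device may fetch certificates / CRLs over HTTP or LDAP.
    Rule(VPN_OUT_DMZ, OUTSIDE, "tcp", src=VPN_OUTSIDE_ADDR, dport=80),
    Rule(VPN_OUT_DMZ, OUTSIDE, "tcp", src=VPN_OUTSIDE_ADDR, dport=389),
    # Cleartext side: decrypted packets arrive on VPN_IN_DMZ, so the firewall
    # can tell them apart from other inbound traffic and hold them to the VPN
    # access policy instead of giving users the run of the corporate net.
    Rule(VPN_IN_DMZ, INSIDE, "tcp", src=VPN_POOL, dst=FILESERVER, dport=445),
    Rule(VPN_IN_DMZ, INSIDE, "tcp", src=VPN_POOL, dst=MAIL_RELAY, dport=25),
    # Device management (SNMP, HTTPS) only from the admin host on the mgmt net.
    Rule(MGMT, VPN_OUT_DMZ, "udp", src=ADMIN_HOST, dst=VPN_OUTSIDE_ADDR, dport=161),
    Rule(MGMT, VPN_OUT_DMZ, "tcp", src=ADMIN_HOST, dst=VPN_OUTSIDE_ADDR, dport=443),
]


def decide(p: Packet, policy: List[Rule] = POLICY) -> str:
    """First-match evaluation with an implicit final DROP."""
    return "ACCEPT" if any(r.matches(p) for r in policy) else "DROP"


if __name__ == "__main__":
    # The same SMB packet to the file server is accepted from the VPN's
    # cleartext side and dropped when it arrives straight from the Internet
    # carrying a forged VPN-pool source address.
    decrypted = Packet(VPN_IN_DMZ, INSIDE, "10.10.2.44", FILESERVER, "tcp", 445)
    forged = Packet(OUTSIDE, INSIDE, "10.10.2.44", FILESERVER, "tcp", 445)
    print("decrypted SMB:", decide(decrypted), " forged SMB:", decide(forged))
    for r in POLICY:
        print(r.to_iptables())
```

The point the model makes concrete is that the ingress interface, not the source address, is what lets the firewall separate decrypted VPN traffic from everything else: with the cleartext side on its own service network, a forged packet from the Internet claiming a VPN-pool address never matches the VPN access rules, and management protocols to the device are reachable only from the management network.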



