Firewall Wizards mailing list archives
RE: Opinions on VPN?
From: "TC Wolsey" <twolsey () realtech com>
Date: Fri, 23 Apr 1999 14:12:31 -0400
The biggest problem with the first diagram is discriminating the traffic that is decrypted at the VPN from any other inbound traffic. As you point out, the second keeps the traffic private until it is behind your security perimeter, but then the VPN users have the run of the network on the inside interface of the firewall. If this is what you want, then you would probably want to take cautions with the VPN device that would be similar to placing a specific service machine on a service network. (eg. a mail relay) If you can only access the single service on the VPN host and that service does the Right Thing only, you might sleep at night. I like the idea of putting the outside interface of the VPN device on a service network by itself and filtering the traffic destined for the device at the firewall (only let in ESP, IKE, maybe ICMP echo; maybe let out HTTP or LDAP for cert requests). Put the inside interface on a separate service network on the firewall. Traffic is still priva! te until it is in your perimeter, but the clear side traffic must conform to your policy for VPN access which is implemented at the firewall interface. This setup has the added benefit of isolating the traffic that is used to manage the VPN device according to your policy as well. Some implementations use HTTP or SNMP for management, and auditing capability on the implementations that I have worked with is generally awful. :-( --tcw
<Russ () cooper com> 04/22/99 09:19PM >>>
Here's my take: The problem with a separate solution for VPN and FW is that somewhere in the setup will be a security hole. Internet --> VPN --> FW --> Corporate Net If you put the VPN gateway before the firewall, then the packets are decrypted before they are safe from hackers. Internet --> FW --> VPN --> Corporate Net Here the information is safely behind the firewall before it is decrypted, but there is an open door through the FW to the VPN. Now, if you have Internet --> FW+VPN --> Corporate Net The firewall can determine what packets are allowed through before and after encryption. Encypted, unencrypted and decrypted packets can all be sent through the security policy. I think a really good solution would be the following: Internet --> FW --> DMZ zone with VPN gateway --> 2nd FW --> corporate net but who has money for this solution? I realize this is a little simplistic, but am I right in my analysis? Russ -----Original Message----- From: Andreas Gunnarsson [mailto:Andreas.Gunnarsson () emw ericsson se] Sent: Thursday, April 22, 1999 3:58 AM To: firewall-wizards () nfr net Subject: RE: Opinions on VPN? On Tue, 20 Apr 1999, dreamwvr wrote:
IMHO i have reservations about integrated vpns in firewalls what are others opinions on this.. seems to me the firewall should do
firewalling
not throw everything including the kitchen sink.. what is everyone elses opinion here?
I agree 100%. I want a firewall that does firewalling. I want to use the firewall to let www traffic through only from the web proxy, VPN only to the VPN gateway, SMTP only to the mail server etc. The firewall should take care of IP spoofing, bad IP packets and other IP-level issues, possibly NAT etc while the proxies are configured to securely deal with protocol issues. The more things that are integrated into the firewall the more corners there are for bugs to hide in. Of course, if you have a low budget and not too high security demands it might be a good idea to put several services in the same machine, but if you have high security demands a more modular firewall system should be considered. Andreas ---------------------------------------------------------------------------- -- Andreas Gunnarsson Nat: 031-7476081 andreas.gunnarsson () emw ericsson se Int: +46 31 7476081 http://www.dd.chalmers.se/~zzlevo/ Fax: 031-7473771
Current thread:
- RE: Opinions on VPN?, (continued)
- RE: Opinions on VPN? Dendeni, Iyes (Apr 21)
- RE: Opinions on VPN? Litney, Tom (Apr 21)
- RE: Opinions on VPN? Russ (Apr 21)
- Re: Opinions on VPN? Rodney van den Oever (Apr 22)
- RE: Opinions on VPN? Russ (Apr 23)
- RE: Opinions on VPN? David Bovee (Apr 24)
- RE: Opinions on VPN? dreamwvr (Apr 25)
- RE: Opinions on VPN? David Bovee (Apr 24)
- Re: Opinions on VPN? Robert Graham (Apr 24)
- Re: Opinions on VPN? myles (Apr 29)
- Re: Opinions on VPN? Joseph S D Yao (Apr 29)
- Re: Opinions on VPN? myles (Apr 29)
- RE: Opinions on VPN? TC Wolsey (Apr 24)