Firewall Wizards mailing list archives

Placement of a VPN Appliance


From: "Crist Clark" <crist.clark () globalstar com>
Date: Wed, 03 Jan 2001 16:20:31 -0800

Hypothetically:

You've got your wiz-bang-neato firewall machine. You've got a slick, new
VPN appliance. The vendor literature assumes that your VPN appliance, which
has a "public" and "private" interface, will be living on your border with
the public interface naked (or nearly so) on the 'Net and the private 
interface on your internal network. But we've already got a wiz-bang-neato
firewall. Assuming we trust the incoming VPN users (don't go there yet),
what would be wrong with putting a VPN appliance completely within your
border? For our VPN needs, we allow IPsec (proto 50 and 51) and ISAKMP 
(500/udp)[0] to the IP of the VPN appliance. There seems to be little risk 
in allowing this one stream of traffic into our network (as for what 
happens once the streams are unencrypted at the end of the tunnel...).

The primary "pros" of this setup are,

  - We still only have one machine to worry about living naked on the 'Net.
  - Easier conversion from our current setup since we do not need to 
    change connectivity of our border.

The major "cons" are,

  - Once a VPN user is authenticated and in, he or she is in. However,
    this is how the present VPN solution works, so it is status quo.
  - The VPN appliance expects to be on a border for some reason, and 
    this configuration confuses it.

To me, the best idea would be to put the public interface of the VPN
on the Internet and hook the private interface directly to an unused
interface on the firewall. However, distrust of VPN users shared 
by most security personnel is not shared by all network administrators
so the firewall restrictions one is allowed to put on the incoming VPN users 
might be so weak as to be pointless. In that case, I would rather put
the whole appliance behind the firewall so one less box is exposed.

My real question comes back to the vendor's assumption that the VPN
device will be on a border. Is there some obvious reason I am missing
why putting the "public" interface behind the firewall on the private
net is bad? As I mentioned, the firewall will allow the traffic required 
by IPsec tunnels only to that one IP, so the rest of the network is put 
at little risk from that traffic. The real security concern from my point 
of view is what happens to the data in the VPN box and what comes out 
the private interface. If the private interface is naked on your internal
network, either configuration has the same exposure to authenticated
external users. Hiding the public interface behind the firewall just
adds an extra layer of protection should a vulnerability in the 
VPN appliance exist. So, why doesn't the vendor support that?

I am trying to decide which setup to fight for if I can't get my wish
to put some real filters between the authenticated users and the 
naked internal network. Thanks for any opinions.

[0] Oh, and there is that complete abomination of UDP encapsulated
IPsec we'll probably have to let through.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
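The two rule sets discussed in the post, as an added example that is not part of the original message or any vendor's documentation: a small first-match packet filter models (1) the border rule that lets only ESP (IP protocol 50), AH (51) and ISAKMP (UDP/500) reach the single VPN appliance address, dropping everything else inbound, and (2) the filtering the writer would like between the appliance's private interface and the internal network when that interface hangs off its own firewall leg. Every address, the UDP-encapsulation port (4500) and the sample packets are assumptions constructed for illustration.

```python
"""Added example (not from the original post): a first-match packet filter
modelling the border and VPN-leg rule sets. Addresses, the UDP encapsulation
port and all sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ESP, AH, TCP, UDP = 50, 51, 6, 17
ISAKMP_PORT = 500
UDP_ENCAP_PORT = 4500           # assumed port for UDP-encapsulated IPsec (footnote [0])

VPN_APPLIANCE = "192.0.2.10"    # assumed address of the appliance's "public" interface
OTHER_HOST = "192.0.2.20"       # assumed address of some other host behind the border
VPN_POOL = "10.99.0.0/16"       # assumed address pool handed to authenticated VPN users
INTERNAL_NET = "10.1.0.0/16"    # assumed internal network
MAIL_SERVER = "10.1.0.25"       # assumed internal host VPN users are permitted to reach


def in_net(addr: str, net: str) -> bool:
    """True if addr lies in net (a host address or a CIDR block)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "drop"
    proto: Optional[int] = None   # None matches any IP protocol
    src: Optional[str] = None     # host or CIDR; None matches any
    dst: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or in_net(pkt.src, self.src))
                and (self.dst is None or in_net(pkt.dst, self.dst))
                and (self.dport is None or self.dport == pkt.dport))


# Rule set 1: inbound at the border with the whole appliance behind the firewall.
BORDER_INBOUND = [
    Rule("allow", ESP, dst=VPN_APPLIANCE, comment="IPsec ESP, appliance only"),
    Rule("allow", AH, dst=VPN_APPLIANCE, comment="IPsec AH, appliance only"),
    Rule("allow", UDP, dst=VPN_APPLIANCE, dport=ISAKMP_PORT, comment="ISAKMP key exchange"),
    Rule("allow", UDP, dst=VPN_APPLIANCE, dport=UDP_ENCAP_PORT,
         comment="UDP-encapsulated IPsec (assumed port)"),
    Rule("drop", comment="default deny: nothing else inbound"),
]

# Rule set 2: the appliance's private interface on its own firewall leg, so the
# decrypted traffic from authenticated users is filtered before it reaches the LAN.
VPN_LEG_TO_INTERNAL = [
    Rule("allow", TCP, src=VPN_POOL, dst=MAIL_SERVER, dport=143, comment="IMAP to mail server"),
    Rule("allow", TCP, src=VPN_POOL, dst=MAIL_SERVER, dport=25, comment="SMTP to mail server"),
    Rule("drop", src=VPN_POOL, dst=INTERNAL_NET, comment="VPN users get nothing else"),
    Rule("drop", comment="default deny"),
]


def filter_packet(pkt: Packet, rules) -> Tuple[str, str]:
    """First-match evaluation: the action and comment of the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "drop", "no rule matched"   # unreachable while a final default-deny rule exists


def border_allows(pkt: Packet) -> bool:
    return filter_packet(pkt, BORDER_INBOUND)[0] == "allow"


def vpn_leg_allows(pkt: Packet) -> bool:
    return filter_packet(pkt, VPN_LEG_TO_INTERNAL)[0] == "allow"


# Constructed sample traffic as the border would see it from an Internet host.
BORDER_SAMPLES = {
    "esp_to_appliance":    Packet("198.51.100.7", VPN_APPLIANCE, ESP),
    "isakmp_to_appliance": Packet("198.51.100.7", VPN_APPLIANCE, UDP, ISAKMP_PORT),
    "esp_to_other_host":   Packet("198.51.100.7", OTHER_HOST, ESP),        # right protocol, wrong host
    "ssh_to_appliance":    Packet("198.51.100.7", VPN_APPLIANCE, TCP, 22),  # right host, wrong service
}


def summarize(samples, rules) -> dict:
    """Map each sample name to the action the rule set takes on it."""
    return {name: filter_packet(pkt, rules)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in BORDER_SAMPLES.items():
        action, why = filter_packet(pkt, BORDER_INBOUND)
        print(f"{name:22s} {action:5s} ({why})")
```

The border set is what the post describes: the same ESP packet that is allowed to the appliance is dropped when aimed at any other host, and a non-IPsec packet to the appliance itself is dropped. The second set is the "real filters" the writer would rather have; without it, the private interface sits naked on the internal network and the pool would need only the first two rules replaced by an allow-all.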