Firewall Wizards mailing list archives
Placement of a VPN Appliance
From: "Crist Clark" <crist.clark () globalstar com>
Date: Wed, 03 Jan 2001 16:20:31 -0800
Hypothetically: You've got your wiz-bang-neato firewall machine. You've got a slick, new VPN appliance. The vendor literature assumes that your VPN appliance, which has a "public" and "private" interface, will be living on your border with the public interface naked (or nearly so) on the 'Net and the private interface on your internal network. But we've already got a wiz-bang-neato firewall.

Assuming we trust the incoming VPN users (don't go there yet), what would be wrong with putting a VPN appliance completely within your border? For our VPN needs, we allow IPsec (proto 50 and 51) and ISAKMP (500/udp)[0] to the IP of the VPN appliance. There seems to be little risk in allowing this one stream of traffic into our network (as for what happens once the streams are unencrypted at the end of the tunnel...).

The primary "pros" of this setup are,

- We still only have one machine to worry about living naked on the 'Net.
- Easier conversion from our current setup since we do not need to change connectivity of our border.

The major "cons" are,

- Once a VPN user is authenticated and in, he or she is in. However, this is how the present VPN solution works, so it is status quo.
- The VPN appliance expects to be on a border for some reason, and this configuration confuses it.

To me, the best idea would be to put the public interface of the VPN on the Internet and hook the private interface directly to an unused interface on the firewall. However, the distrust of VPN users shared by most security personnel is not shared by all network administrators, so the firewall restrictions one is allowed to put on the incoming VPN users might be so weak as to be pointless. In that case, I would rather put the whole appliance behind the firewall so one less box is exposed.

My real question comes back to the vendor's assumption that the VPN device will be on a border. Is there some obvious reason I am missing why putting the "public" interface behind the firewall on the private net is bad?

As I mentioned, the firewall will allow the traffic required by IPsec tunnels only to that one IP, so the rest of the network is put at little risk from that traffic. The real security concern from my point of view is what happens to the data in the VPN box and what comes out the private interface. If the private interface is naked on your internal network, either configuration has the same exposure to authenticated external users. Hiding the public interface behind the firewall just adds an extra layer of protection should a vulnerability in the VPN appliance exist. So, why doesn't the vendor support that?

I am trying to decide which setup to fight for if I can't get my wish to put some real filters between the authenticated users and the naked internal network.

Thanks for any opinions.

[0] Oh, and there is that complete abomination of UDP encapsulated IPsec we'll probably have to let through.

--
Crist J. Clark
Network Security Engineer
crist.clark () globalstar com
Globalstar, L.P.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
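The two placements the post weighs can be written down as firewall policies and checked against sample packets. The following is an added example, not code from the original message or from any vendor. It models a first-match, default-deny border filter: in the "appliance completely within the border" option the firewall admits only ESP (proto 50), AH (proto 51) and ISAKMP (udp/500) to the appliance's address, and never sees the decrypted traffic that leaves the private interface; in the "private interface on a spare firewall interface" option the decrypted traffic arrives on a third interface and is filtered before it reaches the LAN. All addresses, the interface names and the list of permitted internal services are constructed placeholders. The udp/4500 entry is an assumption on my part: it is the RFC 3948 NAT-Traversal port that carries the UDP-encapsulated IPsec the footnote mentions, and is not stated in the post.

```python
"""Model of the two VPN-appliance placements discussed in the post.

Added example; not part of the original mailing-list message. Protocol
numbers ESP=50, AH=51 and port udp/500 come from the post; udp/4500 is the
RFC 3948 NAT-T port (assumption). Addresses and services are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ESP, AH, TCP, UDP = 50, 51, 6, 17          # IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500        # udp/500 (post), udp/4500 (assumed NAT-T)

INTERNAL_NET = ip_network("10.20.0.0/16")  # constructed internal network
VPN_APPLIANCE = ip_address("10.20.1.5")    # constructed: appliance "public" interface
MAIL_SERVER = ip_address("10.20.2.10")     # constructed: an internal service host


@dataclass(frozen=True)
class Packet:
    ingress: str                 # firewall interface the packet arrives on
    proto: int                   # IP protocol number
    dst: IPv4Address
    dport: Optional[int] = None  # None for portless protocols (ESP, AH)


@dataclass(frozen=True)
class Rule:
    ingress: str
    proto: Optional[int]         # None = any protocol
    dst: IPv4Network             # destination prefix
    dport: Optional[int]         # None = any port
    action: str                  # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.ingress == p.ingress
                and (self.proto is None or self.proto == p.proto)
                and p.dst in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def ipsec_to_appliance(appliance: IPv4Address) -> List[Rule]:
    """Only the IPsec control and data protocols, and only to the one appliance address."""
    host = ip_network(f"{appliance}/32")
    return [
        Rule("outside", ESP, host, None, "allow"),
        Rule("outside", AH, host, None, "allow"),
        Rule("outside", UDP, host, ISAKMP_PORT, "allow"),
        Rule("outside", UDP, host, NAT_T_PORT, "allow"),   # assumed NAT-T port
    ]


# Option 1 (post's "completely within the border"): the border filter carries
# only the IPsec rules. Decrypted traffic leaves the appliance's private
# interface straight onto the LAN, so there is no "vpn" ingress to filter.
INSIDE_PLACEMENT: List[Rule] = ipsec_to_appliance(VPN_APPLIANCE)

# Option 2 (post's preferred design): the appliance's public interface sits on
# the Internet and its private interface on a spare firewall interface "vpn",
# so decrypted traffic is filtered before it reaches the LAN. The permitted
# services below are constructed for illustration.
THIRD_INTERFACE: List[Rule] = [
    Rule("vpn", TCP, ip_network(f"{MAIL_SERVER}/32"), 25, "allow"),
    Rule("vpn", TCP, ip_network(f"{MAIL_SERVER}/32"), 143, "allow"),
    Rule("vpn", None, INTERNAL_NET, None, "deny"),   # everything else from VPN users
]


def sees_decrypted_traffic(rules: List[Rule]) -> bool:
    """True when the policy has any say over traffic arriving from the VPN's private side."""
    return any(r.ingress == "vpn" for r in rules)


if __name__ == "__main__":
    samples = [
        (INSIDE_PLACEMENT, Packet("outside", ESP, VPN_APPLIANCE)),
        (INSIDE_PLACEMENT, Packet("outside", UDP, VPN_APPLIANCE, ISAKMP_PORT)),
        (INSIDE_PLACEMENT, Packet("outside", UDP, VPN_APPLIANCE, 53)),
        (INSIDE_PLACEMENT, Packet("outside", ESP, MAIL_SERVER)),
        (THIRD_INTERFACE, Packet("vpn", TCP, MAIL_SERVER, 25)),
        (THIRD_INTERFACE, Packet("vpn", TCP, MAIL_SERVER, 22)),
    ]
    for rules, pkt in samples:
        print(pkt, "->", evaluate(rules, pkt))
    print("option 1 filters decrypted traffic:", sees_decrypted_traffic(INSIDE_PLACEMENT))
    print("option 2 filters decrypted traffic:", sees_decrypted_traffic(THIRD_INTERFACE))
```

The point the model makes explicit is the one the post raises: both options expose the rest of the network to the same single IPsec stream, and the difference lies entirely in whether the firewall ever sees what comes out of the private interface.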