Firewall Wizards mailing list archives

Re: Placement of a VPN Appliance


From: Jeffery.Gieser () minnesotamutual com
Date: Thu, 4 Jan 2001 09:02:54 -0600


We recently had the same issue where I work.  I decided to place the public
side of the VPN device on a DMZ and the private side on our internal
network.  This was done for the following reasons.

1.  If every device has X number of vulnerabilities then having two devices
of different types on the internet gives us X + X number of different
vulnerabilities.

2.  The firewall really can't do much filtering for the VPN device for
ISAKMP, AH, or ESP but it can stop any other traffic from reaching the VPN
device that isn't one of these three protocols.

3.  I would place the public side of the VPN on the DMZ because I wouldn't
want potentially dirty traffic on my internal network before it reached
its checkpoint.

4.  Placing the private side of the VPN device in front of a firewall
defeats the purpose of a firewall since you usually want the people on the
other side of the VPN to have full access to your internal network.  My
firewall rules would look like Swiss cheese if I did that.

Regards,
Jeffery Gieser


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
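
The filtering described in point 2 of the message above, written out as an added example that is not part of the original post. It assumes a Linux firewall running nftables between the Internet and the DMZ; the interface names and the appliance address are constructed placeholders.

```nftables
# Constructed example: addresses and interface names are placeholders.
define VPN_PUBLIC = 192.0.2.10   # public side of the VPN appliance, on the DMZ
define IF_INET    = "eth0"       # firewall interface facing the Internet
define IF_DMZ     = "eth1"       # firewall interface facing the DMZ

table inet vpn_dmz {
    chain forward {
        # Default deny: nothing is forwarded unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted below.
        ct state established,related accept

        # Internet -> appliance: ISAKMP (IKE) on UDP port 500.
        iifname $IF_INET oifname $IF_DMZ ip daddr $VPN_PUBLIC udp dport 500 accept

        # Internet -> appliance: ESP (IP protocol 50) and AH (IP protocol 51).
        # The firewall cannot inspect inside these, it can only let them through.
        iifname $IF_INET oifname $IF_DMZ ip daddr $VPN_PUBLIC ip protocol { esp, ah } accept

        # Appliance -> Internet: the same three protocols, so it can initiate tunnels.
        iifname $IF_DMZ oifname $IF_INET ip saddr $VPN_PUBLIC udp dport 500 accept
        iifname $IF_DMZ oifname $IF_INET ip saddr $VPN_PUBLIC ip protocol { esp, ah } accept

        # Everything else aimed at the appliance is logged, then dropped.
        ip daddr $VPN_PUBLIC log prefix "vpn-dmz-drop " drop
    }
}
# The private side of the appliance sits on the internal network, so decrypted
# traffic never crosses this chain and no per-service holes are needed here.
```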

