Firewall Wizards mailing list archives

RE: Placement of a VPN Appliance


From: Bob.Eichler () ual com
Date: Thu, 4 Jan 2001 17:38:09 -0600

Thank you all for validating a design I recommended:
putting the "external" side of the VPN on the DMZ, and putting the
"internal" side on an unused NIC on the firewall.

The thought process was:
1. Filter the "junk" hitting the VPN (Mr. Geiser already elaborated on
this clearly).

2. Allow for that future flexibility with "semi-trusted partners"
elaborated upon by Mr. Nagy.

Sometimes you "know" what you're doing... but it still feels good to get
that last bit of confirmation. :-)

Bob Eichler 
United Airlines - Information Security

   ----------
   From:       Bill.Royds
   Sent:       Thursday, January 04, 2001 10:43 AM
   To:         crist.clark
   Cc:         Bill.Royds; firewall-wizards
   Subject:    Re: [fw-wiz] Placement of a VPN Appliance
   
   We are implementing a safer variation on this theme.
   We put the "internal" termination end of the VPN appliance on a separate
   isolated segment that has a NIC on the firewall.
   The "external" end still connects to the Internet but only runs
   ISAKMP and ESP.
   Once the traffic is decrypted, it still has to pass through the
   firewall (proxy type) for validation before it can enter into internal
   space.  It might even be re-encrypted after inspection to protect it
   from internal snooping, but it does allow a validation and control
   point on network flow.
   
   
   "Crist Clark" <crist.clark () globalstar com> on 01/03/2001 07:20:31 PM
    To:      firewall-wizards () nfr com
    cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
    Subject: [fw-wiz] Placement of a VPN Appliance
   
   Hypothetically:
   
   You've got your wiz-bang-neato firewall machine. You've got a slick, new
   VPN appliance. The vendor literature assumes that your VPN appliance, which
   has a "public" and "private" interface, will be living on your border with
   the public interface naked (or nearly so) on the 'Net and the private
   interface on your internal network. But we've already got a wiz-bang-neato
   firewall. Assuming we trust the incoming VPN users (don't go there yet),
   what would be wrong with putting a VPN appliance completely within your
   border? For our VPN needs, we allow IPsec (proto 50 and 51) and ISAKMP
   (500/udp)[0] to the IP of the VPN appliance. There seems to be little risk
   in allowing this one stream of traffic into our network (as for what
   happens once the streams are unencrypted at the end of the tunnel...).
   
   The primary "pros" of this setup are,
   
     - We still only have one machine to worry about living naked on the 'Net.
     - Easier conversion from our current setup since we do not need to
       change connectivity of our border.
   
   The major "cons" are,
   
     - Once a VPN user is authenticated and in, he or she is in. However,
       this is how the present VPN solution works, so it is status quo.
     - The VPN appliance expects to be on a border for some reason, and
       this configuration confuses it.
   
   To me, the best idea would be to put the public interface of the VPN
   on the Internet and hook the private interface directly to an unused
   interface on the firewall. However, the distrust of VPN users shared
   by most security personnel is not shared by all network administrators,
   so the firewall restrictions one is allowed to put on the incoming VPN
   users might be so weak as to be pointless. In that case, I would rather put
   the whole appliance behind the firewall so one less box is exposed.
   
   My real question comes back to the vendor's assumption that the VPN
   device will be on a border. Is there some obvious reason I am missing
   why putting the "public" interface behind the firewall on the private
   net is bad? As I mentioned, the firewall will allow the traffic required
   by IPsec tunnels only to that one IP, so the rest of the network is put
   at little risk from that traffic. The real security concern from my point
   of view is what happens to the data in the VPN box and what comes out
   the private interface. If the private interface is naked on your internal
   network, either configuration has the same exposure to authenticated
   external users. Hiding the public interface behind the firewall just
   adds an extra layer of protection should a vulnerability in the
   VPN appliance exist. So, why doesn't the vendor support that?
   
   I am trying to decide which setup to fight for if I can't get my wish
   to put some real filters between the authenticated users and the
   naked internal network. Thanks for any opinions.
   
   [0] Oh, and there is that complete abomination of UDP encapsulated
   IPsec we'll probably have to let through.
   --
   Crist J. Clark                                Network Security Engineer
   crist.clark () globalstar com                    Globalstar, L.P.
   
   _______________________________________________
   firewall-wizards mailing list
   firewall-wizards () nfr com
   http://www.nfr.com/mailman/listinfo/firewall-wizards
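Added illustration for the thread above (editor's example; not code from any of the posters, the list, or a vendor): a small first-match packet-filter model showing what the firewall can enforce in the two placements discussed. The external-side rules are the ones Crist describes (only proto 50, proto 51 and udp/500 to the appliance's IP); the "vpn" interface rules model the Royds/Eichler layout, where the appliance's private side lands on a spare firewall NIC so the decrypted cleartext is filtered before it enters the internal network. All addresses, interface names, the client pool and the single permitted server are constructed assumptions, and the footnote's "UDP encapsulated IPsec" is modelled as NAT-T on udp/4500 (RFC 3948), which is also an assumption, since the thread names no port for it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# IP protocol numbers and ports named in the thread.
ESP, AH, UDP, TCP = 50, 51, 17, 6
ISAKMP_PORT = 500
# Assumption: the footnote's "UDP encapsulated IPsec" modelled as NAT-T on udp/4500 (RFC 3948).
NAT_T_PORT = 4500

# Constructed topology (assumptions for illustration; documentation/private ranges only).
ANY = ip_network("0.0.0.0/0")
VPN_PUBLIC = ip_address("192.0.2.10")        # appliance "public" interface, reached from the 'Net
INTERNAL = ip_network("10.0.0.0/8")           # the "naked" internal network
VPN_POOL = ip_network("10.254.0.0/16")        # addresses handed to authenticated VPN clients
FILESERVER = ip_address("10.1.2.3")           # the one internal host VPN users may reach


@dataclass(frozen=True)
class Packet:
    iface: str                   # firewall interface the packet arrives on: "ext" or "vpn"
    src: IPv4Address
    dst: IPv4Address
    proto: int
    dport: Optional[int] = None  # only meaningful for UDP/TCP


def pkt(iface: str, src: str, dst: str, proto: int, dport: Optional[int] = None) -> Packet:
    """Convenience constructor taking dotted-quad strings."""
    return Packet(iface, ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    iface: Optional[str] = None  # None matches any interface
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and p.src in self.src and p.dst in self.dst
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "DROP") -> str:
    """First-match evaluation with a default-deny policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


def host(ip: IPv4Address) -> IPv4Network:
    return ip_network(f"{ip}/32")


def border_rules() -> List[Rule]:
    """External side. Whether the appliance sits wholly inside the border
    (Crist's option) or its public interface sits on the DMZ (Bob's design),
    the firewall admits only IPsec control/data traffic, and only to the
    appliance's own IP; the 'Net gets nothing else."""
    to_vpn = dict(iface="ext", dst=host(VPN_PUBLIC))
    return [
        Rule("ACCEPT", proto=ESP, **to_vpn),
        Rule("ACCEPT", proto=AH, **to_vpn),
        Rule("ACCEPT", proto=UDP, dport=ISAKMP_PORT, **to_vpn),
        Rule("ACCEPT", proto=UDP, dport=NAT_T_PORT, **to_vpn),
        Rule("DROP", iface="ext", dst=INTERNAL),  # nothing else from the 'Net reaches inside
    ]


def vpn_arm_rules() -> List[Rule]:
    """Decrypted side (Royds/Eichler design). The appliance's private interface
    lands on a spare firewall NIC, so cleartext from authenticated users is
    filtered before it enters internal space. Here only HTTPS to one server."""
    return [
        Rule("ACCEPT", iface="vpn", src=VPN_POOL, dst=host(FILESERVER), proto=TCP, dport=443),
        Rule("DROP", iface="vpn", src=VPN_POOL, dst=INTERNAL),
    ]


if __name__ == "__main__":
    samples = [
        ("IKE to the appliance", border_rules(), pkt("ext", "198.51.100.7", "192.0.2.10", UDP, 500)),
        ("ESP to the appliance", border_rules(), pkt("ext", "198.51.100.7", "192.0.2.10", ESP)),
        ("ssh to the appliance", border_rules(), pkt("ext", "198.51.100.7", "192.0.2.10", TCP, 22)),
        ("IKE to an inside host", border_rules(), pkt("ext", "198.51.100.7", "10.1.2.3", UDP, 500)),
        ("VPN user HTTPS to file server", vpn_arm_rules(), pkt("vpn", "10.254.3.4", "10.1.2.3", TCP, 443)),
        ("VPN user SMB to file server", vpn_arm_rules(), pkt("vpn", "10.254.3.4", "10.1.2.3", TCP, 445)),
    ]
    for label, rules, p in samples:
        print(f"{label:32s} -> {evaluate(rules, p)}")
```

The point the model makes concrete: with the appliance's private side on the naked internal network, vpn_arm_rules() has nowhere to live and an authenticated user reaches any port on any host; with it on its own firewall NIC, the same user is limited to what the second ruleset permits, which is the "validation and control point" Bill Royds describes. The external ruleset is the same in both placements, so moving the public interface behind the firewall costs nothing on that side and only removes direct exposure of the appliance's other services (the ssh sample) to the Internet.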