Firewall Wizards mailing list archives

RE: Placement of a VPN Appliance


From: Ben Nagy <ben.nagy () marconi com au>
Date: Fri, 5 Jan 2001 09:07:32 +1030

-----Original Message-----
From: Jeffery.Gieser () minnesotamutual com
[mailto:Jeffery.Gieser () minnesotamutual com]
Sent: Friday, 5 January 2001 1:33 
To: Crist Clark; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Placement of a VPN Appliance



We recently had the same issue where I work. I decided to place the public
side of the VPN device on a DMZ and the private side on our internal
network. This was done for the following reasons.

1.  If every device has X number of vulnerabilities then having two devices
of different types on the internet gives us X + X number of different
vulnerabilities.

You've lost the plot, Jeff! 8) Remember set theory? It's perfectly possible
for both devices to have five holes - except they're all the same, therefore
there are only 5 total holes. 

Even if you argue that boxA->vul1 is _different_ to boxB->vul1 then I'd
argue that they're equivalent anyway since the impact of compromise for
either is the same - ie exploiting both doesn't make the security breach any
worse.


2.  The firewall really can't do much filtering for the VPN device for
ISAKMP, AH, or ESP but it can stop any other traffic from reaching the VPN
device that isn't one of these three protocols.

You have a point here, but according to "The Brochure" for all the VPN
appliances I've seen, the dirty interface silently drops any non IKE/AH/ESP
traffic anyway. It's not like it's hard to audit that hypothesis when
installing one into production...

3.  I would place the public side of the VPN on the DMZ because I wouldn't
want potentially dirty traffic on my internal network before it reached
its checkpoint.

But, but, but...You _have_ got dirty traffic feeding straight into your
network! Any VPN tunneled traffic isn't being inspected by your firewall at
all. Yes, you need to authenticate first - but that's your only method of
protection with your setup.

4.  Placing the private side of the VPN device in front of a firewall
defeats the purpose of a firewall since you usually want the people on the
other side of the VPN to have full access to your internal network. My
firewall rules would look like Swiss cheese if I did that.

And that's where the plot thickens. For situations where you want to treat
VPN users as completely trusted, it seems counterintuitive to have the
firewall sitting between the VPN box and the network. I've lost count of the
number of times I've said almost exactly what you just said above. 

However, what Crist and I were talking about was having a special interface
on the firewall, JUST for the private end of the VPN box to connect to. For
this interface you have a separate security policy, ranging from no
barriers - to create a situation like the one you have now - to strict
access-control - to create semi-trusted VPN links for partners that need
access to an internal app with confidentiality, for example.

I admit that the setup is counterintuitive until you think about the need to
apply some level of access-control to VPN users which is different to the
access control you have for untrusted traffic but is not necessarily none
at all.


Regards,
Jeffery Gieser

Cheers,

(this is not a flame, BTW - I'm guessing you just had a long week ;)
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
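The topology argued for above (VPN box's dirty side on a DMZ, its private end on a firewall interface of its own with a separate policy) written out as a netfilter rule set. This is an added example, not something posted to the thread or shipped by any vendor mentioned in it; the interface names (eth0 Internet, eth1 DMZ, eth2 VPN-private, eth3 internal), the addresses and the "partners only get one HTTPS app" policy are all assumptions. By default the script only echoes the iptables commands (dry run); set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: three-zone policy around a VPN appliance.
# Assumed interfaces:
#   eth0 = Internet-facing
#   eth1 = DMZ where the VPN appliance's dirty (public) interface lives
#   eth2 = dedicated interface for the VPN appliance's private end ONLY
#   eth3 = internal network
VPN_DIRTY_IP=${VPN_DIRTY_IP:-192.0.2.10}        # assumed DMZ address of the VPN box
VPN_CLIENT_NET=${VPN_CLIENT_NET:-10.99.0.0/16}  # assumed address pool given to tunnel users
APP_SERVER=${APP_SERVER:-10.1.2.20}             # assumed internal app partners may reach
IPT=${IPT:-echo iptables}                       # dry run by default; IPT=iptables to apply

# Allow only the IPsec control/data protocols between the Internet and the
# VPN box's dirty interface. $1 = in-iface, $2 = out-iface, $3 = -d or -s
# (whether the VPN box is destination or source for this direction).
allow_ipsec() {
    $IPT -A FORWARD -i "$1" -o "$2" "$3" "$VPN_DIRTY_IP" -p udp --dport 500 -j ACCEPT  # IKE/ISAKMP
    $IPT -A FORWARD -i "$1" -o "$2" "$3" "$VPN_DIRTY_IP" -p esp -j ACCEPT              # ESP (proto 50)
    $IPT -A FORWARD -i "$1" -o "$2" "$3" "$VPN_DIRTY_IP" -p ah -j ACCEPT               # AH  (proto 51)
}

vpn_firewall_rules() {
    $IPT -P FORWARD DROP

    # Tunnel-user addresses may only ever appear on the VPN-private interface.
    $IPT -A FORWARD ! -i eth2 -s "$VPN_CLIENT_NET" -j DROP

    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Point 2 of the thread: the firewall cannot look inside IKE/AH/ESP, but it
    # can make sure nothing else reaches (or leaves) the VPN box's dirty side.
    allow_ipsec eth0 eth1 -d
    allow_ipsec eth1 eth0 -s
    $IPT -A FORWARD -i eth0 -o eth1 -d "$VPN_DIRTY_IP" -j DROP   # everything else to the dirty side

    # The dedicated interface gets its own policy, distinct from the one for
    # untrusted traffic. Here a semi-trusted partner link: one internal app over
    # HTTPS and nothing more, with denials logged for review.
    $IPT -A FORWARD -i eth2 -o eth3 -s "$VPN_CLIENT_NET" -d "$APP_SERVER" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -i eth2 -o eth3 -j LOG --log-prefix "vpn-denied: "
    $IPT -A FORWARD -i eth2 -o eth3 -j DROP
}

# Stand-alone run: prints the rule set (dry run unless IPT is overridden).
vpn_firewall_rules
```

Loosening the eth2 section to a single ACCEPT gives the "VPN users are fully trusted" setup from point 4; the dirty-side rules stay the same either way, which is the point of splitting the two policies onto separate interfaces.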

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards