Firewall Wizards mailing list archives
RE: Placement of a VPN Appliance
From: Ben Nagy <ben.nagy () marconi com au>
Date: Fri, 5 Jan 2001 09:07:32 +1030
-----Original Message-----
From: Jeffery.Gieser () minnesotamutual com [mailto:Jeffery.Gieser () minnesotamutual com]
Sent: Friday, 5 January 2001 1:33
To: Crist Clark; firewall-wizards () nfr com
Subject: Re: [fw-wiz] Placement of a VPN Appliance

> We recently had the same issue where I work. I decided to place the public side of the VPN device on a dmz and the private side on our internal network. This was done for the following reasons.
>
> 1. If every device has X number of vulnerabilities then having two devices of different types on the internet gives us X + X number of different vulnerabilities.
You've lost the plot, Jeff! 8) Remember set theory? It's perfectly possible for both devices to have five holes - except they're all the same, therefore there are only 5 total holes. Even if you argue that boxA->vul1 is _different_ to boxB->vul1 then I'd argue that they're equivalent anyway since the impact of compromise for either is the same - i.e. exploiting both doesn't make the security breach any worse.
> 2. The firewall really can't do much filtering for the VPN device for ISAKMP, AH, or ESP but it can stop any other traffic from reaching the VPN device that isn't one of these three protocols.
You have a point here, but according to "The Brochure" for all the VPN appliances I've seen, the dirty interface silently drops any non IKE/AH/ESP traffic anyway. It's not like it's hard to audit that hypothesis when installing one into production...
> 3. I would place the public side of the VPN on the DMZ because I wouldn't want potentially dirty traffic on my internal network before it reached its checkpoint.
But, but, but...You _have_ got dirty traffic feeding straight into your network! Any VPN tunneled traffic isn't being inspected by your firewall at all. Yes, you need to authenticate first - but that's your only method of protection with your setup.
> 4. Placing the private side of the VPN device in front of a firewall defeats the purpose of a firewall since you usually want the people on the other side of the VPN to have full access to your internal network. My firewall rules would look like Swiss cheese if I did that.
And that's where the plot thickens. For situations where you want to treat VPN users as completely trusted, it seems counterintuitive to have the firewall sitting between the VPN box and the network. I've lost count of the number of times I've said almost exactly what you just said above. However, what Crist and I were talking about was having a special interface on the firewall, JUST for the private end of the VPN box to connect to. For this interface you have a separate security policy, ranging from no barriers - to create a situation like the one you have now - to strict access-control - to create semi-trusted VPN links for partners that need access to an internal app with confidentiality, for example. I admit that the setup is counterintuitive until you think about the need to apply some level of access-control to VPN users which is different to the access control you have for untrusted traffic but is not necessarily none at all.
> Regards,
> Jeffery Gieser
Cheers,
(this is not a flame, BTW - I'm guessing you just had a long week ;)
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
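The design Ben describes in his reply to point 4 (a dedicated firewall interface for the VPN appliance's private side, with its own policy that can range from "no barriers" to strict per-partner access control) and the protocol filtering from point 2 can be expressed as an nftables ruleset. The following is an added illustration written for this archive page; it is not configuration from the thread, from Marconi, or from any VPN product. All interface names, address ranges, the partner application address and the use of UDP 500 for IKE are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added illustration, not a configuration from the thread or from any product.
# Assumed topology (all names and addresses are assumptions):
#   eth0 -> Internet ("dirty" side)
#   eth1 -> internal LAN, 10.0.0.0/8
#   eth2 -> DMZ holding the VPN appliance's public interface, 192.0.2.10
#   eth3 -> dedicated interface connected only to the VPN appliance's private side
flush ruleset

define vpn_pub      = 192.0.2.10
define internal     = 10.0.0.0/8
define staff_pool   = 10.201.0.0/24   # inner addresses of fully trusted staff tunnels
define partner_pool = 10.200.0.0/24   # inner addresses of semi-trusted partner tunnels
define partner_app  = 10.0.5.20       # the single internal application partners may use

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Jeff's point 2: only IKE (UDP 500), ESP and AH may pass between the
        # Internet and the appliance's public side. The firewall enforces this
        # itself rather than relying on the appliance's own silent drop.
        iifname "eth0" oifname "eth2" ip daddr $vpn_pub udp dport 500 accept
        iifname "eth0" oifname "eth2" ip daddr $vpn_pub ip protocol { esp, ah } accept
        iifname "eth2" oifname "eth0" ip saddr $vpn_pub udp sport 500 accept
        iifname "eth2" oifname "eth0" ip saddr $vpn_pub ip protocol { esp, ah } accept

        # Ben's point 4: decrypted traffic arrives on eth3 and gets its own
        # policy, separate from the policy applied to untrusted traffic on eth0.
        # Fully trusted staff tunnels: no barriers, equivalent to Jeff's current setup.
        iifname "eth3" oifname "eth1" ip saddr $staff_pool ip daddr $internal accept
        iifname "eth1" oifname "eth3" ip daddr $staff_pool accept

        # Semi-trusted partner tunnels: one internal application over HTTPS, nothing else.
        iifname "eth3" oifname "eth1" ip saddr $partner_pool ip daddr $partner_app tcp dport 443 accept

        # Anything else arriving from the VPN side is logged before being dropped,
        # so misuse of a tunnel shows up in the firewall log instead of vanishing.
        iifname "eth3" log prefix "vpn-side denied: " drop
    }
}
```

The point of the separate eth3 interface is that the policy for decrypted tunnel traffic is keyed on which tunnel pool it came from, not on whether it is "inside" or "outside": staff tunnels get the open policy Jeff already has, partner tunnels get a single permitted destination, and the final log-and-drop rule gives the firewall visibility into tunnelled traffic that, in Jeff's layout, would never be inspected at all.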