RE: Placement of a VPN Appliance

[David Bovee <David.Bovee () watchguard com>]

If you're going to place the int. interface of the VPN box on the firewall,
why not also protect the ext. interface?  


             Internet
                |
                |
                |
         ----------------
         |              |
         |              |
         |             VPN
         |              |
        FW--------------|
         |              
       Inside


vs


             Internet
                |
                |
                |      (ext)
     LAN<--<---FW-->-->---VPN
  (secure)      ^          | (int)
                |          |
                |---<---<--|




One of the amazing facts about VPN appliances is that many do not log with
the same verbosity as firewalls, yet there are essentially subject to many
of the same types of attacks.  This has always been one advantage of an
integrated VPN/FW solution.

Downside:  Your FW becomes a single POF.  However, in your proposed
scenario, you have the same dependency.

Upside: Your VPN box is now protected and you can worry "less" about
updates, DoS attacks, etc.

-David

> -----Original Message-----
> From: Bob.Eichler () ual com [mailto:Bob.Eichler () ual com]
> Sent: Thursday, January 04, 2001 3:38 PM
> To: firewall-wizards () nfr com
> Subject: RE: [fw-wiz] Placement of a VPN Appliance
>
>
> Thank you all for validating a design I recommended; 
> Putting the "external" side of the VPN on the DMZ, and putting the
> "internal" side on an unused NIC on the firewall.   
>
> The thought process was
> 1. Filter the "junk" hitting the VPN ( Mr. Geiser already 
> elaborated on
> this clearly )
>
> 2. Allow for that future flexibility with "semi-trusted partners"
> elaborated upon by Mr. Nagy. 
>
> Sometimes you "know" what your doing... but it still feels good to get
> that last bit of confirmation. :-)
>
> Bob Eichler 
> United Airlines - Information Security
>
>    ----------
>    From:       Bill.Royds
>    Sent:       Thursday, January 04, 2001 10:43 AM
>    To:         crist.clark
>    Cc:         Bill.Royds; firewall-wizards
>    Subject:    Re: [fw-wiz] Placement of a VPN Appliance
>    
>    We are implementing a safer variation on this theme.
>    We put the "internal" termination end of the VPN appliance on a
>    separate
>    isolated segment that has a NIC on the firewall.
>    The "external" end still connects to the Internet but only runs
>    ISAKMP and ESD.
>    Once the traffic is decrypted, it still has to pass through the
>    firewall (proxy
>    type) for validation before it can enter into internal space.  It
>    might even be
>    re-encrypted after inspection to protect it from internal snooping
>    but it does
>    allow a valiadation and control point on network flow.
>    
>    
>    
>    
>    "Crist Clark" <crist.clark () globalstar com> on 01/03/2001 
> 07:20:31 PM
>                                                                  
>                                                                  
>                                                                  
>     To:      firewall-wizards () nfr com                            
>                                                                  
>     cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)                 
>                                                                  
>                                                                  
>                                                                  
>     Subject: [fw-wiz] Placement of a VPN Appliance               
>                                                                  
>    
>    
>    
>    
>    
>    Hypothetically:
>    
>    You've got your wiz-bang-neato firewall machine. You've 
> got a slick,
>    new
>    VPN appliance. The vendor literature assumes that your VPN 
> appliance,
>    which
>    has a "public" and "private" interface, will be living on 
> your border
>    with
>    the public interface naked (or nearly so) on the 'Net and 
> the private
>    interface on your internal network. But we've already got a
>    wiz-bang-neato
>    firewall. Assuming we trust the incoming VPN users (don't go there
>    yet),
>    what would be wrong with putting a VPN appliance completely within
>    your
>    border? For our VPN needs, we allow IPsec (proto 50 and 51) and
>    ISAKMP
>    (500/udp)[0] to the IP of the VPN appliance. There seems 
> to be little
>    risk
>    in allowing this one stream of traffic into our network 
> (as for what
>    happens once the streams are unencrypted at the end of the
>    tunnel...).
>    
>    The primary "pros" of this setup are,
>    
>      - We still only have one machine to worry about living 
> naked on the
>    'Net.
>      - Easier conversion from our current setup since we do 
> not need to
>        change connectivity of our border.
>    
>    The major "cons" are,
>    
>      - Once a VPN user is authenticated an in, he or she is 
> in. However,
>        this is how the present VPN solution works, so it is 
> status quo.
>      - The VPN appliance expects to be on a border for some 
> reason, and
>        this configuration confuses it.
>    
>    To me, the best idea would be to put the public interface 
> of the VPN
>    on the Internet and hook the private interface directly to 
> an unused
>    interface on the firewall. However, distrust of VPN users shared
>    by most security personnel is not shared by all network
>    administrators
>    so the firewall restrictions one is allowed put on the incoming VPN
>    users
>    might be so weak as to be pointless. In that case, I would 
> rather put
>    the whole appliance behind the firewall so one less box is exposed.
>    
>    My real question comes back to the vendor's assumption that the VPN
>    device will be on a border. Is there some obvious reason I 
> am missing
>    why putting the "public" interface behind the firewall on 
> the private
>    net is bad? As I mentioned, the firewall will allow the traffic
>    required
>    by IPsec tunnels only to that one IP, so the rest of the network is
>    put
>    at little risk from that traffic. The real security concern from my
>    point
>    of view is what happens to the data in the VPN box and 
> what comes out
>    the private interface. If the private interface is naked on your
>    internal
>    network, either configuration has the same exposure to 
> authenticated
>    external users. Hiding the public interface behind the 
> firewall just
>    adds an extra layer of protection should a vulnerability in the
>    VPN appliance exist. So, why doesn't the vendor support that?
>    
>    I am trying to decide which setup to fight for if I can't 
> get my wish
>    to put some real filters between the authenticated users and the
>    naked internal network. Thanks for any opinions.
>    
>    [0] Oh, and there is that complete abomination of UDP encapsulated
>    IPsec we'll probably have to let through.
>    --
>    Crist J. Clark                                Network Security
>    Engineer
>    crist.clark () globalstar com                    Globalstar, L.P.
>    
>    
>    
>    
>    
>    
>    _______________________________________________
>    firewall-wizards mailing list
>    firewall-wizards () nfr com
>    http://www.nfr.com/mailman/listinfo/firewall-wizards
>    
>    
>    
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards