Firewall Wizards mailing list archives
Re: Placement of a VPN Appliance
From: dharris () kcp com
Date: Fri, 5 Jan 2001 10:29:45 -0600
Indeed. If you allow _all_ the VPN traffic to pass through the firewall gateway unhindered then it does not matter where the VPN lands. However, if you consider the VPN as an extension of the external, untrusted network, rather than as an extension of your internal, trusted network, then you will place restrictions on the traffic from the VPN and block, restrict, or otherwise control the flow of that traffic through the firewall and into your internal network. You can trust traffic from the VPN more than traffic from the world-wide Internet because the encryption/decryption gives you assurance that the traffic came from where you think it came from. My point was that you may not want to trust the traffic from the remote site as much as you trust traffic on your internal network.

If the level of protection at the external site is lower than what your local site requires then add protection (filtering, proxies, or whatever is needed) so the traffic to/from the external site is only that which your local policy allows. Conversely, if the remote site has stricter policies then you may need to use a firewall gateway to protect the remote site from your local site.

Scenario 1) External site is a branch office. Security policy is the same as at local site. You trust the implementers and maintainers to have the policy correctly executed at the remote site. Use a VPN to directly connect the two sites because firewalling the VPN is not necessary to protect either site.

Scenario 2) External site is a business partner, who also has a business partnership with a competitor of yours. Security policy at the external site is either unknown or incompletely known, with an implementation for which you have no confidence factor. You should probably protect your local site assets through a firewall gateway which allows limited access to a limited set of the local resources.

Scenario 3) External site is a telecommuting employee. There is no security policy at the external site (her kids use the computer, she's got a home network with her daughter's computer and the family computer in the basement) and a strong resistance to the office telling her how to run her own home. She needs "full" access to "all" local site resources. You are now between a rock (security policy) and a hard place (desired business practice). If you think the risk is low enough for you, go ahead and land that VPN on your internal network. If the risk is too high, land the VPN outside the firewall and restrict the ability of your telecommuting employee to access internal resources.

I hope this removes some of the original confusion.

Delmer D. Harris, CISSP

"R. DuFresne" <dufresne () sysinfo com> on 01/04/2001 08:41:55 PM
To: dharris () kcp com
cc: firewall-wizards () nfr com, Jeffery.Gieser () minnesotamutual com
Subject: Re: [fw-wiz] Placement of a VPN Appliance

On Thu, 4 Jan 2001 dharris () kcp com wrote:
So... What have you done to ensure that the system(s) on the other end of the VPN are obeying your security policy? The way I see it, if you land the VPN on your protected network then you must have some assurance that both ends of your VPN are on networks with compatible security policies. At the least you would want to be sure that the security policies at both ends are at or above a minimum required level.

Think of your site as having a security perimeter (or several perimeters), with policies enforced by a combination of physical, electronic, and administrative controls. When you land the VPN inside one of those security perimeters then you have logically defined the security perimeter to include whatever is on the other end of the VPN. If the policies or their enforcement is weaker at the other end of the VPN then you have effectively decreased the security of your site because your actual perimeter now has less-defended areas.
I get confused at this point. As long as the VPN traffic is allowed into your network, no matter the endpoint, in front of or behind the FW, of the device, are you not at the same risk?

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
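Harris's scenarios 1 and 2, written out as a firewall ruleset so the difference between "VPN as extension of the internal network" and "VPN as an untrusted zone" is concrete. This is an added example, not part of any message in the thread; it assumes a hypothetical Linux firewall host on which the tunnels terminate, with the branch-office tunnel on interface vpn0, the partner tunnel on vpn1, the internal LAN on eth1, and constructed address ranges.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Hypothetical layout:
#   eth0 = Internet, eth1 = internal LAN (10.1.0.0/16)
#   vpn0 = tunnel interface the branch-office VPN lands on (scenario 1)
#   vpn1 = tunnel interface the business-partner VPN lands on (scenario 2)
# Decrypted tunnel traffic is forwarded through this host, so each tunnel
# interface is a zone of its own; "landing the VPN outside the firewall"
# amounts to giving that zone no more rights than the Internet has.
flush ruleset

define lan_net     = 10.1.0.0/16
define branch_net  = 10.2.0.0/16              # constructed: branch office range
define partner_net = 192.168.50.0/24          # constructed: partner's range
define partner_ok  = { 10.1.10.5, 10.1.10.6 } # only hosts the partner may reach

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internal LAN may reach the Internet as usual.
        iifname "eth1" oifname "eth0" accept

        # Scenario 1: same policy on both sides, so the branch is treated as
        # part of the internal network. The only check is anti-spoofing:
        # the tunnel proves which peer sent the packet, so enforce that the
        # addresses match what that peer is allowed to originate.
        iifname "vpn0" ip saddr $branch_net oifname "eth1" ip daddr $lan_net accept
        iifname "eth1" ip saddr $lan_net oifname "vpn0" ip daddr $branch_net accept

        # Scenario 2: partner policy is unknown, so the tunnel is an untrusted
        # zone. Only a listed set of local hosts and services is reachable;
        # everything else arriving from that tunnel is logged and dropped.
        iifname "vpn1" ip saddr $partner_net oifname "eth1" ip daddr $partner_ok tcp dport { 443, 1433 } accept
        iifname "vpn1" log prefix "partner-vpn-denied: " drop

        # Replies flow through the established rule above; new connections
        # toward the partner are limited to the same listed hosts.
        iifname "eth1" ip saddr $partner_ok oifname "vpn1" ip daddr $partner_net accept

        # Scenario 3 (telecommuter) follows the scenario 2 pattern on her own
        # tunnel interface, widened or narrowed to match the accepted risk.
    }
}
```

The log prefix on the partner drop rule gives the syslog or IDS side a hook for spotting partner traffic that strays beyond the agreed set of hosts.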