Firewall Wizards mailing list archives
Re: Placement of a VPN Appliance
From: dharris () kcp com
Date: Fri, 5 Jan 2001 10:29:45 -0600
Indeed. If you allow _all_ the VPN traffic to pass through the firewall
gateway unhindered then it does not matter where the VPN lands. However,
if you consider the VPN as an extension of the external, untrusted network,
rather than as an extension of your internal, trusted network, then you
will place restrictions on the traffic from the VPN and block, restrict, or
otherwise control the flow of that traffic through the firewall and into your
internal network. You can trust traffic from the VPN more than traffic
from the world-wide Internet because the encryption/decryption gives you
assurance that the traffic came from where you think it came from. My
point was that you may not want to trust the traffic from the remote site
as much as you trust traffic on your internal network. If the level of
protection at the external site is lower than what your local site requires
then add protection (filtering, proxies, or whatever is needed) so the
traffic to/from the external site is only that which your local policy
allows. Conversely, if the remote site has stricter policies then you may
need to use a firewall gateway to protect the remote site from your local
site.
Scenario 1)
External site is a branch office. Security policy is the same as at local
site. You trust the implementers and maintainers to have the policy
correctly executed at the remote site. Use a VPN to directly connect the
two sites because firewalling the VPN is not necessary to protect either
site.
Scenario 2)
External site is a business partner, who also has a business partnership
with a competitor of yours. Security policy at the external site is either
unknown or incompletely known, with an implementation for which you have no
confidence factor. You should probably protect your local site assets
through a firewall gateway which allows limited access to a limited set of
the local resources.
Scenario 3)
External site is a telecommuting employee. There is no security policy at
the external site (her kids use the computer, she's got a home network with
her daughter's computer and the family computer in the basement) and a
strong resistance to the office telling her how to run her own home. She
needs "full" access to "all" local site resources. You are now between a
rock (security policy) and a hard place (desired business practice). If
you think the risk is low enough for you, go ahead and land that VPN on
your internal network. If the risk is too high, land the VPN outside the
firewall and restrict the ability of your telecommuting employee to access
internal resources.
I hope this removes some of the original confusion.
Delmer D. Harris, CISSP
"R. DuFresne" <dufresne () sysinfo com> on 01/04/2001 08:41:55 PM
To: dharris () kcp com
cc: firewall-wizards () nfr com, Jeffery.Gieser () minnesotamutual com
Subject: Re: [fw-wiz] Placement of a VPN Appliance
On Thu, 4 Jan 2001 dharris () kcp com wrote:
So... What have you done to ensure that the system(s) on the other end of the VPN are obeying your security policy? The way I see it, if you land the VPN on your protected network then you must have some assurance that both ends of your VPN are on networks with compatible security policies. At the least you would want to be sure that the security policies at both ends are at or above a minimum required level.
Think of your site as having a security perimeter (or several perimeters), with policies enforced by a combination of physical, electronic, and administrative controls. When you land the VPN inside one of those security perimeters then you have logically defined the security perimeter to include whatever is on the other end of the VPN. If the policies or their enforcement is weaker at the other end of the VPN then you have effectively decreased the security of your site because your actual perimeter now has less-defended areas.
I get confused at this point. as long as the VPN traffic is allowed into
your network, no matter the endpoint, in front of or behind the FW, of the
device, are you not at the same risk?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
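Scenario 2 from the message above, written out as a firewall ruleset. This is an added example, not code from the thread or its authors; it assumes the VPN lands on a separate firewall interface (eth2), a remote address range of 10.99.0.0/24, and two internal hosts as the "limited set of local resources". The unrestricted rule is shown only to contrast with it.

```shell
#!/bin/sh
# Added example: land the VPN outside the trusted network and let the
# firewall gateway pass only a short allow list into the internal LAN.
# Interface names, subnet and hosts below are assumptions, not from the thread.
# Without APPLY=1 the iptables commands are printed rather than executed.
VPN_IF="${VPN_IF:-eth2}"              # assumed interface the VPN terminates on
INT_IF="${INT_IF:-eth1}"              # assumed internal LAN interface
VPN_NET="${VPN_NET:-10.99.0.0/24}"    # assumed partner/remote address range
# Assumed "limited set of local resources": host:proto:port entries.
ALLOWED="192.168.10.20:tcp:443 192.168.10.25:tcp:25"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Scenario 1 style: VPN traffic forwarded unhindered, as when the VPN
# lands on the internal network. The remote site's policy becomes yours.
unrestricted_rules() {
  run iptables -A FORWARD -i "$VPN_IF" -o "$INT_IF" -s "$VPN_NET" -j ACCEPT
}

# Scenario 2: default-deny from the VPN segment; only listed host/port
# pairs may open new connections, replies pass by state, the rest is
# logged (so policy violations at the remote end become visible) and dropped.
restricted_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for entry in $ALLOWED; do
    host=${entry%%:*}; rest=${entry#*:}; proto=${rest%%:*}; port=${rest#*:}
    run iptables -A FORWARD -i "$VPN_IF" -o "$INT_IF" -s "$VPN_NET" \
      -d "$host" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  done
  run iptables -A FORWARD -i "$VPN_IF" -j LOG --log-prefix "vpn-denied: "
  run iptables -A FORWARD -i "$VPN_IF" -j DROP
}

case "${1:-restricted}" in
  unrestricted) unrestricted_rules ;;
  *) restricted_rules ;;
esac
```

Run it with no arguments to see the restricted ruleset, or with `unrestricted` to see the single rule that Scenario 1 amounts to.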