Firewall Wizards mailing list archives
Re: VPN concentrators
From: Patrick Darden <darden () armc org>
Date: Mon, 26 Aug 2002 08:39:24 -0400 (EDT)
I don't agree. Putting authenticated and authorized traffic through a firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an extension of your network--it is as trusted as any traffic internal to your network--perhaps more, as it can be completely accounted for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:

      ds3 to internet
             |
             |
      ---------------
      Bastion Router|
      ---------------
        |         |
        |          \
     firewall       \
        |        vpn engine
        |           |
    ==================
    internal network |
    ==================

--
--Patrick Darden                Internetworking Manager
--                 706.475.3312    darden () armc org
--                       Athens Regional Medical Center

On Mon, 26 Aug 2002 scouser () paradise net nz wrote:
Off topic slightly, sorry.

Current best thinking is to terminate VPN tunnels inside an external firewall on a DMZ, then traffic can be passed back through this or another firewall before entering the internal network.

Complexity can lead to vulnerabilities, so what are people's thoughts on termination of VPN tunnels on the firewall itself? What are the pros and cons as you see them?

thanks in advance
James

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards