Firewall Wizards mailing list archives

Re: VPN concentrators


From: "B. Scott Harroff" <Scott.Harroff () att net>
Date: Mon, 26 Aug 2002 10:56:19 -0400

I agree with you from the trust perspective.

It is nice, though, to be able to filter/log/monitor undesirable inbound VPN
traffic; this would need to be post-VPN device, most likely by a firewall of
some type.


----- Original Message -----
From: "Patrick Darden" <darden () armc org>
To: <scouser () paradise net nz>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Monday, August 26, 2002 8:39 AM
Subject: Re: [fw-wiz] VPN concentrators



I don't agree.  Putting authenticated and authorized traffic through a
firewall is redundant.  IPSEC traffic is trusted traffic.  A VPN is an
extension of your network--it is as trusted as any traffic internal to
your network--perhaps more, as it can be completely accounted
for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:

     ds3 to internet
      |
      |
---------------
Bastion Router|
---------------
   |     |
   |      \
firewall   \
   |       vpn engine
   |           |
==================
internal network |
==================




--
--Patrick Darden                Internetworking Manager
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Mon, 26 Aug 2002 scouser () paradise net nz wrote:

Off topic slightly, sorry.

Current best thinking is to terminate VPN tunnels inside an external
firewall on a DMZ, then traffic can be passed back through this or another
firewall before entering the internal network.

Complexity can lead to vulnerabilities, so what are people's thoughts on
termination of VPN tunnels on the firewall itself? What are the pros
and cons as you see them?

thanks in advance
James
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


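The post-VPN filtering Scott asks for, and James's question about terminating
the tunnel on the firewall itself, in concrete form. This is an added example,
not configuration from anyone in the thread: an nftables ruleset for a Linux
box that is both the IPsec endpoint and the firewall, so decrypted traffic
still has to pass an explicit allow list and anything else out of the tunnel
is logged. It needs nftables 0.9.1 or later for "meta secpath". The interface
names, the peer address and the address ranges are assumptions chosen for
illustration; IKE/IPsec itself is configured elsewhere (e.g. strongSwan) and
is not shown.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Combined IPsec gateway + firewall.
# Interfaces, peer and networks below are assumed values for illustration.
define wan_if  = "eth0"
define lan_if  = "eth1"
define peer    = 198.51.100.7      # remote VPN gateway (assumed)
define lan_net = 10.10.0.0/16      # our internal network (assumed)
define vpn_net = 10.20.0.0/16      # remote side's private range (assumed)

flush ruleset

table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Outside: only the tunnel itself may reach this box, and only from
        # the known peer: IKE (UDP 500), NAT-T (UDP 4500) and ESP.
        iifname $wan_if ip saddr $peer udp dport { 500, 4500 } accept
        iifname $wan_if ip saddr $peer ip protocol esp accept

        # Management from the inside only.
        iifname $lan_if ip saddr $lan_net tcp dport 22 accept

        log prefix "fw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # After decryption a packet re-enters the stack on the outside
        # interface with a security path attached. Cleartext arriving on
        # the outside interface has none, so it is never forwarded.
        iifname $wan_if meta secpath missing log prefix "fw-cleartext-wan: " drop

        # The "post-VPN firewall": decrypted traffic is still subject to an
        # explicit allow list before it reaches the internal network.
        iifname $wan_if oifname $lan_if meta secpath exists ip saddr $vpn_net ip daddr $lan_net tcp dport { 443, 3389 } accept
        iifname $wan_if oifname $lan_if meta secpath exists ip saddr $vpn_net ip daddr $lan_net icmp type echo-request accept

        # Inside -> tunnel; replies come back via conntrack above.
        iifname $lan_if oifname $wan_if ip saddr $lan_net ip daddr $vpn_net accept

        # Everything else that came out of the tunnel is logged, which is the
        # visibility argued for above; then dropped.
        iifname $wan_if meta secpath exists log prefix "fw-vpn-drop: " drop
        log prefix "fw-forward-drop: " drop
    }
}
```

Load it with "nft -f" and watch the "fw-vpn-drop:" and "fw-cleartext-wan:"
prefixes in the kernel log. The first shows what the remote side is sending
through the tunnel that the policy did not expect; the second should stay
empty, since any hit means cleartext reached the outside interface without
going through an SA. If the tunnel is instead terminated on a separate VPN
engine, the same allow list goes on the inline firewall's inside-facing
chain and the "secpath" matches are no longer needed, because that firewall
only ever sees the decrypted packets.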