Firewall Wizards mailing list archives
Re: VPN concentrators
From: "B. Scott Harroff" <Scott.Harroff () att net>
Date: Mon, 26 Aug 2002 10:56:19 -0400
I agree with you from the trust perspective. It is nice though to be able to filter/log/monitor undesirable inbound VPN traffic; and this would need to be post VPN device, most likely by a firewall of some type.

----- Original Message -----
From: "Patrick Darden" <darden () armc org>
To: <scouser () paradise net nz>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Monday, August 26, 2002 8:39 AM
Subject: Re: [fw-wiz] VPN concentrators
I don't agree. Putting authenticated and authorized traffic through a firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an extension of your network--it is as trusted as any traffic internal to your network--perhaps more, as it can be completely accounted for--remember that every packet has a confirmed sip, dip, and payload.

Here is the current best thinking, to my knowledge:

                ds3 to internet
                       |
                       |
                ---------------
                Bastion Router|
                ---------------
                   |      |
                   |       \
                firewall    \
                   |     vpn engine
                   |          |
                ==================
                internal network |
                ==================

--
--Patrick Darden   Internetworking Manager
--706.475.3312     darden () armc org
--Athens Regional Medical Center

On Mon, 26 Aug 2002 scouser () paradise net nz wrote:

Off topic slightly, sorry. Current best thinking is to terminate VPN tunnels inside an external firewall on a DMZ, then traffic can be passed back through this or another firewall before entering the internal network.

Complexity can lead to vulnerabilities, so what are people's thoughts on termination of VPN tunnels on the firewall itself? What are the pros and cons as you see them?

Thanks in advance,
James

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
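Harroff's point above is that traffic arriving through an authenticated IPsec tunnel is still worth filtering and logging once it has been decrypted, on a firewall placed behind the VPN engine. The following is an added example (not code from the thread or from any of the participants) of what that post-VPN filter can do with the one thing the VPN gives it for free, the confirmed peer identity: it pins each peer to its assigned inner address range and to a short list of internal services, and logs everything else. Peer names, address ranges and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed per-peer policy: each IPsec peer is allowed a fixed inner source
# range and a fixed set of (internal host, port) destinations after decryption.
PEER_POLICY = {
    "branch-office": {"inner_src": "10.20.0.0/16",
                      "allowed": {("10.1.0.10", 443), ("10.1.0.20", 1433)}},
    "road-warrior":  {"inner_src": "10.30.0.0/24",
                      "allowed": {("10.1.0.10", 443)}},
}


@dataclass
class DecryptedPacket:
    peer: str    # identity of the IPsec SA the packet was decrypted from
    src: str     # inner source IP (the "confirmed sip")
    dst: str     # inner destination IP
    dport: int   # inner destination port


def evaluate(pkt):
    """Verdict for one decrypted packet as seen by the firewall behind the VPN engine."""
    policy = PEER_POLICY.get(pkt.peer)
    if policy is None:
        return "drop", "unknown peer"
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(policy["inner_src"]):
        # Authenticated peer, but the inner address is not one it was assigned:
        # misrouting or a compromised remote host trying to spoof another site.
        return "drop", "inner source outside peer's assigned range"
    if (pkt.dst, pkt.dport) not in policy["allowed"]:
        return "drop", "destination not permitted for this peer"
    return "accept", "ok"


def filter_log(packets):
    """Apply the policy to a batch of packets and return one log line per packet."""
    log = []
    for p in packets:
        verdict, why = evaluate(p)
        log.append(f"{verdict.upper()} peer={p.peer} {p.src}->{p.dst}:{p.dport} ({why})")
    return log
```

The same split (peer identity from the VPN device, destination policy on the firewall) is what a DMZ-terminated design gives you and what terminating on the firewall itself has to reproduce internally.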