Firewall Wizards mailing list archives
RE: VPN concentrators
From: Crispin Harris <Harris_C () DeMorgan com au>
Date: Tue, 27 Aug 2002 12:39:20 +1000
-----Original Message-----
From: Ofir Arkin [mailto:ofir () sys-security com]

No one even looked at a number of other critical questions:
- Is this a Device/Client to Device VPN or both?
- What information needs to go through that VPN?
- Who uses the VPN? Trusted entity? Your grandmother?
- What is that trusted entity's security?
- Can we trust it? (of course not)
The primary thing here is in determining the type of the VPN (Fixed/Roaming, Office/Home, Company/Partner/Telecommuter/Other etc...). These questions will determine the level of paranoia involved in the filtering of the affected traffic: how strong a firewall do I need, Static/Stateful Filters, Proxies, content inspection....
- What is the client software used (shame on you all not mentioning that)
- IPSEC - there are a number of issues here to remind you all.
- Management
- Access Controls
- Number of users using the VPN
- Availability issues
- Etc.
Then looking at the attributes of the traffic flowing over the VPN. Another aspect of this is that it is necessary to determine the capabilities of the VPN concentrator - not all VPN devices are capable of inspecting and controlling traffic. (exactly...)
By the way - a VPN is not a firewall... The encrypted traffic hitting the VPN must be validated after decryption is performed... This is the reason why, sometimes, a VPN+Firewall in one box (e.g. checkpoint) will be a good solution, or a firewall-VPN-firewall "sandwich" will be also used.
Just my 2c.
Ditto (and agreeing...)