Firewall Wizards mailing list archives

RE: VPN concentrators


From: "Schouten, Diederik (Diederik)" <dschout () lucent com>
Date: Fri, 30 Aug 2002 16:02:05 +0200

                    DMZ
                     |
                     +--(ids)
                     |
inet=====rtr---+--firewall---internal
        [+vpn] |
               |
             (ids)

 
Just a comment, you probably thought of it anyway.

A spoofing check on the router is now quite important.
Otherwise someone could force packets from the internet into your VPN, depending
on a bridging or routed setup, by just bouncing the packets off the firewall, or
directly within the router.

Also, ok, worst case scenario, but still required to think about... if your
VPN service on the router fails, will the rtr keep passing the traffic from
your internal LAN to the remote location?
So that your normally "secure" traffic goes in the open?
Or will it block the traffic that normally should have gone into the VPN?

When using private addresses this might not look like a problem, depending
on where the traffic gets dropped.

How many interfaces does your firewall have?
Can't you terminate the VPN through the firewall on a different leg?
Ok, it would require another device, but it seems more controllable.


                    DMZ
                     |
                     +--(ids)
                     |
inet=====rtr---+--firewall---internal
               |     |
               |     |
             (ids)  VPN

Since you probably want a cost-saving solution (since you technically
terminate your VPN in an insecure location), I would prefer a [firewall+VPN]
device though.

Greetings,

        Diederik
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
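The two router-side checks raised in the post above (an ingress anti-spoofing check, and fail-closed behaviour when the VPN on the router dies) modelled on constructed packets. This is an added example, not code from the post or the list; the prefixes, interface names and packets are assumed sample values.

```python
"""Added example (not from the original post): a minimal model of the two
router checks discussed above, run on constructed packets.

1. Ingress anti-spoofing: a packet arriving from the internet that claims a
   source address in the internal LAN or the VPN peer's LAN is dropped before
   it can reach the VPN or be bounced back via the firewall.
2. Fail-closed on VPN outage: traffic for the remote LAN is dropped, not
   forwarded in the clear, when the tunnel is down.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_LAN = ip_network("10.1.0.0/16")   # behind the firewall (assumed)
REMOTE_LAN = ip_network("10.2.0.0/16")     # far end of the VPN (assumed)
PROTECTED = [INTERNAL_LAN, REMOTE_LAN]     # never valid as an internet source


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "inet" or "lan"
    src: str
    dst: str


def ingress_spoof_check(pkt: Packet) -> str:
    """Drop internet-side packets whose source claims a protected prefix."""
    src = ip_address(pkt.src)
    if pkt.iface == "inet" and any(src in net for net in PROTECTED):
        return "drop: spoofed source on internet interface"
    return "pass"


def forward(pkt: Packet, vpn_up: bool) -> str:
    """Decide what the router does with a packet, given the tunnel state."""
    verdict = ingress_spoof_check(pkt)
    if verdict != "pass":
        return verdict
    if ip_address(pkt.dst) in REMOTE_LAN:
        if vpn_up:
            return "encrypt: send via VPN tunnel"
        # Fail closed: traffic meant for the tunnel must not leak in cleartext.
        return "drop: VPN down, refusing to forward in the clear"
    return "route: plain forwarding"
```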
