Firewall Wizards mailing list archives

network design problem with FW-1


From: Bret Watson <lists () ticm com>
Date: Fri, 17 May 2002 10:05:04 +0800

Hi All,
got an interesting design problem. Gut instinct says it should work, but Checkpoint assures me it won't - I'd like a second opinion :}...

OK, there is a branch office that is connected back to the head office via an un-partitioned WAN (i.e. the WAN is directly connected to the HQ LAN and the branch office LAN). The branch office is also connected to the internet. The IT dept want to enable a VPN tunnel from the branch office to the HQ over the internet because the bandwidth is cheaper. But they want to keep the WAN connection for redundancy. Security wants to partition the WAN at the branch office end, because this particular branch office is prone to doing insecure things without telling anyone - the branch office is a 13 hour flight away so it's not so easy to find out...

So this is what the branch office FW would look like:

                     VPN via Internet to HQ
                              |
           WAN to HQ ---------FW
                              |
                      Branch Office LAN

BUT - FW-1 does not seem to be able to have a rule for the VPN tunnel at the same time as a rule for the office LAN to the HQ connection. Apparently the reason is that both src & dst entries will be the same and FW-1 cannot differentiate between the two. Since the VPN side needs to have "Encrypt" on the rule, it all falls down...

Any advice?


Thanks,

Bret
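As an added illustration (not part of Bret's post, and not Check Point FW-1 code or rule syntax), the following models the collision described above: in a first-match rule base keyed only on source and destination, the "Encrypt" rule and the plain "Accept" rule for Branch LAN -> HQ LAN have identical match keys, so whichever comes first shadows the other. It then shows the general fix the thread is circling around: making the egress path (the interface the routing decision selected) part of the match key. Whether a given FW-1 release can express that is not claimed here; the networks, interface names and rule actions are assumptions.

```python
"""Constructed example: identical src/dst rules collide under first-match.

Everything below (networks, interface names, rule actions) is assumed for
illustration; it does not reproduce Check Point FW-1 internals or syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

BRANCH_LAN = ip_network("10.20.0.0/24")   # assumed branch office LAN
HQ_LAN = ip_network("10.10.0.0/16")       # assumed head office LAN


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str                    # "encrypt" (VPN) or "accept" (clear over WAN)
    egress: Optional[str] = None   # interface the packet will leave on; None = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    egress: str   # interface chosen by the routing table before policy lookup


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (rule index, action) of the first rule matching pkt, or (None, 'drop')."""
    for i, r in enumerate(rules):
        if (ip_address(pkt.src) in r.src and ip_address(pkt.dst) in r.dst
                and (r.egress is None or r.egress == pkt.egress)):
            return i, r.action
    return None, "drop"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire: an earlier rule covers all their traffic."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            covers_nets = later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            covers_path = earlier.egress is None or earlier.egress == later.egress
            if covers_nets and covers_path:
                shadowed.append(j)
                break
    return shadowed


# The rule base as described in the post: both rules have identical src and dst.
NAIVE_RULES = [
    Rule(BRANCH_LAN, HQ_LAN, "encrypt"),   # meant for the VPN over the Internet
    Rule(BRANCH_LAN, HQ_LAN, "accept"),    # meant for the private WAN link
]

# Same two paths, but the egress interface is part of the match key (assumed names).
PATH_AWARE_RULES = [
    Rule(BRANCH_LAN, HQ_LAN, "encrypt", egress="eth1"),   # Internet-facing interface
    Rule(BRANCH_LAN, HQ_LAN, "accept", egress="wan0"),    # private WAN interface
]

# Two constructed packets, same src/dst, differing only in the path routing chose.
VIA_WAN = Packet("10.20.0.5", "10.10.1.1", "wan0")
VIA_INTERNET = Packet("10.20.0.5", "10.10.1.1", "eth1")


def decisions(rules: List[Rule]) -> dict:
    """Policy decision for each constructed packet under the given rule base."""
    return {"via_wan": first_match(rules, VIA_WAN),
            "via_internet": first_match(rules, VIA_INTERNET)}


if __name__ == "__main__":
    print("naive:", decisions(NAIVE_RULES), "shadowed:", shadowed_rules(NAIVE_RULES))
    print("path-aware:", decisions(PATH_AWARE_RULES), "shadowed:", shadowed_rules(PATH_AWARE_RULES))
```

With the naive rule base every Branch -> HQ packet hits rule 0 regardless of which link it is about to leave on, so the WAN traffic would be forced into the Encrypt rule and rule 1 is dead; reversing the order would instead send the Internet-bound traffic in the clear. Only once the egress path is part of the match does each packet reach the rule intended for it.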


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards