Firewall Wizards mailing list archives
Re: VPN concentrators
From: scouser () paradise net nz
Date: Mon, 02 Sep 2002 16:53:38 +1200 (NZST)
The redundancy is provided by an identical setup at a separate (geographic) location with its own internet feed etc. Basically we would fail over the external route using BGP and the external route using a load balancing switch (not pictured in the diagram to keep it simple, between the inside network and the firewall) which would fail over a route using OSPF or similar. I do not have this working, but have used a similar design (for redundancy) for other projects.

It is slightly more complicated than that, as I would also have an additional DMZ for mail and web cache servers etc., but the questions were focused on the VPN, which is the part I have not done before.

regards
james

Quoting Patrick Darden <darden () armc org>:
So, you have traffic coming thru your bastion router, hitting your firewall, and if it is VPN traffic then routed to the VPN engine, then routed back to the firewall on another interface, then into your internal network. Have you made this work? Where is your second VPN switch for redundancy and failover? How does VRRP/whatever work? Frankly, it looks unwieldy--but you can't argue with success. I'd be interested in more details.

--
--Patrick Darden
Internetworking Manager
706.475.3312
darden () armc org
Athens Regional Medical Center

On Tue, 27 Aug 2002 scouser () paradise net nz wrote:

Actually I was thinking more along these lines (trying to keep the box count down, to reduce management overhead):

      Internet connection
               |
          -----|-----
         bastion router
          -------------
               |
           firewall ---- vpn engine
               |    |___________|
               |
       --------------------
         internal network

I do not trust incoming traffic. I do not trust the X hundred VPN users to secure their endpoints from trojans, malware etc... So I want to be able to inspect and filter traffic after it leaves the tunnel and before it enters my network. It is also nice to be able to inspect the traffic more than once, i.e. run some NIDS on the traffic (before it has entered the network). I have yet to find a single product that does both to a satisfactory level of assurance.

James

Quoting Patrick Darden <darden () armc org>:

I think the original poster's idea was (just to be clear):

              ds3
               |
          -----|-----
         bastion router
          -------------
            |       |
        firewall  vpn engine
            |       |
            |    firewall
            |       |
       -----------------------
          internal network

In my original diagram, DoS attacks would be filtered at the bastion router. In this diagram, after the VPN engine receives and verifies and confirms packets, then they are routed through a firewall.... Redundant and useless. Let's say it is a top of the line content-inspecting, state-keeping, packet filtering firewall--how is that better than the VPN engine which does all of this and more? The VPN engine verifies and confirms and filters based on the sip, dip, state, and packet contents, and can do this on a per-user or per-group basis, thus giving different users different "levels" of access. Having this extra firewall is not useful.

--
--Patrick Darden
Internetworking Manager
706.475.3312
darden () armc org
Athens Regional Medical Center

On Mon, 26 Aug 2002, m p wrote:

--- Patrick Darden <darden () armc org> wrote:

> I don't agree. Putting authenticated and authorized traffic through a firewall is redundant. IPSEC traffic is trusted traffic. A VPN is an extension of your network--it is as trusted as any traffic internal to your network--perhaps more, as it can be completely accounted for--remember that every packet has a confirmed sip, dip, and payload.

I beg to differ. He talked about VPN - not authorized and authenticated traffic from a source he can trust 100%. Traffic via a VPN can be from different sources with different levels of trust. It can be a company or an employee or a branch office. Those are 3 classes of different trustworthiness. Perhaps there are more.

There were some DoS attacks against the Windows IPSEC implementation last year. There too was a DoS attack against some open source IPSEC implementation. If you can limit the addresses that connect to the termination point of your VPN it may be worth the additional layer of security.

To make sure each person that logs in / operates via the VPN is only allowed to see what he/she/it should see, there should be a firewall behind the termination point of the VPN. Yes, traffic via VPN should be the same as normal "in-house" traffic. But the beginning of the connection can be a problem - and if traffic via VPN is not "in-house" traffic. If you firewall the RAS users in your company you should firewall the VPN users too.

Just my 2 euro cent
Marc

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
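As an added illustration of the "filter after it leaves the tunnel" leg that James and Marc argue for (not code from the thread or from any of the posters), the following script emits a reviewable iptables policy for the firewall interface that faces the VPN engine in James's diagram. Interface names, address pools, server addresses and the two permitted services are all assumptions made for the example.

```shell
# Added example, not from the thread: rules for the firewall interface that
# faces the VPN engine, i.e. the hop where traffic is filtered after it has
# left the tunnel and before it reaches the internal network.
# Every interface, pool, server and port below is an assumed value.
VPN_IF="eth2"                  # side facing the VPN engine (already cleartext)
INT_IF="eth1"                  # internal network
EMPLOYEE_POOL="10.10.0.0/24"   # addresses the VPN engine hands to remote employees
BRANCH_NET="10.20.0.0/24"      # branch-office LAN behind a site-to-site tunnel
MAIL_SRV="192.168.1.10"
FILE_SRV="192.168.1.20"

# Print the rules instead of applying them, so the policy can be diffed and
# checked before it is loaded (as root) on the firewall.
vpn_ingress_rules() {
    cat <<EOF
iptables -N VPN_IN
iptables -A FORWARD -i $VPN_IF -o $INT_IF -j VPN_IN
iptables -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# per-group access: remote employees reach IMAPS on the mail server only
iptables -A VPN_IN -s $EMPLOYEE_POOL -d $MAIL_SRV -p tcp --dport 993 -m conntrack --ctstate NEW -j ACCEPT
# per-group access: the branch office reaches SMB on the file server only
iptables -A VPN_IN -s $BRANCH_NET -d $FILE_SRV -p tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
# everything else coming out of the tunnel is logged (rate-limited) and dropped
iptables -A VPN_IN -m limit --limit 10/min -j LOG --log-prefix "VPN_IN drop: "
iptables -A VPN_IN -j DROP
EOF
}

# Checks a reviewer would run on the generated policy: the chain must end in
# a default DROP, and only the intended number of new flows may be opened.
policy_ends_in_drop() {
    [ "$(vpn_ingress_rules | grep '^iptables' | tail -n 1)" = "iptables -A VPN_IN -j DROP" ]
}

allowed_new_flows() {
    vpn_ingress_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Stand-alone run: show the policy and the check results.
vpn_ingress_rules
policy_ends_in_drop && echo "default deny: ok"
echo "new flows permitted: $(allowed_new_flows)"
```

The same VPN_IF leg is where James's NIDS tap belongs, since it is the first point at which the tunnelled traffic is visible in cleartext.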