Re: VPN concentrators

[scouser () paradise net nz]

The redundancy is provided by an identical set up at a separate location
(geographically) with its own internet feed
etc..
Basically we would fail over the external route using bgp and the external route
using a load balancing switch (not
pictured in the diagram to keep it simple, between inside network and the
firewall) which would fail over a route using
OSPF or similar.

Do not have this working, but have used a similar desing ( for redundancy) for
other projects.
It is slightly more complicated than that as I would also have an additional DMZ
for mail and web cache servers etc..
but the questions were focused on the VPN which is the part I have not done before)

regards
james

Quoting Patrick Darden <darden () armc org>:

> So, you have traffic coming thru your bastion router, hitting your
> firewall, and if vpn traffic then routed to the vpn engine, then routed
> back to the firewall on another interface, then into your internal
> network. Have you made this work? Where is your second vpn switch for
> redundancy and failover? How does vrrp/whatever work? Frankly, it looks
> unwieldy--but you can't argue with success. I'd be interested in more
> details.
>
> --
> --Patrick Darden Internetworking Manager 
> -- 706.475.3312 darden () armc org
> -- Athens Regional Medical Center
>
>
> On Tue, 27 Aug 2002 scouser () paradise net nz wrote:
>
> > Actually I was thinking more along these lines.(trying to keep the box
> count
> > down, to reduce management overhead)
> >
> > Internet connection
> > |
> > -----|-----
> > bastionrouter
> > -------------
> > | 
> > firewall ---- vpn engine
> > | |___________| 
> > | 
> > | 
> > |
> > |
> > --------------------
> > internal network
> >
> >
> > I do not trust incoming traffic. I do not trust the X hundred VPN
> users to
> > secure there endpoints from trojans, malware etc... So I want to be
> able to
> > inspect and filter traffic after it leaves the tunnel and before it
> enters my
> > network.
> > It is also nice to beable to inspect the traffic more than once, ie
> run some
> > NIDS on the traffic (before it has entered the network).
> > I have yet to find a single product that does both to a satisfactory
> level of
> > assurance.
> >
> > James
> > Quoting Patrick Darden <darden () armc org>:
> >
> > > I think the original poster's idea was (just to be clear):
> > >
> > > ds3
> > > |
> > > -----|-----
> > > bastionrouter
> > > -------------
> > > | |
> > > firewall vpn engine
> > > | |
> > > | |
> > > | firewall
> > > | |
> > > | |
> > > -----------------------
> > > internal network
> > >
> > >
> > > In my original diagram, DOS attacks would be filtered at the
> bastion
> > > router. In this diagram, after the vpn engine receives and verifies
> and
> > > confirms packets, then they are routed through a firewall....
> Redundant
> > > and useless. Let's say it is a top of the line content-inspecting,
> > > state-keeping, packet filtering firewall--how is that better than
> the
> > > vpn
> > > engine which does all of this and more? The vpn engine verifies and
> > > confirms and filters based on the sip, dip, state, and packet
> contents;
> > > and can do this on a per-user or per-group basis, thus giving
> different
> > > users different "levels" of access.
> > >
> > > Having this extra firewall is not useful.
> > >
> > > --
> > > --Patrick Darden Internetworking Manager 
> > > -- 706.475.3312 darden () armc org
> > > -- Athens Regional Medical Center
> > >
> > >
> > > On Mon, 26 Aug 2002, m p wrote:
> > >
> > > > --- Patrick Darden <darden () armc org> schrieb: > 
> > > > > I don't agree. Putting authenticated and authorized traffic
> through
> > > a
> > > > > firewall is redundant. IPSEC traffic is trusted traffic. A VPN
> is
> > > an
> > > > > extension of your network--it is as trusted as any traffic
> internal
> > > to
> > > > > your network--perhaps more, as it can be completely accounted
> > > > > for--remember that every packet has a confirmed sip, dip, and
> > > payload.
> > > > >
> > > >
> > > > I beg to differ.
> > > >
> > > > He talked about VPN - not authorized and authenticated traffic
> from a
> > > > source he can trust 100%.
> > > >
> > > > Traffic via a VPN can be from different sources with different
> levels
> > > > of trust. It can be a company or an employee or a branch office.
> That
> > > > are 3 classes of different trustworthy. Perhaps there are more.
> > > >
> > > > There were some DoS-attacks against the Windows IPSEC
> implementation
> > > > last year. There too was a DoS attack against some open source
> IPSEC
> > > > implementation. If you can limit the addresses that connect to
> the
> > > > termination point of your VPN it may be worth the additional layer
> of
> > > > security.
> > > >
> > > > To make sure each person that logins / operate via the VPN is
> only
> > > > allowed to see what he/she/it should see there should be a
> firewall
> > > > behind the termination point of the VPN.
> > > >
> > > > Yes, traffic via VPN should be the same as normal "in-house"
> traffic.
> > > > But the connection begin can be a problem - and if traffic via VPN
> is
> > > > not "in-house" traffic. If you firewall the RAS users in your
> company
> > > > you should too firewall the VPN users.
> > > >
> > > > Just my 2 euro cent
> > > >
> > > > Marc
> __________________________________________________________________
> > > > Gesendet von Yahoo! Mail - http://mail.yahoo.de
> > > > Möchten Sie mit einem Gruß antworten? http://grusskarten.yahoo.de
> > >
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () honor icsalabs com
> > > http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards
>
>  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards