Firewall Wizards mailing list archives

RE: VPN endpoints


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Wed, 25 Aug 2004 10:49:05 -0400

The placement isn't as important as planning access controls for remote
users accessing the internal network.  I'm sure that any auditor that
might look at this would feel better if the firewall sat between the
inside network and the VPN device.  But, some VPN devices support
granular access controls on decrypted packets that make a separate
firewall redundant, possibly unnecessary.  Of course, if the product you
have selected is not capable of doing that, or if you'd simply prefer to
use the firewall (for performance, logging/monitoring, or staff
utilization issues), then it makes sense to put the firewall between the
VPN device and the inside network.

PaulM

-----Original Message-----
We are planning to put a VPN endpoint at our site for remote access.  We know nothing about the remote client computers, we just provide an authentication mechanism for the users.  The question concerns where we put the VPN endpoint on our network.

I figure it this way: 2 VPN device interfaces, either of which can go outside the firewall, on a DMZ, or inside the firewall.  That gives us 9 possible arrangements, some of which are ridiculous, but fun to consider.  We came down to two configurations.

One approach is putting the internal interface on a DMZ.  The other approach is to have the VPN bypass the firewall entirely.  I am looking for advice on which approach is better, and reasons why.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
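The point Paul makes above is that what matters is the access control applied to decrypted remote-user traffic, whether the VPN device or a firewall behind it enforces it. The following is an added example, not code from either poster or from any VPN product: it models the "firewall between the VPN device and the inside network" design as a default-deny allow-list, evaluates a few constructed flows against it, and renders the same policy as an nftables ruleset. The client pool, inside subnet, hosts, services and the interface names vpn0/lan0 are all assumptions made for the example.

```python
"""Allow-list for decrypted VPN traffic entering the inside network.

Constructed example: addresses, hosts, services and interface names are
assumptions, not values from the thread or from any real network.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: the pool handed to remote clients and the inside network.
VPN_CLIENT_POOL = ipaddress.ip_network("10.99.0.0/24")
INSIDE_NET = ipaddress.ip_network("10.10.0.0/16")


@dataclass(frozen=True)
class Rule:
    dst: ipaddress.IPv4Network   # internal host or subnet the clients may reach
    proto: str                   # "tcp" or "udp"
    port: int
    comment: str


# Remote users get exactly these internal services; everything else is dropped.
ALLOW = [
    Rule(ipaddress.ip_network("10.10.1.10/32"), "tcp", 443, "intranet web"),
    Rule(ipaddress.ip_network("10.10.1.20/32"), "tcp", 3389, "terminal server"),
    Rule(ipaddress.ip_network("10.10.1.53/32"), "udp", 53, "internal DNS"),
]


def evaluate(src: str, dst: str, proto: str, port: int):
    """Return ("accept" | "drop", reason) for one decrypted flow from the VPN segment."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in VPN_CLIENT_POOL:
        # Anything on the VPN segment not sourced from the client pool is spoofed
        # or misrouted; the firewall should log it rather than trust the VPN device.
        return "drop", "source is not a VPN client address"
    if d not in INSIDE_NET:
        return "drop", "destination is not on the inside network"
    for r in ALLOW:
        if d in r.dst and proto == r.proto and port == r.port:
            return "accept", r.comment
    return "drop", "no allow-list match (default deny, logged)"


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain.

    Assumes a Linux firewall with vpn0 facing the VPN device's inside
    interface and lan0 facing the internal network.
    """
    lines = [
        "table inet vpnfw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "vpn0" ip saddr != {VPN_CLIENT_POOL} log prefix "vpn-spoof " drop',
    ]
    for r in ALLOW:
        lines.append(
            f'    iifname "vpn0" oifname "lan0" ip saddr {VPN_CLIENT_POOL} '
            f'ip daddr {r.dst} {r.proto} dport {r.port} accept comment "{r.comment}"'
        )
    lines += [
        '    iifname "vpn0" log prefix "vpn-deny " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a legitimate intranet request, an attempt to reach
    # a file server that is not on the allow-list, and a packet not from the pool.
    samples = [
        ("10.99.0.5", "10.10.1.10", "tcp", 443),
        ("10.99.0.5", "10.10.2.7", "tcp", 445),
        ("192.168.1.9", "10.10.1.10", "tcp", 443),
    ]
    for flow in samples:
        print(flow, evaluate(*flow))
    print(render_nftables())
```

The logging on both drop rules is what gives the firewall an advantage over a VPN device that merely filters: every denied flow from a remote user shows up with a searchable prefix, which is the "logging/monitoring" argument for keeping the firewall in the path.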
