Firewall Wizards mailing list archives
RE: vpn end-point
From: "Sloane, David" <DSloane () vfa com>
Date: Thu, 18 Mar 2004 13:39:50 -0500
Shimon,

Assuming the router is outside the firewall (you didn't specify, but it seems most likely), I think there are two considerations:

1. Security posture at the router and firewall
2. VPN encryption/decryption performance of each device

If your router has limited security functions (a few blocked ports, blocked RFC1918 address space), the segment between the router and the firewall is still insecure. In that case, terminating the VPN on the router mixes more-secure, decrypted VPN traffic with less-secure Internet traffic. So you're better off terminating the VPN at the firewall, where the security level of unencrypted traffic at each end is similar.

The second consideration only applies if you are stuck with a firewall which has limited encryption/decryption performance for your environment. If your firewall would be a very slow VPN end-point and your router would be a much faster VPN end-point (an unlikely scenario), then you *might* try terminating the VPN on the router. Even with better performance on the router, you would need to substantially improve the router's security posture for this to make any sense.

Hope that helps.

-David

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Shimon Silberschlag
Sent: March 17, 2004 10:23 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] vpn end-point

Having to design multiple branches to main offices VPN, with the building block on the branch side limited to a router and a firewall, what would be your choice of ending the VPN tunnel, on the router or on the firewall?
Shimon Silberschlag
+972-3-9351572
+972-51-207130

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards