RE: vpn end-point

[Dave Piscitello <dave () corecom com>]

This begs a question in and of itself:

How many folks know what order their firewall processes policy:

- firewall first, vpn 2nd
- vpn first, firewall 2nd
- "simultaneously" (gratuitous marketing answer)

Joel Snyder has written something about this in some IPsec analyses he did 
for Network World. He calls it the Big V little f vs. Big F little v 
phenomenon.

At 11:48 AM 3/19/2004 -0500, Frederick M Avolio wrote:
> At 08:40 AM 3/19/2004 -0500, Dave Piscitello wrote:
> > I am surprised no one mentioned that terminating VPN at the firewall lets 
> > you distinguish VPN traffic from all other traffic routed through the 
> > firewall (without topological or addressing finagling), and protects VPN 
> > traffic to the security policy enforcement point, e.g., across the "DMZ" 
> > you have between the router and firewall (unless the router-firewall link 
> > is a crossover cable, it's a network, and I've seen people throw IDS/IPS, 
> > performance analysis devices, and gee, how about a web server there - and 
> > that's only the list of systems they learn about).
>
> Which begs the question: How many of you with firewall/VPN combinations 
> can and do configure the VPN to functionally terminate before the firewall?
>
> Some firewall/VPN boxes assume no firewalling for VPN connections. IE, if 
> you are authenticated, you are in.
>
>
> f


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards