Re: Integrated VPN/FW Paranoia

[Kevin <kkadow () gmail com>]

On 5/22/06, Cary, Kim <Kim.Cary () pepperdine edu> wrote:
> Well, for months I've been saying: "When you get the VPN, we'll put it on
> its own subnet/vlan behind the firewall." Now, I can see the administrative
> pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
> Value engineering, IMO.

This,IMHO, is what Cisco wants you to deploy.
Not that it is a bad approach, just lacking defense-in-depth.


> If we have to 'restart' the VPN for some reason,
> I don't want to restart the firewall

Nor vice-versa.  In my environment we have different teams handling
routing (including site-to-site VPN) and security (including end-user
VPN).  And it's a toss-up into which camp a Cisco "firewall blade" or
ASA device would fall, so we have political reasons for distinct
hardware for each function.


> Would you put an integrated device in front of your class B network and
> expect it to both protect (fw) and serve (vpn)?

I wouldn't -- unless budget is the prime (sole) driving force.

Generally what I've deployed is a (stateful, if money permits) packet
filter on the outermost edge, with a dedicated VPN tunnel-terminator
device (VAM, etc) behind the first layer of filtering.  An interface
on the VPN device connects into a "real" firewall where traffic from
VPN, vendors, and other foreign networks is inspected.

Kevin
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards