Firewall Wizards mailing list archives
Re: Integrated VPN/FW Paranoia
From: Kevin <kkadow () gmail com>
Date: Mon, 22 May 2006 18:15:30 -0500
On 5/22/06, Cary, Kim <Kim.Cary () pepperdine edu> wrote:
> Well, for months I've been saying: "When you get the VPN, we'll put it on its own subnet/vlan behind the firewall." Now, I can see the administrative pressure coming to use the VPN device (ASA5520) as the firewall and the VPN. Value engineering, IMO.
This, IMHO, is what Cisco wants you to deploy. Not that it is a bad approach, just lacking defense-in-depth.
> If we have to 'restart' the VPN for some reason, I don't want to restart the firewall
Nor vice-versa. In my environment we have different teams handling routing (including site-to-site VPN) and security (including end-user VPN). And it's a toss-up into which camp a Cisco "firewall blade" or ASA device would fall, so we have political reasons for distinct hardware for each function.
> Would you put an integrated device in front of your class B network and expect it to both protect (fw) and serve (vpn)?
I wouldn't -- unless budget is the prime (sole) driving force. Generally what I've deployed is a (stateful, if money permits) packet filter on the outermost edge, with a dedicated VPN tunnel-terminator device (VAM, etc) behind the first layer of filtering. An interface on the VPN device connects into a "real" firewall where traffic from VPN, vendors, and other foreign networks is inspected.

Kevin