Firewall Wizards mailing list archives

Re: Eggs in one basket (VPN in Firewall, UTM)


From: Boozy Walker <boozywalker () dsl pipex com>
Date: Wed, 19 Dec 2007 15:18:24 +0000

Hi Bill,

It all depends on how much VPN traffic you have, I suppose.  If you are
pushing huge amounts of encrypted traffic between sites then yes, a
dedicated VPN device would make sense, but if you are only talking a few
connected sites and what I would class as "normal" amounts of encrypted
traffic then utilising your firewall's VPN functionality would be OK.
Most firewalls these days have VPN capabilities but I wouldn't class them as
UTMs - UTMs tend to be the "cheaper" (or cost-efficient) boxes that do
Anti-Spam, Malware, AV, Content checking and so on.  I've never been a fan
of these as they tend to promise much yet in reality deliver little (e.g.
limited functionality or degraded performance when you enable all of the
features).

IMHO, I would prefer to have distributed services that are designed to do
the job you want.  I have been using StoneGate fw/vpn appliances (from
Stonesoft) for a couple of years now and to be honest I couldn't think of
using anything else.  They allow me to have multiple ISP connections (all
used at the same time) to load balance traffic and even load balanced vpn
connections between all my sites which obviously helps with performance and
resilience.  For my mobile users they now have an SSL product (separate box,
but I prefer this) which allows me to provide client-less access from any
platform.  The nice thing about this setup though is that although the fw/vpn and
SSL boxes are physically separate, the management, logs and reporting tool
is centralised so I can manage everything from one place (which I suppose
could be classed as UTM...???)

As for controlling access (partners and vendors), I use the SSL device as
this lets me publish applications based upon the authenticating user.  That
way they only get access to what I allow them to see.

Rgds

Brian Walker

Bill Stout-2 wrote:

> Hello all,
>
> I'm evaluating an existing VPN infrastructure, and am looking at
> replacement options that can support IPSEC and SSL.
>
> Currently VPN appliances are used for site-site and remote access. One of
> the options is to make use of the VPN capabilities of existing (SYN/ACK
> semantic type) firewalls.
>
> What is the current opinion of adding more services to a firewall vs.
> deploying standalone VPN appliances?
>
> Also, what is the current best practice as far as controlling who can get
> to what via the VPN? (e.g. contractors, vendors)
>
> Thanks,
>
> Bill Stout

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
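The access model Brian describes for partners and vendors (the SSL gateway publishes applications per authenticating user, so a vendor sees and reaches only what has been published to them) can be sketched as a default-deny policy check. The following is an added illustration written for this archive page; it is not code or configuration from the thread, from Bill, or from any StoneGate/Stonesoft product, and the users, groups, application names and backends in it are constructed sample data. Note that requests are made against published application names, never against raw host:port targets, which is what distinguishes this from handing a contractor an IPsec tunnel onto the network:

```python
"""Per-user application publishing with default deny.

Added example for the firewall-wizards thread above; not vendor code.
Identities, groups, applications and backends are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    username: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class PublishedApp:
    name: str
    backend: str                  # host:port the gateway proxies to (hypothetical)
    allowed_groups: FrozenSet[str]


# Constructed directory: who can authenticate to the gateway and their groups.
DIRECTORY: Dict[str, Identity] = {
    "alice":   Identity("alice",   frozenset({"staff", "finance"})),
    "bob":     Identity("bob",     frozenset({"staff"})),
    "acme-hv": Identity("acme-hv", frozenset({"vendor-hvac"})),      # HVAC vendor
    "ctr-jo":  Identity("ctr-jo",  frozenset({"contractor-dev"})),   # contractor
}

# Constructed catalogue: only applications listed here are reachable at all.
CATALOGUE: Dict[str, PublishedApp] = {
    "intranet": PublishedApp("intranet", "intranet.internal:443", frozenset({"staff"})),
    "erp":      PublishedApp("erp",      "erp.internal:8443",     frozenset({"finance"})),
    "bms":      PublishedApp("bms",      "bms.internal:443",      frozenset({"vendor-hvac", "staff"})),
    "git":      PublishedApp("git",      "git.internal:22",       frozenset({"contractor-dev", "staff"})),
}


def visible_apps(username: str) -> List[str]:
    """Applications the portal should list for this user: what they are allowed to see."""
    ident = DIRECTORY.get(username)
    if ident is None:
        return []
    return sorted(a.name for a in CATALOGUE.values() if ident.groups & a.allowed_groups)


def authorize(username: str, app: str) -> Tuple[bool, str]:
    """Default-deny decision for one request.

    Returns (allowed, backend) on success or (False, reason) otherwise.
    A request naming a host/port instead of a published application is
    refused before any group check, so there is no network-level reach.
    """
    ident = DIRECTORY.get(username)
    if ident is None:
        return False, "unknown user"
    published = CATALOGUE.get(app)
    if published is None:
        return False, "not a published application"
    if not (ident.groups & published.allowed_groups):
        return False, "user not in an allowed group"
    return True, published.backend


if __name__ == "__main__":
    for user in DIRECTORY:
        print(f"{user:8s} sees {visible_apps(user)}")
    for user, app in [("acme-hv", "bms"), ("acme-hv", "erp"), ("acme-hv", "erp.internal:8443")]:
        print(f"{user} -> {app}: {authorize(user, app)}")
```

The two checks in `authorize` are deliberately separate: an application that is not published is refused regardless of who asks, and a published one is still refused unless the authenticated user holds a group it was published to. Adding a vendor therefore means adding one directory entry and publishing one application, not opening a subnet.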
