Security Basics mailing list archives
RE: Vpn concentrator - health care client
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 13 Dec 2004 20:34:27 +0100
comments inline
Typically the VPN Concentrator is deployed in parallel with a firewall.
If you use a VPN concentrator, then you should definitely have it in a DMZ.
Opening ports in your firewall should be avoided when possible.
In this case, you have to open UDP 500 and ESP anyway, so you might as well do it right on the firewall. If someone cracks your firewall, it doesn't matter where the VPN concentrator was. If you are not planning on using RADIUS or some other kind of external auth, then you might want a concentrator as well as a firewall. If you are using external auth then it's not too evil to use a firewall for VPN. It's not like you have to open management ports from the outside or anything.
If you are going to use the concentrator anyway, deploy it outside the firewall.
You were right the first time, parallel to the firewall is better.
Alternatively, you could use the 501 to host a VPN. Remote users can establish a VPN connection and connect to the web app. The issue with this is that the remote users will require the Cisco VPN client.
That's no different from a Cisco VPN 3000 in 'normal' mode. I assumed (I know, that's a bad habit) that the original poster wanted to do a VPN with the Cisco client.
There is also the question of trust in remote clients, i.e. do they have antivirus, usage policies, etc. The VPN Concentrator overcomes those issues since it creates a clientless SSL VPN and does not expose the internal network.
Depends on deployment; most people use Cisco VPNs for L2TP/IPSec. The Juniper or CheckPoint devices are better known (in my circles) for SSL-VPN.
Cheers, Chris
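The point above, that a concentrator in a DMZ needs only IKE and ESP opened on the firewall and no management ports from the outside, written out as an added firewall policy. This is not from the thread or from any Cisco configuration; it assumes a Linux netfilter firewall instead of the PIX discussed, and the interface names, addresses, client pool, RADIUS server and web application host are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): minimal netfilter FORWARD policy for a
# VPN concentrator in a DMZ behind the firewall. Only IKE (UDP/500), NAT-T
# (UDP/4500) and ESP reach the concentrator from the Internet; nothing else
# does, so its management ports are never reachable from outside. Interface
# names, addresses and the RADIUS/web-app hosts are assumptions for illustration.
set -eu

WAN=eth0             # Internet-facing interface (assumed)
DMZ=eth1             # DMZ holding the concentrator (assumed)
LAN=eth2             # internal network (assumed)
VPN=203.0.113.10     # concentrator's public address, routed into the DMZ (assumed)
POOL=10.200.0.0/24   # address pool handed to remote VPN clients (assumed)
RADIUS=10.0.0.5      # external auth server on the inside (assumed)
WEBAPP=10.0.0.20     # the web application remote users need (assumed)

# With DRY_RUN set, print each rule instead of applying it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        iptables "$@"
    fi
}

vpn_dmz_rules() {
    # Default deny for transit traffic; everything below is an exception.
    run -P FORWARD DROP
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> concentrator: the IPsec protocols only.
    run -A FORWARD -i "$WAN" -o "$DMZ" -d "$VPN" -p udp --dport 500 -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$DMZ" -d "$VPN" -p udp --dport 4500 -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$DMZ" -d "$VPN" -p esp -j ACCEPT

    # Concentrator -> Internet: replies and rekeys it initiates itself.
    run -A FORWARD -i "$DMZ" -o "$WAN" -s "$VPN" -p udp --sport 500 -j ACCEPT
    run -A FORWARD -i "$DMZ" -o "$WAN" -s "$VPN" -p udp --sport 4500 -j ACCEPT
    run -A FORWARD -i "$DMZ" -o "$WAN" -s "$VPN" -p esp -j ACCEPT

    # Concentrator -> inside: only RADIUS, for external authentication.
    run -A FORWARD -i "$DMZ" -o "$LAN" -s "$VPN" -d "$RADIUS" -p udp --dport 1812 -j ACCEPT

    # Decrypted client traffic -> inside: only the web application, so a
    # compromised remote client cannot roam the internal network.
    run -A FORWARD -i "$DMZ" -o "$LAN" -s "$POOL" -d "$WEBAPP" -p tcp --dport 443 -j ACCEPT

    # Anything aimed at the concentrator's management ports from the Internet
    # is logged before the default policy drops it.
    run -A FORWARD -i "$WAN" -d "$VPN" -p tcp -m multiport --dports 22,80,443 \
        -j LOG --log-prefix "vpn-mgmt-from-outside: "
}

# Apply only when explicitly asked; sourcing the file just defines the policy.
if [ "${1:-}" = "apply" ]; then
    vpn_dmz_rules
fi
```

Run it as `DRY_RUN=1 sh vpn-dmz.sh apply` to review the rule list, and without DRY_RUN (as root) to load it. The two DMZ-to-inside rules are the part worth arguing about in a design review: they are what keeps the concentrator's compromise, or a remote client's, from turning into reach onto the internal network.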
Current thread:
- Vpn concentrator - health care client Kris Wingard (Dec 10)
- Re: Vpn concentrator - health care client lonely wolf (Dec 13)
- Re: Vpn concentrator - health care client Chris Meidinger (Dec 13)
- RE: Vpn concentrator - health care client Shawn Wall (Dec 13)
- <Possible follow-ups>
- RE: Vpn concentrator - health care client Meidinger Chris (Dec 13)
- RE: Vpn concentrator - health care client Michael Pace (Dec 17)