Firewall Wizards mailing list archives

Re: Placement of a VPN Appliance


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 4 Jan 2001 21:41:55 -0500 (EST)

On Thu, 4 Jan 2001 dharris () kcp com wrote:


> So...
>
> What have you done to ensure that the system(s) on the other end of the VPN
> are obeying your security policy?  The way I see it, if you land the VPN on
> your protected network then you must have some assurance that both ends of
> your VPN are on networks with compatible security policies.  At the least
> you would want to be sure that the security policies at both ends are at or
> above a minimum required level.
>
> Think of your site as having a security perimeter (or several perimeters),
> with policies enforced by a combination of physical, electronic, and
> administrative controls.  When you land the VPN inside one of those
> security perimeters then you have logically defined the security perimeter
> to include whatever is on the other end of the VPN.  If the policies or
> their enforcement is weaker at the other end of the VPN then you have
> effectively decreased the security of your site because your actual
> perimeter now has less-defended areas.


I get confused at this point.  As long as the VPN traffic is allowed into
your network, no matter the endpoint, in front of or behind the FW, of the
device, are you not at the same risk?

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

