Firewall Wizards mailing list archives
RE: VPN concentrators
From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 26 Aug 2002 16:47:46 +0100
All, No one even looked at a number of other critical questions: - Is this a Device to Device VPN? - Is this a Client to Device VPN? - Both? - What information needs to go through that VPN? - Who uses the VPN? Trusted entity? Your grand mother? - What is that trusted entity's security? - Can we trust it? (of course not) - What is the client software used (shame on you all not mentioning that :P) - IPSEC - there are a number of issues here to remind you all. - Management - Access Controls - Number of users using the VPN - Availability issues - Etc. People should look at the bigger picture and not at the box. The bigger pictures than will tell us what boxes you can, or cannot use. By the way - a VPN is not a firewall... The encrypted traffic hitting the VPN must be validated after decryption is performed... This is the reason why, sometimes, a VPN+Firewall in one box (e.g. checkpoint) will be a good solution, or a firewall-VPN-firewall "sandwich" will be also used. Just my 2c. Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Patrick Darden Sent: 26 August 2002 15:52 To: Dave Piscitello Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] VPN concentrators Actually, what you describe is only slightly different from what I describe. I can't really think of any differences, except that yours may cost less but possibly provide less performance.... -- --Patrick Darden Internetworking Manager -- 706.475.3312 darden () armc org -- Athens Regional Medical Center On Mon, 26 Aug 2002, Dave Piscitello wrote:
Goes to show you that "best thinking" is subjective. Firewall appliances with crypto acceleration for IPsec and an
optional/DMZ
port satisfy most site requirements without all the extra hardware, addressing/subnetting, and routing issues (how you return IPsec
traffic
when you have FW and VPN appliance in parallel isn't a simple "default
gateway is the firewall" config on the internal network). You also
don't
have to manage policy across multiple systems with multiple UIs, and
you
don't have to deal with multiple sources of logging and reporting of
policy
violations. I'm happy with this arrangement. At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:Here is the current best thinking, to my knowledge: ds3 to internet | | --------------- Bastion Router| --------------- | | | \ firewall \ | vpn engine | | ================== internal network | ==================David M. Piscitello Core Competence, Inc. & 3 Myrtle Bank Lane Hilton Head, SC 29926 dave () corecom com 843.689.5595 www.corecom.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- RE: VPN concentrators Ofir Arkin (Aug 26)
- RE: VPN concentrators scouser (Aug 26)
- RE: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Patrick Darden (Aug 28)
- RE: VPN concentrators Ben Nagy (Aug 29)