Firewall Wizards mailing list archives

RE: VPN concentrators


From: "Ofir Arkin" <ofir () sys-security com>
Date: Mon, 26 Aug 2002 16:47:46 +0100

All,

No one even looked at a number of other critical questions:

- Is this a Device to Device VPN?
- Is this a Client to Device VPN?
- Both?
- What information needs to go through that VPN?
- Who uses the VPN? Trusted entity? Your grandmother?
- What is that trusted entity's security?
- Can we trust it? (of course not)
- What is the client software used (shame on you all not mentioning that :P)
- IPSEC - there are a number of issues here to remind you all.
- Management
- Access Controls
- Number of users using the VPN
- Availability issues 
- Etc.

People should look at the bigger picture and not at the box. 
The bigger picture then will tell us what boxes you can, or cannot use.

By the way - a VPN is not a firewall...
The encrypted traffic hitting the VPN must be validated after decryption is performed... This is the reason why, sometimes, a VPN+Firewall in one box (e.g. Check Point) will be a good solution, or a firewall-VPN-firewall "sandwich" will also be used.


Just my 2c.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA  

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Patrick Darden
Sent: 26 August 2002 15:52
To: Dave Piscitello
Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN concentrators


Actually, what you describe is only slightly different from what I
describe.  I can't really think of any differences, except that yours
may cost less but possibly provide less performance....

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Mon, 26 Aug 2002, Dave Piscitello wrote:

Goes to show you that "best thinking" is subjective.

Firewall appliances with crypto acceleration for IPsec and an optional/DMZ
port satisfy most site requirements without all the extra hardware,
addressing/subnetting, and routing issues (how you return IPsec traffic
when you have FW and VPN appliance in parallel isn't a simple "default
gateway is the firewall" config on the internal network). You also don't
have to manage policy across multiple systems with multiple UIs, and you
don't have to deal with multiple sources of logging and reporting of
policy violations.

I'm happy with this arrangement.

At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:
Here is the current best thinking, to my knowledge:

     ds3 to internet
      |
      |
---------------
Bastion Router|
---------------
   |     |
   |      \
firewall   \
   |       vpn engine
   |           |
==================
internal network |
==================


David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
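Dave's remark above about returning IPsec traffic when the firewall and VPN engine sit in parallel on the internal network, as an added example that is not from this thread: a small Python model of an internal host's routing table, showing that with only a "default gateway is the firewall" route a reply to a remote VPN client is handed to the firewall (which holds no tunnel to that client), and that a route for the VPN client address pool via the VPN engine restores a symmetric path. All addresses are constructed for the example.

```python
"""Model of the reply-path problem with firewall and VPN engine in parallel.

Constructed example: the addresses below are made up and are not from
the mailing-list thread.
"""
import ipaddress

# Internal-side addresses of the two parallel boxes (assumed values).
FIREWALL_GW = "10.0.0.1"
VPN_ENGINE_GW = "10.0.0.2"
# Address pool handed out to remote IPsec clients (assumed value).
VPN_CLIENT_POOL = "172.16.50.0/24"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; returns the gateway."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


# Internal host with nothing but a default route pointing at the firewall.
NAIVE_ROUTES = [("0.0.0.0/0", FIREWALL_GW)]

# Same host with an added route for the VPN client pool via the VPN engine.
FIXED_ROUTES = NAIVE_ROUTES + [(VPN_CLIENT_POOL, VPN_ENGINE_GW)]


def reply_is_symmetric(routes, vpn_client):
    """True if a reply to a VPN client leaves via the VPN engine, i.e. the box
    that decrypted the request and holds the security association for it."""
    return next_hop(routes, vpn_client) == VPN_ENGINE_GW


if __name__ == "__main__":
    client = "172.16.50.23"  # constructed address of one remote VPN client
    for name, table in (("naive", NAIVE_ROUTES), ("fixed", FIXED_ROUTES)):
        print(name, "->", next_hop(table, client), "symmetric:", reply_is_symmetric(table, client))
```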


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


Current thread: