Firewall Wizards mailing list archives
RE: VPN concentrators
From: scouser () paradise net nz
Date: Tue, 27 Aug 2002 12:02:00 +1200 (NZST)
OK, some but not all answers.

It is for remote users, so it would be Client to Device (initially :P). So users would be employees (totally untrustworthy :P).

Client software would probably depend on the device, as a number of beneficial features can be used if you match the client to the device (personal firewalls, automated upgrading of clients etc...).

Users would be about 250 initially but up to 4000 potentially in the future.

Availability would be an issue but this would be dealt with by the architecture design and would not be dependent on the solution.

Management I would presume would depend on the device, i.e. LSMS for a Brick etc... Central management is an important issue however.

Not sure what you mean by access control? Do you mean to internal resources? If VPN traffic could be split into different network pools then internal NIDS and ACLs could manage this (along with obvious host/resource access controls).

What are these mysterious "IPSEC issues" that we are all aware of (or perhaps not in my case)??

James

Quoting Ofir Arkin <ofir () sys-security com>:

All,

No one even looked at a number of other critical questions:
- Is this a Device to Device VPN?
- Is this a Client to Device VPN?
- Both?
- What information needs to go through that VPN?
- Who uses the VPN? Trusted entity? Your grandmother?
- What is that trusted entity's security?
- Can we trust it? (of course not)
- What is the client software used? (shame on you all for not mentioning that :P)
- IPSEC - there are a number of issues here to remind you all.
- Management
- Access Controls
- Number of users using the VPN
- Availability issues
- Etc.

People should look at the bigger picture and not at the box. The bigger picture will then tell us what boxes you can, or cannot, use.

By the way - a VPN is not a firewall... The encrypted traffic hitting the VPN must be validated after decryption is performed... This is the reason why, sometimes, a VPN+Firewall in one box (e.g. Checkpoint) will be a good solution, or a firewall-VPN-firewall "sandwich" will also be used.

Just my 2c.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Patrick Darden
Sent: 26 August 2002 15:52
To: Dave Piscitello
Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN concentrators

Actually, what you describe is only slightly different from what I describe. I can't really think of any differences, except that yours may cost less but possibly provide less performance....

--
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden () armc org
-- Athens Regional Medical Center

On Mon, 26 Aug 2002, Dave Piscitello wrote:

Goes to show you that "best thinking" is subjective.

Firewall appliances with crypto acceleration for IPsec and an optional/DMZ port satisfy most site requirements without all the extra hardware, addressing/subnetting, and routing issues (how you return IPsec traffic when you have FW and VPN appliance in parallel isn't a simple "default gateway is the firewall" config on the internal network). You also don't have to manage policy across multiple systems with multiple UIs, and you don't have to deal with multiple sources of logging and reporting of policy violations. I'm happy with this arrangement.

At 08:39 AM 8/26/2002 -0400, Patrick Darden wrote:

Here is the current best thinking, to my knowledge:

        ds3 to internet
               |
               |
        ---------------
        |Bastion Router|
        ---------------
            |     |
            |      \
        firewall    \
            |    vpn engine
            |       |
        ==================
         internal network
        ==================

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave () corecom com
843.689.5595
www.corecom.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
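Added illustration, not code from anyone in this thread: a small model of the "firewall-VPN-firewall sandwich" Ofir describes and the per-pool ACLs James suggests. The outer firewall only admits IKE/ESP to the concentrator; the inner firewall applies pool-specific ACLs to the decrypted packets. All addresses, pools and rules are constructed for the example.

```python
"""Post-decryption policy check for VPN client traffic (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp", "icmp" or "esp"
    dport: int = 0


# Hypothetical concentrator address (TEST-NET-1, constructed for the example).
CONCENTRATOR = ip_address("192.0.2.10")

# Each VPN address pool maps to the internal networks, protocol and ports its
# users may reach once their traffic has been decrypted (constructed values).
POOL_ACLS = {
    ip_network("10.200.1.0/24"): [   # employees: mail and intranet web only
        (ip_network("10.10.5.0/24"), "tcp", {25, 110, 143}),
        (ip_network("10.10.8.0/24"), "tcp", {80, 443}),
    ],
    ip_network("10.200.2.0/24"): [   # admins: SSH and web to the server range
        (ip_network("10.10.0.0/16"), "tcp", {22, 80, 443}),
    ],
}


def outer_fw_allows(pkt: Packet) -> bool:
    """Outer firewall: only IKE (UDP/500) and ESP, and only to the concentrator.
    It cannot inspect what is inside ESP, which is why a second check follows."""
    if ip_address(pkt.dst) != CONCENTRATOR:
        return False
    return pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == 500)


def inner_fw_allows(pkt: Packet) -> bool:
    """Inner firewall: a plaintext packet leaving the concentrator must match
    the ACL of the pool its source address belongs to; anything else is dropped."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for pool, rules in POOL_ACLS.items():
        if src in pool:
            return any(dst in net and pkt.proto == proto and pkt.dport in ports
                       for net, proto, ports in rules)
    return False   # source is not a VPN pool address: never trust it
```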
Current thread:
- VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- RE: VPN concentrators Ofir Arkin (Aug 26)
- RE: VPN concentrators scouser (Aug 26)
- RE: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Dave Piscitello (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 26)
- Re: VPN concentrators scouser (Aug 26)
- Re: VPN concentrators Patrick Darden (Aug 27)
- Re: VPN concentrators Patrick Darden (Aug 28)
- RE: VPN concentrators Ben Nagy (Aug 29)
- <Possible follow-ups>
- RE: VPN concentrators Schouten, Diederik (Diederik) (Aug 26)