Re: VPN concentrators

[Patrick Darden <darden () armc org>]

So, you have traffic coming thru your bastion router, hitting your
firewall, and if vpn traffic then routed to the vpn engine, then routed
back to the firewall on another interface, then into your internal
network.  Have you made this work?  Where is your second vpn switch for
redundancy and failover?  How does vrrp/whatever work?  Frankly, it looks
unwieldy--but you can't argue with success.  I'd be interested in more
details.

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Tue, 27 Aug 2002 scouser () paradise net nz wrote:

> Actually I was thinking more along these lines.(trying to keep the box count
> down, to reduce management overhead)
>
> Internet connection
>       |
>  -----|-----
>  bastionrouter
>  -------------
>   |        
>  firewall ---- vpn engine
>   |   |___________|         
>   |       
>   | 
>   |
>   |
>  --------------------
>  internal network
>
>
> I do not trust incoming traffic. I do not trust the X hundred VPN users to
> secure there endpoints from trojans, malware etc... So I want to be able to
> inspect and filter traffic after it leaves the tunnel and before it enters my
> network.
> It is also nice to beable to inspect the traffic more than once, ie run some
> NIDS on the traffic (before it has entered the network).
> I have yet to find a single product that does both to a satisfactory level of
> assurance.
>
> James
> Quoting Patrick Darden <darden () armc org>:
>
> > I think the original poster's idea was (just to be clear):
> >
> >  ds3
> >  |
> > -----|-----
> > bastionrouter
> > -------------
> >  | |
> > firewall vpn engine
> >  | |
> >  | |
> >  | firewall
> >  | |
> >  | |
> > -----------------------
> > internal network
> >
> >
> > In my original diagram, DOS attacks would be filtered at the bastion
> > router. In this diagram, after the vpn engine receives and verifies and
> > confirms packets, then they are routed through a firewall.... Redundant
> > and useless. Let's say it is a top of the line content-inspecting,
> > state-keeping, packet filtering firewall--how is that better than the
> > vpn
> > engine which does all of this and more? The vpn engine verifies and
> > confirms and filters based on the sip, dip, state, and packet contents;
> > and can do this on a per-user or per-group basis, thus giving different
> > users different "levels" of access.
> >
> > Having this extra firewall is not useful.
> >
> > --
> > --Patrick Darden Internetworking Manager 
> > -- 706.475.3312 darden () armc org
> > -- Athens Regional Medical Center
> >
> >
> > On Mon, 26 Aug 2002, m p wrote:
> >
> > > --- Patrick Darden <darden () armc org> schrieb: > 
> > > > I don't agree. Putting authenticated and authorized traffic through
> > a
> > > > firewall is redundant. IPSEC traffic is trusted traffic. A VPN is
> > an
> > > > extension of your network--it is as trusted as any traffic internal
> > to
> > > > your network--perhaps more, as it can be completely accounted
> > > > for--remember that every packet has a confirmed sip, dip, and
> > payload.
> > > >
> > >
> > > I beg to differ.
> > >
> > > He talked about VPN - not authorized and authenticated traffic from a
> > > source he can trust 100%.
> > >
> > > Traffic via a VPN can be from different sources with different levels
> > > of trust. It can be a company or an employee or a branch office. That
> > > are 3 classes of different trustworthy. Perhaps there are more.
> > >
> > > There were some DoS-attacks against the Windows IPSEC implementation
> > > last year. There too was a DoS attack against some open source IPSEC
> > > implementation. If you can limit the addresses that connect to the
> > > termination point of your VPN it may be worth the additional layer of
> > > security.
> > >
> > > To make sure each person that logins / operate via the VPN is only
> > > allowed to see what he/she/it should see there should be a firewall
> > > behind the termination point of the VPN.
> > >
> > > Yes, traffic via VPN should be the same as normal "in-house" traffic.
> > > But the connection begin can be a problem - and if traffic via VPN is
> > > not "in-house" traffic. If you firewall the RAS users in your company
> > > you should too firewall the VPN users.
> > >
> > > Just my 2 euro cent
> > >
> > > Marc
> > >
> > >
> > > __________________________________________________________________
> > >
> > > Gesendet von Yahoo! Mail - http://mail.yahoo.de
> > > Möchten Sie mit einem Gruß antworten? http://grusskarten.yahoo.de
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mai lman/listinfo/firewall-wizards
> >  

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards