Firewall Wizards mailing list archives

RE: VPN concentrators


From: Patrick Darden <darden () armc org>
Date: Tue, 27 Aug 2002 08:30:25 -0400 (EDT)

By the way - a VPN is not a firewall...
The encrypted traffic hitting the VPN must be validated after decryption
is performed... This is the reason why, sometimes, a VPN+Firewall in one
box (e.g. checkpoint) will be a good solution, or a
firewall-VPN-firewall "sandwich" will be also used.

Just my 2c.

Ditto (and agreeing...)

I happen to agree that a vpn engine is not a firewall, but you two have
put your foot in it by stating this.  Nobody really agrees as to what a
firewall is, exactly.  However, I would have to say that a vpn engine
certainly does what a firewall typically does.  A vpn engine (e.g. ipsec,
3des, sha1) discards ALL traffic except that which is authenticated,
authorized, encrypted, and untampered with.  That means that all traffic
that could possibly be suspected of anything overt is dropped (e.g.
malformed packets are dropped, icmp is dropped, anything that is not on
the up and up as an ipsec packet is dropped).  A firewall typically is set
up to discard all traffic except x, y, and z protocols from these SIDs to
those DIPs for both incoming and outgoing packets, according to that
site's needs.  A firewall these days typically keeps a state table to make
sure that packets that say they are part of a session in progress really
are part of that instead of a scan or DOS.  Additionally, many firewalls
now inspect the contents of packets to make sure that if they are on port
80 they are http traffic, etc.  A VPN switch does all of this.  As far as
intent goes, a firewall is intended to protect the inner network from
unauthorized traffic.

Now all of the above makes a vpn switch seem just like a firewall, albeit
a specialized one.  And that is my point--it is a firewall in the broadest
sense of the term.  However, the reason that I agree with your original
statement "a VPN is not a firewall" is because I believe it to be a piece
of a firewall, with a firewall being a system instead of a monolithic black
box.  E.g. border router that filters out obvious crud like teardrop and
pac-man, keeps DDOSes from happening by stopping internal machines from
spoofing outgoing packets, guards against spoofed packets from the outside
getting in, etc.; behind that is a dmz, a vmz, wanmz, and a wlanmz,
(these respectively containing application proxies and internet servers, 
vendors' machines that need the vendor to have administrative access and 
crap like pc-anywhere, untrusted wan connections, and wlan connections) on
the other side of these is a stateful content-inspecting packet filter.
Parallel to this, after the border router, is the VPN switch.  After the
filter and VPN switch comes a malware checker--av, trojans, java, activex,
visual basic, macros, etc.  In addition to this might be some IDS systems
in various zones, including one internally for good measure.

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
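The post above describes three filtering behaviours that, taken together, make up what it calls a firewall "system": a border router that drops spoofed packets in both directions, a default-deny policy that permits only certain protocols from certain sources to certain destinations, and a state table that admits a packet claiming to belong to a session only if that session was actually opened through the filter. The following toy model is an added example, not code from the mailing-list post or from any product it mentions; the address ranges, the two policy rules, and the sample packets are all constructed for illustration, and the DMZ web server is simply placed inside the assumed internal range to keep the model small.

```python
"""Toy model of the layered filtering described in the post: an anti-spoof
border check, a default-deny policy keyed on protocol/source/destination,
and a state table that only admits replies to sessions already seen.
All addresses, rules and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed internal address space (constructed; not from the post).
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" or "inside": interface the packet arrived on
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True for a connection-opening packet


@dataclass(frozen=True)
class Rule:
    proto: str
    src: object         # ip_network the source must fall in
    dst: object         # ip_network the destination must fall in
    dport: Optional[int]  # None means any destination port


# "Discard all traffic except x, y and z from these sources to those
# destinations": outbound TCP from inside, inbound TCP/80 to one web host.
RULES = [
    Rule("tcp", INTERNAL, ip_network("0.0.0.0/0"), None),
    Rule("tcp", ip_network("0.0.0.0/0"), ip_network("10.1.1.80/32"), 80),
]


class Firewall:
    def __init__(self, internal, rules):
        self.internal = internal
        self.rules = rules
        self.state = set()   # 5-tuples of sessions opened through the policy

    def border_check(self, pkt):
        """The border-router job: reject obviously spoofed sources."""
        src = ip_address(pkt.src)
        if pkt.iface == "outside" and src in self.internal:
            return "drop: spoofed internal source from outside"
        if pkt.iface == "inside" and src not in self.internal:
            return "drop: internal host spoofing a foreign source"
        return None

    def policy_allows(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        return any(r.proto == pkt.proto and src in r.src and dst in r.dst
                   and (r.dport is None or r.dport == pkt.dport)
                   for r in self.rules)

    def filter(self, pkt):
        reason = self.border_check(pkt)
        if reason:
            return reason
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful part: a packet is "part of a session in progress" only if
        # the filter itself recorded that session in either direction.
        if fwd in self.state or rev in self.state:
            return "accept: part of established session"
        if not pkt.syn:
            return "drop: no session for this packet"
        if self.policy_allows(pkt):
            self.state.add(fwd)
            return "accept: new session permitted by policy"
        return "drop: default deny"


def run(packets):
    """Push a packet sequence through a fresh firewall; return the verdicts."""
    fw = Firewall(INTERNAL, RULES)
    return [fw.filter(p) for p in packets]


# Constructed sample traffic, in order of arrival.
SAMPLE = [
    Packet("inside", "tcp", "10.2.3.4", 40000, "198.51.100.10", 443),             # outbound HTTPS
    Packet("outside", "tcp", "198.51.100.10", 443, "10.2.3.4", 40000, syn=False),  # its reply
    Packet("outside", "tcp", "203.0.113.7", 50000, "10.1.1.80", 80),              # inbound to web host
    Packet("outside", "tcp", "203.0.113.7", 50001, "10.1.1.80", 22),              # inbound SSH, not in policy
    Packet("outside", "tcp", "10.9.9.9", 1234, "10.1.1.80", 80),                  # spoofed internal source
    Packet("outside", "tcp", "203.0.113.8", 5000, "10.2.3.4", 40000, syn=False),  # bogus "reply", no session
    Packet("inside", "udp", "192.0.2.1", 53, "203.0.113.9", 53),                  # inside host spoofing outward
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{pkt.iface:7} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict}")
```

The VPN engine the post compares this to would sit in parallel as a separate stage: it has no policy table at all and simply drops everything that is not a correctly authenticated IPsec packet, which is why the post treats it as one component of the system rather than as the whole firewall.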