Firewall Wizards mailing list archives
RE: VPN concentrators
From: Patrick Darden <darden () armc org>
Date: Tue, 27 Aug 2002 08:30:25 -0400 (EDT)
> By the way - a VPN is not a firewall... The encrypted traffic hitting the VPN must be validated after decryption is performed... This is the reason why, sometimes, a VPN+Firewall in one box (e.g. checkpoint) will be a good solution, or a firewall-VPN-firewall "sandwich" will be also used.
> Just my 2c.

Ditto (and agreeing...)
I happen to agree that a VPN engine is not a firewall, but you two have put your foot in it by stating this. Nobody really agrees as to what a firewall is, exactly. However, I would have to say that a VPN engine certainly does what a firewall typically does. A VPN engine (e.g. IPsec, 3DES, SHA1) discards ALL traffic except that which is authenticated, authorized, encrypted, and untampered with. That means that all traffic that could possibly be suspected of anything overt is dropped (e.g. malformed packets are dropped, ICMP is dropped, anything that is not on the up and up as an IPsec packet is dropped).

A firewall typically is set up to discard all traffic except x, y, and z protocols from these SIDs to those DIPs for both incoming and outgoing packets, according to that site's needs. A firewall these days typically keeps a state table to make sure that packets that say they are part of a session in progress really are part of that instead of a scan or DoS. Additionally, many firewalls now inspect the contents of packets to make sure that if they are on port 80 they are HTTP traffic, etc. A VPN switch does all of this. As far as intent goes, a firewall is intended to protect the inner network from unauthorized traffic.

Now all of the above makes a VPN switch seem just like a firewall, albeit a specialized one. And that is my point--it is a firewall in the broadest sense of the term. However, the reason that I agree with your original statement "a VPN is not a firewall" is because I believe it to be a piece of a firewall, with a firewall being a system instead of a monolithic black box. E.g.:

A border router that filters out obvious crud like teardrop and pac-man, keeps DDoSes from happening by stopping internal machines from spoofing outgoing packets, guards against spoofed packets from the outside getting in, etc.; behind that is a DMZ, a VMZ, a WANMZ, and a WLANMZ (these respectively containing application proxies and internet servers, vendors' machines that need the vendor to have administrative access and crap like pc-anywhere, untrusted WAN connections, and WLAN connections); on the other side of these is a stateful content-inspecting packet filter. Parallel to this, after the border router, is the VPN switch. After the filter and VPN switch comes a malware checker--AV, trojans, Java, ActiveX, Visual Basic, macros, etc. In addition to this might be some IDS systems in various zones, including one internally for good measure.

--
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden () armc org
-- Athens Regional Medical Center

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
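The post describes three behaviours it attributes to a typical firewall: default-deny with an allow list keyed on protocol, source and destination, a state table so that only packets belonging to a session the policy actually permitted get through (a bare ACK from nowhere is treated as a scan or spoof), and content inspection so that traffic on port 80 really is HTTP. The following is an added illustration, not code from the original post or from any product mentioned in the thread; the rule format, the 10.0.0.0/24 "inside" prefix, the sample addresses and the packet sequence are all constructed for the example.

```python
"""Toy default-deny stateful packet filter (constructed example).

Models the firewall behaviour described in the post: drop everything except
listed protocols from permitted sources to permitted destinations, keep a
state table so replies are accepted only for sessions the inside opened
through the rules, and check that traffic on port 80 actually looks like
HTTP. Addresses, rules and packets are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str            # source IP (the post's "SID")
    dst: str            # destination IP (the post's "DIP")
    proto: str          # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: the only packet allowed to open state
    payload: bytes = b""


# Allow rules as (proto, src prefix, dst prefix, dport); "" matches any address.
# Anything not matched by a rule is dropped (default deny). Constructed policy.
INSIDE = "10.0.0."
ALLOW = [
    ("tcp", INSIDE, "", 80),        # inside hosts may open HTTP to anywhere
    ("tcp", INSIDE, "", 443),       # ... and HTTPS
    ("tcp", "", "10.0.0.5", 25),    # anyone may reach the mail relay on SMTP
]

# Minimal "is this HTTP?" check: a request line must begin with a method.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


class StatefulFilter:
    def __init__(self, rules=ALLOW):
        self.rules = rules
        # Established sessions as 5-tuples (proto, src, sport, dst, dport).
        self.state = set()

    def _rule_allows(self, p):
        return any(
            p.proto == proto
            and p.src.startswith(src)
            and p.dst.startswith(dst)
            and p.dport == port
            for proto, src, dst, port in self.rules
        )

    @staticmethod
    def _looks_like_http(payload):
        # Empty segments (pure ACKs) carry nothing to inspect.
        return payload == b"" or payload.startswith(HTTP_METHODS)

    def decide(self, p):
        """Return "accept" or "drop" for one packet, updating the state table."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state:
            # Forward direction of a known session: still inspect the content.
            if p.dport == 80 and not self._looks_like_http(p.payload):
                return "drop"
            return "accept"
        if reverse in self.state:
            return "accept"        # reply to a session the rules already permitted
        # Only a TCP SYN may create state. A packet claiming to belong to a
        # session we never saw is what a scan or a spoofed packet looks like.
        if p.proto != "tcp" or not p.syn:
            return "drop"
        if not self._rule_allows(p):
            return "drop"
        self.state.add(key)
        return "accept"


def run_sample():
    """Run a constructed packet sequence through the filter; returns decisions."""
    fw = StatefulFilter()
    packets = [
        Packet("10.0.0.7", "203.0.113.10", "tcp", 40000, 80, syn=True),        # inside opens HTTP
        Packet("203.0.113.10", "10.0.0.7", "tcp", 80, 40000),                  # server reply
        Packet("10.0.0.7", "203.0.113.10", "tcp", 40000, 80,
               payload=b"GET / HTTP/1.1\r\n"),                                 # real HTTP on 80
        Packet("10.0.0.7", "203.0.113.10", "tcp", 40000, 80,
               payload=b"\x16\x03\x01\x00\x00"),                               # not HTTP on 80
        Packet("198.51.100.9", "10.0.0.7", "tcp", 4444, 40000),               # bare ACK, no state
        Packet("198.51.100.9", "10.0.0.5", "tcp", 5555, 25, syn=True),         # SMTP to the relay
        Packet("198.51.100.9", "10.0.0.7", "icmp", 0, 0),                      # ICMP from outside
        Packet("198.51.100.9", "10.0.0.7", "tcp", 5556, 80, syn=True),         # inbound 80, no rule
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The decision order matters: state is consulted before the rules so that replies are not re-evaluated against a policy written only for the initiating direction, and content inspection is applied to established port-80 sessions rather than to the SYN, which carries no payload.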