Firewall Wizards mailing list archives

RE: VPN concentrators


From: Nilesh Chaudhari <nileshch () yahoo com>
Date: Thu, 29 Aug 2002 20:51:57 +0100 (BST)

Of all the responses that I have seen in the preceding messages, I did
not find a simple solution shown by anybody. Let me show you what I
have done for VPN at my gateway - 

                    DMZ
                     |
                     +--(ids)
                     |
inet=====rtr---+--firewall---internal
        [+vpn] |
               |
             (ids)

=== Encrypted traffic
--- Unencrypted traffic

I do not claim this to be the simplest/most secure of all solutions,
but it is pretty easy & reasonably secure, allowing flexible policy
enforcement.

Nilesh Chaudhari.

--- Patrick Darden <darden () armc org> wrote:
7.  Adding an additional rtr doesn't really do anything security-wise
8.  Throwing the vpn between 2 firewalls is illustrated in #1. Throwing in an additional router doesn't do anything security-wise.

--
--Patrick Darden                Internetworking Manager             
--                              706.475.3312    darden () armc org
--                              Athens Regional Medical Center


On Thu, 29 Aug 2002, Crispin Harris wrote:

7.  inet--rtr---vpn---intfw--rtr(internal)
             `-extfw-'
8.  inet--rtr--extfw-+---intfw--rtr(internal)
                     `-vpn-'    (on third interface of internal firewall[1])

Bear in mind that this ups both the budget and the complexity somewhat. To further 'up the ante', one firewall should be SPF (stateful packet filter, or equivalent) and the other ALG (Application Layer Gateway, layer 4 proxies)[2].

I have had a number of clients for whom this style of architecture was the only appropriate[4] design.

Regards,
    Crispin Harris

BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a corporate internet gateway can include, and I have had installations with as many as 9 on two layers (out, in, between, web, partner, transaction, vpn/remote_users, dns/mail, application).

[1] This is building on the concept of Separation of Security Zones[3]. The interface on which the VPN concentrator is terminated is also home to any corporate dial-in pool, or Telco "Private IP networking" services.
[2] Most environments which require this sort of setup would also require EAL4 (or equivalent) accreditations on the firewall devices.
[3] Mind blank on the correct term, been a while, but any good book on traditional security architectures should be able to explain it.
[4] Read "Compliant".

-----Original Message-----
From: Patrick Darden [mailto:darden () armc org]
Sent: Wednesday, August 28, 2002 10:33 PM
To: Daniel Linder
Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] VPN concentrators



If you add up all the 2 cent disagreements with what I have stated, you get a good buck fifty!  Some of it was from people who misunderstood what was stated, but a good bit of it was made by people who understand the issues, and simply disagree--sometimes for obvious reasons.

I think we can sum it up though (concentrating on vpn positioning):

1.  inet--rtr--firewall--vpn--firewall--internal                         some recommend
2.  inet--rtr--vpn--internal                                             only I recommend?
3.  inet--rtr--vpn--firewall--internal                                   many recommend
4.  inet--rtr--firewall--vpn--dmz                                        some recommend
5.  inet--rtr--vpn--vmz                                                  only I recommend?
             --vpn--vmz                                                  trust zones
             --vpn--internal
             --vpn--internal
6.  inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet    paranoid's dream



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards 
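The placements argued over in this thread differ mainly in which inspection points see remote-user traffic after the VPN endpoint has decrypted it. As an added illustration (not code from any poster), this small Python model takes a topology in the thread's `inet--rtr--vpn--firewall--internal` notation and reports which firewalls or IDS sit before the VPN endpoint (seeing only the encrypted envelope) and which sit after it (seeing cleartext). Nilesh's router-terminated VPN with an IDS on the unencrypted segment is written here as the constructed string `inet--rtr--vpn--ids--firewall--internal`; the hop names are the thread's own, the `ids` hop is assumed.

```python
# Added example, not from the thread: a tiny model of VPN placement.
# A topology is a chain of hops joined by "--", as written in the thread.
# Hops named in INSPECTORS are policy or inspection points; everything
# upstream of the "vpn" hop sees only ciphertext, everything downstream
# sees the decrypted remote-user traffic and can enforce policy on it.
from typing import List, Tuple

INSPECTORS = {"firewall", "extfw", "intfw", "ids"}   # "ids" hop is assumed
FIREWALLS = {"firewall", "extfw", "intfw"}


def parse_path(topology: str) -> List[str]:
    """Split 'inet--rtr--vpn--firewall--internal' into its hop names."""
    return [hop.strip() for hop in topology.split("--") if hop.strip()]


def cleartext_inspectors(topology: str) -> Tuple[List[str], List[str]]:
    """Return (inspectors before the VPN endpoint, inspectors after it).

    The first list sees only the tunnel envelope; the second sees the
    decrypted user traffic. A topology with no 'vpn' hop is rejected.
    """
    hops = parse_path(topology)
    if "vpn" not in hops:
        raise ValueError("topology has no vpn endpoint: %r" % topology)
    idx = hops.index("vpn")
    before = [h for h in hops[:idx] if h in INSPECTORS]
    after = [h for h in hops[idx + 1:] if h in INSPECTORS]
    return before, after


def policy_gap(topology: str) -> bool:
    """True when decrypted remote-user traffic reaches the far end of the
    path without crossing any firewall, i.e. the objection raised against
    option 2 (inet--rtr--vpn--internal) in the thread."""
    _, after = cleartext_inspectors(topology)
    return not any(h in FIREWALLS for h in after)


if __name__ == "__main__":
    for topo in ("inet--rtr--vpn--internal",
                 "inet--rtr--vpn--firewall--internal",
                 "inet--rtr--firewall--vpn--firewall--internal",
                 "inet--rtr--vpn--ids--firewall--internal"):
        before, after = cleartext_inspectors(topo)
        print("%-48s ciphertext-only=%s cleartext=%s gap=%s"
              % (topo, before, after, policy_gap(topo)))
```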
