Firewall Wizards mailing list archives
RE: VPN concentrators
From: Nilesh Chaudhari <nileshch () yahoo com>
Date: Thu, 29 Aug 2002 20:51:57 +0100 (BST)
Of all the responses that I have seen in the preceding messages, I did not find a simple solution shown by anybody. Let me show you what I have done for VPN at my gateway -

                    DMZ
                    |
               +--(ids)
               |
inet=====rtr---+--firewall---internal [+vpn]
               |
               |
             (ids)

=== Encrypted traffic
--- Unencrypted traffic

I do not claim this to be the simplest/most secure of all solutions, but it is pretty easy & reasonably secure, allowing flexible policy enforcement.

Nilesh Chaudhari.

--- Patrick Darden <darden () armc org> wrote:

> 7. Adding an additional rtr doesn't really do anything security-wise
> 8. throwing the vpn between 2 firewalls is illustrated in #1. Throwing in an additional router doesn't do anything security-wise.
>
> --
> --Patrick Darden
> Internetworking Manager
> 706.475.3312
> darden () armc org
> Athens Regional Medical Center
>
> On Thu, 29 Aug 2002, Crispin Harris wrote:
>
> > 7. inet--rtr---vpn---intfw--rtr(internal)
> >             `-extfw-'
> > 8. inet--rtr--extfw-+---intfw--rtr(internal)
> >                     `-vpn-'
> >    (on third interface of internal firewall[1])
> >
> > Bear in mind that this ups both the budget and the complexity somewhat. To further 'up the ante', one firewall should be SPF (stateful packet filter, or equivalent) and the other ALG (Application Layer Gateway, layer 4 proxies)[2]. I have had a number of clients for whom this style of architecture was the only appropriate[4] design.
> >
> > Regards,
> > Crispin Harris
> >
> > BTW: I tend to believe that 3 interfaces (out, in, side) is as few as a corporate internet gateway can include, and I have had installations with as many as 9 on two layers (out, in, between, web, partner, transaction, vpn/remote_users, dns/mail, application).
> >
> > [1] This is building on the concept of Separation of Security Zones[3]. The interface on which the VPN concentrator is terminated is also home to any corporate dial-in pool, or Telco "Private IP networking" services.
> > [2] Most environments which require this sort of setup would also require EAL4 (or equivalent) accreditations on the firewall devices.
> > [3] Mind blank on the correct term, been a while, but any good book on traditional security architectures should be able to explain it.
> > [4] Read "Compliant".
> >
> > -----Original Message-----
> > From: Patrick Darden [mailto:darden () armc org]
> > Sent: Wednesday, August 28, 2002 10:33 PM
> > To: Daniel Linder
> > Cc: scouser () paradise net nz; firewall-wizards () honor icsalabs com
> > Subject: Re: [fw-wiz] VPN concentrators
> >
> > If you add up all the 2 cent disagreements with what I have stated, you get a good buck fifty!
> > Some of it was from people who misunderstood what was stated, but a good bit of it was made by people who understand the issues, and simply disagree--sometimes for obvious reasons.
> >
> > I think we can sum it up though (concentrating on vpn positioning):
> >
> > 1. inet--rtr--firewall--vpn--firewall--internal                       some recommend
> > 2. inet--rtr--vpn--internal                                           only I recommend?
> > 3. inet--rtr--vpn--firewall--internal                                 many recommend
> > 4. inet--rtr--firewall--vpn--dmz                                      some recommend
> > 5. inet--rtr--vpn--vmz                                                only I recommend?
> >             --vpn--vmz                                                trust zones
> >             --vpn--internal
> >             --vpn--internal
> > 6. inet--rtr--firewall--firewall--vpn--firewall--firewall--rtr--inet  paranoid's dream
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
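The placement options quoted above (Patrick's 1 to 4 and Crispin's 7 and 8), as an added example that is not from the thread: a small Python script models each design as an edge list and answers the two questions the discussion turns on, whether the internet can reach the concentrator with no firewall in front of it, and whether decrypted VPN traffic can reach the internal network without crossing a firewall. Node labels follow the thread's notation; the edge lists are my reading of the ASCII diagrams, so treat them as assumptions.

```python
from collections import deque
# Hop labels from the thread's notation that act as policy enforcement points.
FIREWALLS = {"firewall", "fw1", "fw2", "intfw", "extfw"}

def unfiltered_path(spec, src, dst):
    """Hop list src..dst that crosses no firewall, or None if every path does."""
    adj = {}
    for edge in spec.split():
        a, b = edge.split("-")
        if a in FIREWALLS or b in FIREWALLS:  # drop firewall nodes: any path
            continue                          # that remains is never policy-checked
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])   # plain BFS over what is left
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def assess(spec):
    """The two placement questions the thread argues about, for one design."""
    return {
        # can the internet reach the concentrator with no firewall in front of it?
        "concentrator_exposed": unfiltered_path(spec, "inet", "vpn") is not None,
        # can decrypted VPN traffic reach the internal net without being filtered?
        "cleartext_unfiltered": unfiltered_path(spec, "vpn", "internal") is not None,
    }

# Edge lists are my reading of the ASCII diagrams; numbering as in the thread.
DESIGNS = {
    "1": "inet-rtr rtr-fw1 fw1-vpn vpn-fw2 fw2-internal",
    "2": "inet-rtr rtr-vpn vpn-internal",
    "3": "inet-rtr rtr-vpn vpn-firewall firewall-internal",
    "4": "inet-rtr rtr-firewall firewall-vpn firewall-internal",  # vpn on dmz leg
    "7": "inet-rtr rtr-vpn vpn-intfw rtr-extfw extfw-intfw intfw-internal",
    "8": "inet-rtr rtr-extfw extfw-intfw intfw-vpn intfw-internal",  # 3rd interface
}

if __name__ == "__main__":
    for name, spec in DESIGNS.items():
        print(name, assess(spec))
```

Design 7 comes out with the concentrator exposed (inet, rtr, vpn with no firewall in between) while design 8 does not, which is the difference Crispin's two diagrams draw.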