Firewall and VPN Device

jason.dowd at us.pwcglobal.com
Thu Oct 21 10:58:15 EDT 1999


The first is more common.

For the second configuration, you should permit traffic to the VPN server
that is destined for UDP 500 and IP protocols 50 and 51.

However, you should also consider that neither of these configurations is
the most common when using a dedicated VPN appliance. What our clients seem
to like the best is:

<ISP>-<router>--<firewall>--<LAN>
                              |                    |
                              -<vpn>------

or a parallel configuration. This way, extensive reconfiguration of the
firewall is not necessary, and firewall and vpn administration can be more
easily divided. There are issues with this configuration, though. One is
security. This is not always ideal for less than trusted connections. The
second is routing. Vanilla IPSec used for remote access will not route in
this scenario, and it will be necessary to either make use of proprietary
IPSec extensions or an additional protocol such as PPTP running over IPSec.

Jason
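The inbound rule set Jason gives for the second configuration (the firewall in front of the VPN device), worked through as a small first-match packet filter. This is an added example, not code from the list thread; the VPN server address and the sample packets are constructed.

```python
# Added example: stateless inbound filter for
#   <ISP>-<router>-<firewall>-<vpn device>-<LAN>
# The firewall cannot see inside the IPsec tunnel, so the only traffic it
# should pass to the VPN server is IKE (UDP 500), ESP (IP protocol 50) and
# AH (IP protocol 51); everything else falls through to a default deny.
from dataclasses import dataclass
from typing import Optional

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500

# Constructed address for the VPN device's outside interface (assumption).
VPN_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                    # IP protocol number
    dport: Optional[int] = None   # transport port; None for ESP/AH


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: Optional[int]          # None matches any protocol
    dst: Optional[str]            # None matches any destination
    dport: Optional[int]          # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


INBOUND_RULES = [
    Rule("permit", IP_PROTO_UDP, VPN_SERVER, IKE_PORT),  # IKE
    Rule("permit", IP_PROTO_ESP, VPN_SERVER, None),      # ESP
    Rule("permit", IP_PROTO_AH, VPN_SERVER, None),       # AH
    Rule("deny", None, None, None),                      # default deny
]


def filter_inbound(pkt: Packet, rules=INBOUND_RULES) -> str:
    """Return the action of the first rule that matches, first-match wins."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```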

S Ramakrishnan <rk_ at mailcity.com> on 10/20/99 03:16:46 PM
To:   "'vpn at listserv.secnetgroup.com'" <vpn at listserv.secnetgroup.com>
cc:
Subject:  Firewall and VPN Device

Consider the two configurations:

  <ISP>-<router>-<vpn device>-<firewall>-<LAN>

and

  <ISP>-<router>-<firewall>-<vpn device>-<LAN>

Which of these is more commonly deployed?
In the second case, since the firewall
cannot see the IP payload (assuming that
IPSec is used in tunnel mode), what
should be the rules on the firewall
to permit incoming IPSec flows? Will the
firewall only permit IKE, AH and ESP
protocols?


- sr

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************
