Firewall and VPN Device

David Goldsmith dgoldsmi at erols.com
Mon Oct 25 10:09:25 EDT 1999


Of those two, I would say the second where the VPN device is inside the
firewall.
The firewall would have to allow external access to the VPN device for IP
protocols 50 and 51 (AH/ESP) and UDP port 500 (IKE).

If you used the first, then all of your "secure" traffic would now be open
and have to be filtered by the firewall.

A third solution that is common is a parallel implementation. The firewall
filters all unsecure traffic but the secure traffic is allowed to bypass it.

R/S

Dave Goldsmith
dgoldsmi at erols.com
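As an added illustration (not part of the original post), a small stateless filter modelling the rules described above for the second configuration, where the firewall sits in front of the VPN device and may admit only IKE, AH and ESP to it; the addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed placeholder addresses (TEST-NET range), not from the original post.
VPN_DEVICE = "192.0.2.10"    # outside address of the VPN device behind the firewall
LAN_HOST = "192.0.2.20"      # an ordinary host the same firewall protects

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51   # IP protocol numbers
IKE_PORT = 500                                # IKE over UDP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number from the outer header
    dport: Optional[int] = None  # transport port, meaningful only for UDP/TCP


Rule = Tuple[str, Callable[[Packet], bool]]


def inbound_rules() -> List[Rule]:
    """Ordered rule set for traffic arriving from the ISP side; first match wins.

    The firewall cannot look inside AH/ESP, so it can only match on the outer
    header: protocol number and destination, plus the IKE port for UDP.
    Everything else is dropped by the final default rule.
    """
    return [
        ("allow-esp-to-vpn", lambda p: p.dst == VPN_DEVICE and p.proto == PROTO_ESP),
        ("allow-ah-to-vpn", lambda p: p.dst == VPN_DEVICE and p.proto == PROTO_AH),
        ("allow-ike-to-vpn", lambda p: p.dst == VPN_DEVICE
         and p.proto == PROTO_UDP and p.dport == IKE_PORT),
        ("deny-default", lambda p: True),
    ]


def filter_inbound(pkt: Packet) -> Tuple[str, bool]:
    """Return (name of the matching rule, whether the packet is permitted)."""
    for name, match in inbound_rules():
        if match(pkt):
            return name, name.startswith("allow")
    return "deny-default", False   # not reachable, kept for clarity


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed address of a remote VPN peer
    for pkt in (Packet(peer, VPN_DEVICE, PROTO_ESP),
                Packet(peer, VPN_DEVICE, PROTO_UDP, IKE_PORT),
                Packet(peer, LAN_HOST, PROTO_UDP, IKE_PORT),
                Packet(peer, VPN_DEVICE, 6, 23)):
        print(pkt, "->", filter_inbound(pkt))
```

Note that in this placement the firewall never sees the decrypted traffic the VPN device hands to the LAN, which is the trade-off against the first configuration mentioned above.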

-----Original Message-----
From: S Ramakrishnan <rk_ at mailcity.com>
To: 'vpn at listserv.secnetgroup.com' <vpn at listserv.secnetgroup.com>
Date: Thursday, October 21, 1999 10:08 AM
Subject: Firewall and VPN Device


>Consider the two configurations:
>
>  <ISP>-<router>-<vpn device>-<firewall>-<LAN>
>
>and
>
>  <ISP>-<router>-<firewall>-<vpn device>-<LAN>
>
>
>Which of these is more commonly deployed?
>In the second case, since the firewall
>cannot see the IP payload (assuming that
>IPSec is used in tunnel mode), what
>should be the rules on the firewall
>to permit incoming IPSec flows? Will the
>firewall only permit IKE, AH and ESP
>protocols?
>
>
>- sr
>
>
>
>****************************************************************
>TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
>The VPN FAQ (under construction) is available at
>http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
>
>We are currently experiencing "unsubscribe" difficulties.  If you
>wish to unsubscribe, please send a message containing the single line
>"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com
>
>****************************************************************
>
