Firewall and VPN Device

S Ramakrishnan rk_ at mailcity.com
Mon Oct 25 18:13:12 EDT 1999



On Fri, 22 Oct 1999 17:24:34   Steve J Kuo wrote:

  >                      |--<firewall>-----|
  >   <ISP>---<router>---|                 |---<LAN>
  >                      |--<vpn device>---|
  >
  >The incoming encrypted traffic goes to the VPN box directly (there is not much
  >benefit for it to go through a firewall anyway).  However, the decrypted traffic
  >has to go through a firewall for access control.

There is redundant policy enforcement here. Hopefully, the VPN tunnels have
been instantiated based on policies consistent with the firewall policies.
Why subject the VPN-okayed incoming traffic to firewall filtering again?

Should the firewall policies not be consistent with the tunnel policies, this
will end up discarding well-formed VPN traffic from tunnels that were
set up "as per the rules".

Rk

  >Steve
>
>
>
>
>
>"David Mostardi" <davidm at mdli.com> on 10/22/99 12:26:19 AM
>
>To:   "'vpn at listserv.secnetgroup.com'" <vpn at listserv.secnetgroup.com>
>cc:    (bcc: Steve J Kuo/Dallas/Mobil-Notes)
>Subject:  Re: Firewall and VPN Device
>
>
>
>
>
>On Oct 21,  7:12, S Ramakrishnan wrote:
>
>> Consider the two configurations:
>>
>>   <ISP>-<router>-<vpn device>-<firewall>-<LAN>
>>
>> and
>>
>>   <ISP>-<router>-<firewall>-<vpn device>-<LAN>
>>
>> Which of these is more commonly deployed?
>
>
>There is a 3rd configuration, where the firewall
>and VPN box sit side-by-side.  The firewall
>continues to monitor most Internet services,
>except it leaves incoming VPN connections to the
>VPN box.
>
>
>                      |--<firewall>-----|
>   <ISP>---<router>---|                 |---<LAN>
>                      |--<vpn device>---|
>


---
S Ramakrishnan
"... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100
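The consistency problem Rk raises above (decrypted tunnel traffic hitting a firewall whose rules do not match the tunnel policy) can be audited before deployment. The following is an added example, not code from the list or from any product discussed here; the tunnel selectors, firewall rules and first-match/implicit-deny semantics are constructed assumptions.

```python
"""Audit an ordered firewall ruleset against VPN tunnel selectors and report
tunnels whose admitted traffic the firewall would drop (added example)."""
import ipaddress
from typing import List, Optional


class Tunnel:
    """One tunnel policy: decrypted traffic from src to dst, proto/dport."""
    def __init__(self, name, src, dst, proto, dport):
        self.name, self.proto, self.dport = name, proto, dport
        self.src = ipaddress.ip_network(src)   # remote site, after decryption
        self.dst = ipaddress.ip_network(dst)   # protected LAN behind the firewall


class Rule:
    """One firewall rule; proto 'any' or dport None match everything."""
    def __init__(self, action, src, dst, proto="any", dport: Optional[int] = None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def overlaps(self, t: Tunnel) -> bool:
        return (self.proto in ("any", t.proto) and self.dport in (None, t.dport)
                and self.src.overlaps(t.src) and self.dst.overlaps(t.dst))

    def covers(self, t: Tunnel) -> bool:
        return (self.overlaps(t) and t.src.subnet_of(self.src)
                and t.dst.subnet_of(self.dst))


def check_tunnel(rules: List[Rule], t: Tunnel) -> str:
    """First matching rule wins; no match means implicit deny (assumed)."""
    for r in rules:
        if r.covers(t):
            return "ok" if r.action == "allow" else "DROPPED: denied by rule"
        if r.overlaps(t):
            # This rule decides only part of the tunnel's traffic; flag it.
            return "PARTIAL: rule matches only part of tunnel selector"
    return "DROPPED: no rule, implicit deny"


def audit(rules: List[Rule], tunnels: List[Tunnel]) -> dict:
    return {t.name: check_tunnel(rules, t) for t in tunnels}


# Constructed sample data: three tunnels "set up as per the rules".
TUNNELS = [
    Tunnel("branch-a", "10.1.0.0/16", "192.168.0.0/24", "tcp", 445),
    Tunnel("branch-b", "10.2.0.0/16", "192.168.0.0/24", "tcp", 22),
    Tunnel("branch-c", "10.3.0.0/16", "192.168.0.0/24", "tcp", 80),
]
FIREWALL = [
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", 445),          # blocks branch-a
    Rule("allow", "10.0.0.0/8", "192.168.0.0/24", "tcp", 22),     # covers branch-b
    Rule("allow", "10.3.0.0/17", "192.168.0.0/24", "tcp", 80),    # narrower than branch-c
]

if __name__ == "__main__":
    for name, verdict in audit(FIREWALL, TUNNELS).items():
        print(f"{name}: {verdict}")
```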