Firewall and VPN Device
S Ramakrishnan
rk_ at mailcity.com
Mon Oct 25 18:13:12 EDT 1999
On Fri, 22 Oct 1999 17:24:34 Steve J Kuo wrote:
> |--<firewall>-----|
> <ISP>---<router>---| | |---<LAN>
> | |
> |--<vpn device>
>
>The incoming encrypted traffic goes to the VPN box directly (there is not much
>benefit for it to go through a firewall anyway). However, the decrypted traffic
>has to go through a firewall for access control.
There is redundant policy enforcement here. Hopefully, the VPN tunnels have
been instantiated based on policies consistent with the firewall policies.
Why subject the VPN-okayed incoming traffic to firewall filtering again?
Should the firewall policies not be consistent with the tunnel policies, this
will end up discarding well-formed VPN traffic from tunnels that were set up
"as per the rules".
Rk
>Steve
>
>"David Mostardi" <davidm at mdli.com> on 10/22/99 12:26:19 AM
>
>To: "'vpn at listserv.secnetgroup.com'" <vpn at listserv.secnetgroup.com>
>cc: (bcc: Steve J Kuo/Dallas/Mobil-Notes)
>Subject: Re: Firewall and VPN Device
>
>On Oct 21, 7:12, S Ramakrishnan wrote:
>
>> Consider the two configurations:
>>
>> <ISP>-<router>-<vpn device>-<firewall>-<LAN>
>>
>> and
>>
>> <ISP>-<router>-<firewall>-<vpn device>-<LAN>
>>
>> Which of these is more commonly deployed?
>
>
>There is a 3rd configuration, where the firewall
>and VPN box sit side-by-side. The firewall
>continues to monitor most Internet services,
>except it leaves incoming VPN connections to the
>VPN box.
>
>
>                    |--<firewall>-----|
> <ISP>---<router>---|                 |---<LAN>
>                    |--<vpn device>---|
>
---
S Ramakrishnan
"... from the sunny shores of California ..."
rk_ at mailcity.com, (408) 616.3100
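As an added example (not from anyone in this thread), a small Python check for the inconsistency Rk's reply warns about: it takes the selector each VPN tunnel is set up to carry and the firewall's first-match rule list, and reports tunnels whose decrypted traffic the firewall would drop or only partly pass. All tunnels, rules and addresses are constructed sample data.

```python
"""Check that a firewall's rules pass the traffic each VPN tunnel carries."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Selector:
    src: str                     # CIDR of the remote (tunnel) side
    dst: str                     # CIDR on the protected LAN
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any

    def nets(self):
        return ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst)

def covers(rule: Selector, tun: Selector) -> bool:
    """Rule selector fully contains the tunnel selector."""
    rs, rd = rule.nets(); ts, td = tun.nets()
    return (ts.subnet_of(rs) and td.subnet_of(rd)
            and rule.proto in ("any", tun.proto)
            and rule.dport in (None, tun.dport))

def overlaps(rule: Selector, tun: Selector) -> bool:
    """Rule selector matches at least some of the tunnel's traffic."""
    rs, rd = rule.nets(); ts, td = tun.nets()
    proto_ok = "any" in (rule.proto, tun.proto) or rule.proto == tun.proto
    port_ok = None in (rule.dport, tun.dport) or rule.dport == tun.dport
    return rs.overlaps(ts) and rd.overlaps(td) and proto_ok and port_ok

def verdict(rules, tun: Selector) -> str:
    """First-match evaluation with default deny. 'partial' means a rule
    splits the tunnel's traffic, so only some of it gets that action."""
    for action, sel in rules:
        if covers(sel, tun):
            return action
        if overlaps(sel, tun):
            return "partial"
    return "deny"

def inconsistent_tunnels(rules, tunnels) -> dict:
    """Tunnels whose traffic the firewall would not pass in full."""
    out = {}
    for name, sel in tunnels.items():
        v = verdict(rules, sel)
        if v != "allow":
            out[name] = v
    return out

# Constructed sample data: three tunnels and a three-line firewall policy.
TUNNELS = {
    "branch":  Selector("10.1.0.0/24",   "192.168.0.0/24"),
    "partner": Selector("172.16.5.0/24", "192.168.0.10/32", "tcp", 443),
    "region":  Selector("10.2.0.0/16",   "192.168.0.0/24"),
}
FIREWALL = [  # evaluated top to bottom
    ("deny",  Selector("10.2.3.0/24",   "192.168.0.0/24")),            # one blocked site
    ("allow", Selector("10.1.0.0/24",   "192.168.0.0/24")),
    ("allow", Selector("172.16.5.0/24", "192.168.0.10/32", "tcp", 80)),  # port mismatch
]
```

Running `inconsistent_tunnels(FIREWALL, TUNNELS)` flags the partner tunnel (dropped outright, since the firewall allows port 80 where the tunnel carries 443) and the region tunnel (partially denied by the first rule), while the branch tunnel passes cleanly.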