Firewall and VPN Device

Fullerton, Glenn gfullerton at talisman-energy.com
Tue Oct 26 10:00:55 EDT 1999


I like the VPN inside the firewall and on a separate port on the internal
router (if you have one).

My setup is Internet ---> Router -----> Firewall ------> Router -----> Internal

I do it this way for a couple of reasons......

I use the firewall to only allow through the protocols/ports required to run
IPsec to that device.  I do not like having every port open possible to
attack an incoming device.

I then route the vpn traffic to its own port.  This could be its own port
on the firewall as well.  This way I get a dmz type network that can be
viewed from the Internet but only for the protocols and ports my firewall
allows.  The internal port on the vpn then goes onto the internal network.

- only allow through what you need
- divide incoming and outgoing traffic if you can (separate ports on the
firewall/router etc)

Just my ideas

Glenn
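The inbound rule set the two replies above describe (pass only IKE, AH and ESP to the VPN device, drop everything else) as a small Python model that can be run against constructed packets. This is an added example, not code from the list thread; the addresses and the `Packet` type are constructed placeholders.

```python
# Added example: a minimal model of the external filter for the
# "firewall in front of the VPN device" layout. The firewall cannot look
# inside IPsec, so its only decision is "is this IPsec addressed to the
# VPN gateway?". Addresses below are constructed placeholders.
from dataclasses import dataclass

PROTO_ESP, PROTO_AH, PROTO_UDP, PROTO_TCP = 50, 51, 17, 6
IKE_PORT = 500

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    dport: int = 0    # only meaningful for TCP/UDP

VPN_GATEWAY = "192.0.2.10"   # constructed address on the DMZ-style port

def inbound_allowed(pkt: Packet, vpn_gw: str = VPN_GATEWAY) -> bool:
    """Return True only for packets the external rule set should pass.

    Rules, in order: ESP or AH to the VPN gateway; IKE (UDP/500) to the
    VPN gateway; everything else inbound is dropped. AH and ESP are IP
    protocols, not ports, so they are matched on the protocol field only.
    """
    if pkt.dst != vpn_gw:
        return False
    if pkt.proto in (PROTO_ESP, PROTO_AH):
        return True
    if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
        return True
    return False

def filter_inbound(packets):
    """Apply the rule set to a list of packets; return (passed, dropped)."""
    passed = [p for p in packets if inbound_allowed(p)]
    dropped = [p for p in packets if not inbound_allowed(p)]
    return passed, dropped

if __name__ == "__main__":
    # Constructed sample traffic: two legitimate IPsec flows, one attempt
    # to reach another service on the gateway, one aimed at an inside host.
    sample = [
        Packet("198.51.100.7", VPN_GATEWAY, PROTO_UDP, IKE_PORT),
        Packet("198.51.100.7", VPN_GATEWAY, PROTO_ESP),
        Packet("198.51.100.7", VPN_GATEWAY, PROTO_TCP, 23),
        Packet("198.51.100.7", "10.0.0.5", PROTO_ESP),
    ]
    ok, bad = filter_inbound(sample)
    print(f"passed {len(ok)}, dropped {len(bad)}")   # passed 2, dropped 2
```

Note that this models the plain IPsec case the thread discusses; a deployment that NATs the gateway needs an additional rule for UDP/4500, which this example deliberately does not open.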

-----Original Message-----
From: David Goldsmith [mailto:dgoldsmi at erols.com]
Sent: Monday, October 25, 1999 8:09 AM
To: vpn at listserv.secnetgroup.com
Subject: Re: Firewall and VPN Device


Of those two, I would say the second where the VPN device is inside the
firewall.
The firewall would have to allow external access to the VPN device for IP
protocols 50 and 51 (AH/ESP) and UDP port 500 (IKE).

If you used the first, then all of your "secure" traffic would now be open
and have to be filtered by the firewall.

A third solution that is common is a parallel implementation. The firewall
filters all unsecure traffic but the secure traffic is allowed to bypass it.

R/S

Dave Goldsmith
dgoldsmi at erols.com

-----Original Message-----
From: S Ramakrishnan <rk_ at mailcity.com>
To: 'vpn at listserv.secnetgroup.com' <vpn at listserv.secnetgroup.com>
Date: Thursday, October 21, 1999 10:08 AM
Subject: Firewall and VPN Device


>Consider the two configurations:
>
>  <ISP>-<router>-<vpn device>-<firewall>-<LAN>
>
>and
>
>  <ISP>-<router>-<firewall>-<vpn device>-<LAN>
>
>
>Which of these is more commonly deployed?
>In the second case, since the firewall
>cannot see the IP payload (assuming that
>IPSec is used in tunnel mode), what
>should be the rules on the firewall
>to permit incoming IPSec flows? Will the
>firewall only permit IKE, AH and ESP
>protocols?
>
>
>- sr

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************
