Doubts about firewall Cisco PIX as VPN termination device

Christopher S. Gripp cgripp at AXCELERANT.COM
Fri Jan 19 16:31:29 EST 2001

A couple of words in regards to #2.  STRONG AUTHENTICATION

Something like 2 phase SecurID from RSA.

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM] On Behalf Of Longar, Dennis
Sent: Friday, January 19, 2001 7:42 AM
Subject: Re: Doubts about firewall Cisco PIX as VPN termination

> -----Original Message-----
> From: Graeme Rider [mailto:Graeme.Rider at COLESMYER.COM.AU]
> Sent: Wednesday, January 17, 2001 2:57 PM
> Subject: Re: Doubts about firewall Cisco PIX as VPN termination device
> can terminate a VPN connection on the firewall but:
> 	1.	a VPN connection is CPU and memory hungry

This is true, software VPNs are very CPU and memory hungry.
You need to consider this every time you set up a new VPN session
on your device.  Do I have enough memory?  Do I have enough CPU
for another session?

> 	2.	it is not good practice to do so as any compromise of a VPN
> connection can also compromise the firewall
> best practices is to pass the vpn connection through the firewall onto an
> endpoint on a separate subnet, then pass the connection back through the
> firewall to allow you to limit where they go....
> regards
> graeme rider

I really disagree with the logic of this.  If you have the
VPN server behind your firewall, you have now lost all
protection from your firewall if someone compromises
your VPN.  Yes, your firewall will still keep other people
out, but the guy that hacked your VPN is now inside your
network with wide open trusted access to everything.  Most
likely even the firewall.

I would say the most secure setup would be to have your
VPN server out in your DMZ ahead of your firewall. Terminated
on a separate interface on your firewall and you only allow
the VPN's session access to specific things behind your

Although if you have users that need wide open access to
your whole network, then you're pretty much putting faith
in the fact that the VPN won't be compromised no matter
how you set it up.

Where to put/run your VPN server is a tough question.  It's
going to depend on everything from: network design; where
your VPN sessions need access to; is it for internal network
users; is it for connecting corporate partners; etc.

Some guidelines I use would be:

Always first consider a separate (Dedicated) VPN server.
If you have time and are willing to learn you can even check
out what's in the Open source.

Next look at your network design and what the people using
those VPN sessions will need access to.

Next look at the type of access they will need.

Next decide what type of VPN you're going to use.  IPSEC, PPTP,
L2TP, GRE tunnel, proprietary VPNs...

Then you can pick what box you're going to do it on and where
you're going to terminate.

If you have a wide variety of access you may want to consider
breaking up your VPN sessions by what people need access to.
A corporate partner may only need access to very specific
segments or computers; this is a good candidate for VPN servers
that terminate out in your DMZ, or maybe a separate firewall.

I better stop now cause this is starting to get long, but
I think you get what I'm saying.

Everyone has different setups and you have to consider a
number of elements before you can decide what's right for
your network. If you are just looking to do a VPN without
considering security, network design, and why you're doing VPNs
then you need to hire someone to help you.


-Dennis

VPN is sponsored by SecurityFocus.COM
