Doubts about firewall Cisco PIX as VPN termination device
lists at FIPS.DE
Tue Jan 23 05:29:23 EST 2001
On 22/01/2001, Christopher S. Gripp <cgripp at AXCELERANT.COM> wrote to VPN at SECURITYFOCUS.COM:
> a couple of words in regards to #2. STRONG AUTHENTICATION
And something else, see below:
> > 2. it is not good practice to do so as any
> > compromise of a VPN
> > connection can also compromise the firewall
> > best practices is to pass the vpn connection through the
> > firewall onto an
> > endpoint on a separate subnet, then pass the connection back
> > through the
> > firewall to allow you to limit where they go....
> I really disagree with the logic of this. If you have the
> VPN server behind your firewall, you have now lost all
> protection from your firewall if someone compromises
> your VPN. Yes, your firewall will still keep other people
> out, but the guy that hacked your VPN is now inside your
> network with wide open trusted access to everything. Most
> likely even the firewall.
He is not in the trusted network then.
> I would say the most secure setup would be to have your
> VPN server out in your DMZ ahead of your firewall. Terminated
Graeme wrote "separate subnet", which is per se an additional
DMZ in my eyes. I think he was talking about something like this:
   ---| FW |---LAN
        |  +--DMZ1 (Mailserver, etc..)
        +-----DMZ2 (VPN Endpoint)
So you protect the VPN endpoint with the firewall, but also all
unencrypted traffic from there into DMZ1 or the LAN, in case someone
is already 'inside' the VPN.
> on a separate interface on your firewall and you only allow
> the VPN's session access to specific things behind your
It seems you have just overlooked the word 'separate' :>
I agree w/ the following points, which are mainly set w/ the
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | <double-p>
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
[X] <-- nail here for new monitor
VPN is sponsored by SecurityFocus.COM
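The layout sketched in the post, as an added example that is not part of the original message or of any Cisco configuration: a small first-match packet-filter model in Python in which the VPN endpoint sits on its own DMZ leg (dmz2), so that decrypted traffic has to cross the firewall a second time before it reaches DMZ1 or the LAN. The interface names, addresses, hosts and the list of permitted services are all assumptions chosen for illustration; the post gives only the diagram.

```python
"""Model of the two-DMZ layout from the post, as an added example.

All interface names, addresses and the service list are assumptions made for
illustration; the post itself gives only the sketch.  First match wins and the
firewall defaults to deny, as a PIX or any other stateful filter does when no
rule permits a packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the three firewall legs in the diagram.
INTERFACES = {
    "dmz1": [ip_network("192.0.2.0/24")],       # mail server etc.
    "dmz2": [ip_network("198.51.100.0/24"),     # the VPN endpoint itself
             ip_network("10.8.0.0/24")],        # client pool, routed via the endpoint
    "inside": [ip_network("10.1.0.0/16")],      # the LAN
}
VPN_ENDPOINT = "198.51.100.2"
MAIL_SERVER = "192.0.2.10"
FILE_SERVER = "10.1.0.20"


def iface_of(addr: str) -> str:
    """Firewall interface on which traffic from addr arrives (or towards addr leaves)."""
    a = ip_address(addr)
    for name, nets in INTERFACES.items():
        if any(a in n for n in nets):
            return name
    return "outside"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    in_if: str                 # interface the packet arrives on
    src: str                   # CIDR
    dst: str                   # CIDR
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (iface_of(f.src) == self.in_if
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))


# Policy for the separate-DMZ layout (assumed services; first match wins).
SEPARATE_DMZ_POLICY = [
    # From the Internet only the tunnel protocols may reach the endpoint.
    Rule("allow", "outside", "0.0.0.0/0", f"{VPN_ENDPOINT}/32", "udp", 500),
    Rule("allow", "outside", "0.0.0.0/0", f"{VPN_ENDPOINT}/32", "esp"),
    # Decrypted traffic comes back in on dmz2 and gets only the listed services.
    Rule("allow", "dmz2", "10.8.0.0/24", f"{MAIL_SERVER}/32", "tcp", 25),
    Rule("allow", "dmz2", "10.8.0.0/24", f"{MAIL_SERVER}/32", "tcp", 143),
    Rule("allow", "dmz2", "10.8.0.0/24", f"{FILE_SERVER}/32", "tcp", 445),
    # Anything else from dmz2, the endpoint host itself included, is dropped.
    Rule("deny", "dmz2", "0.0.0.0/0", "0.0.0.0/0"),
]


def decide(policy, flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


def decide_endpoint_on_lan(policy, flow: Flow) -> str:
    """Same flows with the endpoint plugged into the LAN segment instead.

    Decrypted packets for LAN hosts are then switched directly and never
    cross the firewall, so no rule can be applied to them."""
    if iface_of(flow.dst) == "inside":
        return "unfiltered"
    return decide(policy, flow)


if __name__ == "__main__":
    # Constructed sample flows: a VPN user, the endpoint host, an Internet host.
    samples = [
        Flow("10.8.0.5", MAIL_SERVER, "tcp", 25),
        Flow("10.8.0.5", "10.1.5.7", "tcp", 22),
        Flow(VPN_ENDPOINT, FILE_SERVER, "tcp", 445),
        Flow("203.0.113.9", VPN_ENDPOINT, "udp", 500),
        Flow("203.0.113.9", VPN_ENDPOINT, "tcp", 22),
    ]
    for f in samples:
        print(f, decide(SEPARATE_DMZ_POLICY, f),
              decide_endpoint_on_lan(SEPARATE_DMZ_POLICY, f))
```

The point of the last function is the one made in the thread: with the endpoint on dmz2, a VPN user who has been let in still only reaches mail and the file server, and a compromised endpoint host reaches nothing on the LAN, whereas with the endpoint on the LAN segment the same decrypted packets are never seen by the firewall at all.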