Doubts about firewall Cisco PIX as VPN termination device

Philipp Buehler lists at FIPS.DE
Tue Jan 23 05:29:23 EST 2001


On 22/01/2001, Christopher S. Gripp <cgripp at AXCELERANT.COM> wrote To VPN at SECURITYFOCUS.COM:
>
> a couple of words in regard to #2.  STRONG AUTHENTICATION
And something else, see below.

> > 	2.	it is not good practice to do so as any
> > compromise of a VPN
> > connection can also compromise the firewall
> > best practice is to pass the vpn connection through the
> > firewall onto an
> > endpoint on a separate subnet, then pass the connection back
> > through the
> > firewall to allow you to limit where they go....
>
> I really disagree with the logic of this.  If you have the
> VPN server behind your firewall, You have now lost all
> protection from your firewall if someone compromises
> your VPN.  Yes, your firewall will still keep other people
> out, but the guy that hacked your VPN is now inside your
> network with wide open trusted access to everything.  Most
> likely even the firewall.
He is not in the trusted network then ..

> I would say the most secure setup would be to have your
> VPN server out in your DMZ ahead of your firewall. Terminated
Graeme wrote "separate Subnet" - which is per se an additional
DMZ in my eyes. I think he was talking about something like that:

   +----+
---| FW |---LAN
   +----+
    |  |
    |  +--DMZ1 (Mailserver, etc..)
    +-----DMZ2 (VPN Endpoint)

So you protect the VPN endpoint with the firewall, and the firewall
also filters all unencrypted traffic from there into DMZ1 or the LAN,
in case someone is already 'inside' the VPN.

> on a separate interface on your firewall and you only allow
> the VPN's session access to specific things behind your
> firewall.
It seems you have just overlooked the word 'separate' :>
I agree with the following points, which are mostly covered by the
above setup.

ciao
--
Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | <double-p>
%SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time.
Artificial Intelligence stands no chance against Natural Stupidity.
           [X] <-- nail here for new monitor

VPN is sponsored by SecurityFocus.COM
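The point of the diagram above is that decrypted VPN traffic must cross the firewall a second time before it reaches DMZ1 or the LAN, so a compromised VPN endpoint is still fenced in. The following is an added example, not code from the original thread or from Cisco: a small Python model of a three-legged firewall with the policy that diagram implies (only IKE and ESP from outside to the VPN gateway; only two named services from the VPN client pool into DMZ1 and the LAN; implicit deny otherwise). All addresses, ports and host roles are constructed assumptions, and "outside"/"lan"/"dmz1"/"dmz2" are the firewall's interfaces. It also models the alternative the thread argues against, a VPN gateway sitting directly on the LAN, where traffic to LAN hosts never touches the firewall at all.

```python
"""Policy model for a firewall with LAN, DMZ1 (mail) and DMZ2 (VPN endpoint).
Added example; addresses and services below are constructed, not from the post."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing (assumption): one network per firewall interface.
SEGMENTS = {
    "lan":  ip_network("10.1.0.0/16"),
    "dmz1": ip_network("192.0.2.0/24"),      # mail server etc.
    "dmz2": ip_network("198.51.100.0/24"),   # VPN endpoint lives here
}
VPN_GW      = ip_address("198.51.100.10")    # IPsec gateway in DMZ2 (assumed)
VPN_POOL    = ip_network("172.16.0.0/24")    # inner addresses handed to VPN clients (assumed)
MAIL_SERVER = ip_address("192.0.2.25")       # in DMZ1 (assumed)
INTRANET    = ip_address("10.1.5.80")        # in LAN (assumed)
ANY         = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    in_if: str                 # interface the firewall receives the packet on
    src: IPv4Address
    dst: IPv4Address
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    in_if: str
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: Optional[int]       # None matches any destination port
    action: str                # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.in_if == p.in_if and p.src in self.src and p.dst in self.dst
                and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport))


def host(ip: IPv4Address) -> IPv4Network:
    return ip_network(f"{ip}/32")


# Policy for the "VPN endpoint in its own DMZ" layout: encrypted traffic may
# only hit the gateway; decrypted client traffic re-enters on the dmz2
# interface and is narrowed to two services.  Anything the gateway itself
# originates, and everything else, falls through to the implicit deny.
SEPARATE_DMZ_POLICY: List[Rule] = [
    Rule("outside", ANY, host(VPN_GW), "udp", 500, "permit"),        # IKE
    Rule("outside", ANY, host(VPN_GW), "esp", None, "permit"),       # ESP
    Rule("dmz2", VPN_POOL, host(MAIL_SERVER), "tcp", 25, "permit"),  # clients -> mail
    Rule("dmz2", VPN_POOL, host(INTRANET), "tcp", 80, "permit"),     # clients -> intranet
]


def segment_of(ip: IPv4Address) -> str:
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "outside"


def evaluate(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins; unmatched traffic is denied."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def crosses_firewall(p: Packet) -> bool:
    """Traffic whose destination is on the ingress segment never reaches the firewall."""
    return segment_of(p.dst) != p.in_if


def reachable(policy: List[Rule], p: Packet) -> bool:
    if not crosses_firewall(p):
        return True            # same wire as the destination: nothing filters it
    return evaluate(policy, p) == "permit"


def compromised_gateway_reach(policy: List[Rule], gw: IPv4Address, gw_if: str,
                              targets: List[IPv4Address]) -> Dict[str, bool]:
    """Which targets can an attacker who owns the VPN gateway open an
    arbitrary TCP connection to (port 22 used as a stand-in)?"""
    return {str(t): reachable(policy, Packet(gw_if, gw, t, "tcp", 22)) for t in targets}


if __name__ == "__main__":
    targets = [INTRANET, ip_address("10.1.5.81"), MAIL_SERVER]
    print("gateway in DMZ2:", compromised_gateway_reach(SEPARATE_DMZ_POLICY, VPN_GW, "dmz2", targets))
    print("gateway on LAN :", compromised_gateway_reach(SEPARATE_DMZ_POLICY, ip_address("10.1.0.10"), "lan", targets))
```

Running it shows the contrast the thread is about: with the gateway in DMZ2 every target comes back False, because the gateway's own address is not in the client pool and no rule lets dmz2 traffic elsewhere, while a gateway on the LAN reaches every LAN host without the firewall ever seeing the packets.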
