[vpn] VPN and firewall question

Mark Priebatsch mark.priebatsch at activcard.com.au
Thu Oct 11 04:27:47 EDT 2001



-----Original Message-----
From: Igor Pronin [mailto:Igor.Pronin at Elma.Net]
Sent: 11 October 2001 06:27
To: vpn at securityfocus.com
Subject: Re: [vpn] VPN and firewall question



----- Original Message -----
From: "Mark Priebatsch" <mark.priebatsch at activcard.com.au>

> Sorry could you explain further.  If the client is running a VPN client to a
> VPN gateway and it has been set that it will only receive encrypted traffic

Some kind of a firewall ? Is it also restricted by the sender IP address
i.e. only VPN Gateway allowed?

Not certain I understand what you mean here. I am not saying that it is
providing firewall functions, just that on the client it only allows
communications to and from the VPN gateway. The VPN gateway is behind a
firewall etc.

> on its network interface when connected to/from the VPN gateway, then how
> can another Internet user get access to the PC while connected.
> (0.0.0.0/0.0.0.0 is handled by the VPN Gateway.  I know that this has some
> requirements on the IPSec driver.
>
> I am not covering off the scenarios of when not VPN connected, and/or the
> IPSec driver running in passive/unconnected mode, just for when the PC is
> connected.

At least the network/VPN I am administering has VPN and ordinary,
unencrypted connections (all outgoing) at the same time, the only
difference being the destination IP address - only communications to the
company Intranet are VPN (IPSec). Incoming communications are restricted
by the firewall. I can have some connections open through the VPN tunnel and
other connections unencrypted, both going through the ISP used. In practice
all VPN connections are to my company and unencrypted connections go
elsewhere.  So the computer is all the time "open" to the net (but
secured by the firewall).

VPN (IPsec) is not equal to a firewall. They have different functions and can
be different boxes and/or programs, but can be combined in the same box
and/or program. They take care of different sides of the security
problem. And BTW there still is the security problem which cannot be
covered by any box nor program: human negligence and/or error and
similar.


Agreed - the model is along the lines of:

		   Internet
			 ^
			 |
CLIENT <---(via Internet)----F/W------->VPN GATEWAY -----> Intranet
   |							   |
   ==========================================  (IPSec tunnel)

Client network interface set to only accept authenticated/encrypted packets
from the gateway.  All routing for the Client when connected is via the
Gateway. Main purpose would be to stop Internet hijacking.

regards

Igor.Pronin at iki.fi
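The two client models discussed in this thread can be compared side by side. The following is an added illustration, not code from either poster or from any VPN product: it models Mark's "gateway-only" interface (accept nothing but authenticated IPsec from the gateway while the tunnel is up, 0.0.0.0/0 routed through it) beside Igor's split-tunnel setup (IPsec to the Intranet, plain traffic elsewhere, inbound limited by a stateful personal firewall). The addresses, the packet sample and the firewall state table are constructed for the example; the `authenticated` flag stands in for a successful IPsec SA check.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario in the thread (not from the page).
GATEWAY_IP = "203.0.113.1"     # public side of the VPN gateway (behind the F/W)
WEB_SERVER = "192.0.2.80"      # some unrelated Internet host
OTHER_HOST = "198.51.100.66"   # an arbitrary Internet host sending unsolicited traffic


@dataclass(frozen=True)
class Inbound:
    """One packet arriving on the client's network interface."""
    label: str
    src: str
    proto: str                   # "esp" for IPsec-protected traffic, otherwise "tcp"/"udp"
    local_port: int = 0          # destination port on the client (0 for ESP)
    authenticated: bool = False  # True only when the IPsec SA check succeeded


def gateway_only(pkt: Inbound) -> bool:
    """Mark's model: with the tunnel up, the interface accepts nothing but
    authenticated IPsec traffic from the gateway; everything else is dropped
    regardless of whether the client initiated anything."""
    return pkt.src == GATEWAY_IP and pkt.proto == "esp" and pkt.authenticated


def split_tunnel(pkt: Inbound, connections: set) -> bool:
    """Igor's model: IPsec only towards the Intranet, plain traffic to the rest
    of the Internet, inbound limited by a stateful firewall that admits replies
    to connections the client opened, tracked as (remote_ip, proto, local_port)."""
    if pkt.src == GATEWAY_IP and pkt.proto == "esp" and pkt.authenticated:
        return True
    return (pkt.src, pkt.proto, pkt.local_port) in connections


# Constructed traffic sample arriving at the client.
SAMPLE = [
    Inbound("intranet reply via tunnel", GATEWAY_IP, "esp", authenticated=True),
    Inbound("ESP with spoofed gateway source", GATEWAY_IP, "esp", authenticated=False),
    Inbound("unsolicited inbound SYN to a local service", OTHER_HOST, "tcp", local_port=445),
    Inbound("HTTP reply to a browsing session", WEB_SERVER, "tcp", local_port=40123),
]

# State the split-tunnel client's firewall holds after the user opened a web page.
OPEN_CONNECTIONS = {(WEB_SERVER, "tcp", 40123)}


def evaluate() -> dict:
    """Return {label: (accepted_by_gateway_only, accepted_by_split_tunnel)}."""
    return {
        p.label: (gateway_only(p), split_tunnel(p, OPEN_CONNECTIONS))
        for p in SAMPLE
    }


if __name__ == "__main__":
    for label, (g, s) in evaluate().items():
        print(f"{label:45s} gateway-only={str(g):5s} split-tunnel={s}")
```

The difference the thread is circling is visible in the last two rows: under the gateway-only model the client never talks to the Internet directly while connected, so both the unsolicited packet and the ordinary HTTP reply are dropped at the interface (the web page would have to be fetched through the tunnel and the corporate firewall). Under the split-tunnel model the host stays reachable from the Internet and relies on the personal firewall's connection tracking to tell a legitimate reply from unsolicited traffic, which is exactly why Igor describes that computer as "open to the net but secured by the firewall".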



VPN is sponsored by SecurityFocus.com


