[vpn] VPN tunnel termination????

Christopher Gripp cgripp at axcelerant.com
Wed Oct 24 17:33:58 EDT 2001

1.  Performance.

Let firewalls be firewalls, routers be routers, and VPN devices be VPN
devices.  The caveat there is price and expediency of deployment.  I.e.
if you already own a Checkpoint firewall it won't be too difficult to
start running a VPN to it.  Reasons 2, 3, and 4 make this my least
favorite option.

2.  Layered security.

This architecture goes out the door if you use the same firewall box for
your VPN.  In my world, VPN boxes have firewalling functionality on them
but are not my company's firewalls.  Make sense?

3.  Availability.

I don't like having ALL my critical devices on one box.  Having a single
firewall to the internet that is also my VPN box is a viable solution
for a small business where cost is critical and security is a residual
effect.  Not for a mission critical Enterprise.

4.  Flexibility. (sometimes read as, extra administrative burden!)

For an Enterprise class solution my preference, not that I get my way
every time, is to have a border firewall with the VPN device behind that
and another firewall behind the VPN.  If the VPN device has a firewall
on it then the border firewall isn't an absolute necessity, but it
certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND
behind the VPN.

Having it in front of the VPN provides protection from attempts to
compromise the VPN device itself from the outside (Internet) and
protection from DoS attacks.  I can limit the traffic to only IPSec
related protocols and thus prevent attempts to telnet, SSH or whatever
directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the
traffic coming from within the VPN network.  I can't do any traffic
filtering or protocol based authentication or filtering when the traffic
is still encrypted.  But once I have decrypted it, I can run it through
another firewall and then have those options.  So, if I want to limit a
particular group of users to a particular set of protocols or even
systems when they are VPNing in then I can do that with the additional

Hope that helps.

Christopher Gripp 
Systems Engineer 

"To have a right to do a thing is not at all the same as to be right in
doing it."

-G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com;
'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does anyone know what the security ramifications are if you terminate a
VPN tunnel to a router instead of a firewall/router.
For example, is it safer to do a Check Point/Nokia to Check Point/Nokia,
PIX to PIX VPN tunnel
OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750).
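The two-tier layout described in the reply above (a border firewall that only passes IPsec to the VPN device, and a second firewall that sees the decrypted traffic and applies per-group policy) as an added illustration; this is not code from the original thread or from any of the vendors named in it. It models a small first-match packet filter in Python and runs an encrypted packet through both tiers. The topology, addresses (RFC 5737 / RFC 1918 documentation ranges), group address pools and the rulesets are all constructed assumptions; the point it shows is that the border tier can only match on the outer ESP/IKE headers, while group-level filtering becomes possible only after decryption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# IANA-assigned IP protocol numbers used below.
ESP, AH, TCP, UDP = 50, 51, 6, 17

# Constructed topology (assumption, not from the thread):
#   Internet -> border firewall -> VPN device -> inner firewall -> LAN
VPN_PUBLIC = "203.0.113.10/32"     # outside interface of the VPN device
LAN = "10.0.0.0/24"                # protected network behind the inner firewall
ENGINEERING_POOL = "10.8.0.0/25"   # addresses handed to the "engineering" VPN group
CONTRACTOR_POOL = "10.8.0.128/25"  # addresses handed to the "contractor" VPN group


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # destination port, TCP/UDP only


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None   # None = any IP protocol
    dports: Optional[FrozenSet[int]] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Border tier: the only thing reachable from the Internet is the VPN device,
# and only on the IPsec control/data protocols.  Telnet, SSH or anything else
# aimed at the device's public address falls through to the implicit deny.
BORDER_RULES = [
    Rule("permit", dst=VPN_PUBLIC, proto=UDP, dports=frozenset({500, 4500})),  # IKE, NAT-T
    Rule("permit", dst=VPN_PUBLIC, proto=ESP),
    Rule("permit", dst=VPN_PUBLIC, proto=AH),
]

# Inner tier: sees traffic only after the VPN device has decrypted it, so the
# policy can be written per user group (modelled here as per address pool).
INNER_RULES = [
    Rule("permit", src=ENGINEERING_POOL, dst=LAN, proto=TCP, dports=frozenset({22, 443})),
    Rule("permit", src=CONTRACTOR_POOL, dst="10.0.0.50/32", proto=TCP, dports=frozenset({443})),
]


def traverse(outer: Packet, inner: Packet) -> Tuple[str, str]:
    """Run an encrypted packet through both tiers.

    The border firewall only ever sees the outer ESP header; the inner packet
    is opaque until the VPN device decrypts it.  Only then can the inner
    firewall apply the per-group rules.
    """
    border = evaluate(BORDER_RULES, outer)
    if border != "permit":
        return border, "not-reached"
    return border, evaluate(INNER_RULES, inner)


if __name__ == "__main__":
    esp = Packet("198.51.100.7", "203.0.113.10", ESP)
    print(traverse(esp, Packet("10.8.0.5", "10.0.0.20", TCP, 22)))    # ('permit', 'permit')
    print(traverse(esp, Packet("10.8.0.130", "10.0.0.20", TCP, 22)))  # ('permit', 'deny')
    print(evaluate(BORDER_RULES, Packet("198.51.100.7", "203.0.113.10", TCP, 23)))  # deny
```

The border ruleset deliberately has no entry for the VPN device's management ports, which is what closes off direct telnet/SSH attempts from the Internet; the inner ruleset is where "this group may only reach these hosts on these protocols" lives, because that is the first point at which source addresses and ports are visible in cleartext.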



VPN is sponsored by SecurityFocus.com
