[vpn] VPN tunnel termination????

Cardona, Alberto alberto.cardona at cnacm.com
Wed Oct 24 18:23:10 EDT 2001

I currently have 1 dedicated Firewall (FW-1/Nokia) used only for Internet
Browsing and 
a another separate one only for site to site VPN. I have many sites running
in a full blown VPN mesh.

On my site to site I have a 2 tier level security.  We have had no problems
so far.
1 platform dedicated just for Routing (Internet Router) and the another
platform dedicated for VPN (FW-1/Nokia).
An attacker would have to exploit both platforms to compromise the internal

Here comes my problem.

We are currently think in replacing our current setup with a Cisco router
based VPN.
We want to implement a design that uses a Cisco 1750 using the Firewall
add-on and Encryption accelerator card 
for our remote sites.
Theses Cisco's 1750 will then hub into a Cisco 7000 VPN router running Cisco
Firewall package and accelerator card.
We will have to 2 hubs located in different states which are connected to
each other via frame.
The tunnels between the 1750 and 7000 router are going to be GRE based with
IPSEC because of OSPF.
1 hub is going to be a Primary and the other a backup.  By using GRE, OSPF
should take care of the failover (I hope)
Each router at each location (Hub and remote site) is going to be connected
directly to the network.  
In other words, one connection to the LAN and the other to the Internet.

My question is does this compromise my level of security?  
Since I am only using a 1 tier level design by using a Cisco router to be a
VPN, Firewall and a router.



-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Wednesday, October 24, 2001 5:34 PM
To: Cardona, Alberto; vpn at securityfocus.com;
FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Subject: RE: [vpn] VPN tunnel termination????

1.  Performance.

Let firewalls be firewalls, routers be routers, and VPN devices be VPN
devices.  The caveat there is price and expediency of deployment.  I.e.
if you already own a Checkpoint firewall it won't be too difficult to
start running a VPN to it.  Reasons 2, 3, and 4 make this my least
favorite option.

2.  Layered security.

This architecture goes out the door if you use the same firewall box for
your VPN.  In my world, VPN boxes have firewalling functionality on them
but, are not my company's firewalls.  Make sense?

3.  Availability.

I don't like having ALL my critical devices on one box.  Having a single
firewall to the internet that is also my VPN box is a viable solution
for a small business where cost is critical and security is a residual
effect.  Not for a mission critical Enterprise.

4.  Flexibility. (sometimes read as, extra administrative burden!)

For an Enterprise class solution my preference, not that I get my way
every time, is to have a border firewall with the VPN device behind that
and another firewall behind the VPN.  If the VPN device has a firewall
on it then the border firewall isn't an absolute necessity but, it
certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND
behind the VPN.

Having it in front of the VPN provides protection from attempts to
compromise the VPN device itself from the outside(Internet) and
protection from DoS attacks.  I can limit the traffic to only IPSec
related protocols and thus prevent attempts to telnet, SSH or whatever
directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the
traffic coming from within the VPN network.  I can't do any traffic
filtering or protocol based authentication or filtering when the traffic
is still encrypted.  But, once I have decrypted it, I can run it through
another firewall and then have those options.  So, if I want to limit a
particular group of users to a particular set of protocols or even
systems when they are VPNing in then I can do that with the additional

Hope that helps.

Christopher Gripp 
Systems Engineer 

"To have a right to do a thing is not at all the same as to be right in
doing it."

-G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com;
'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does any anyone know what are the security ramifications if you
terminate a
VPN tunnel
to a router instead of a firewall/router.
For example is it safer to do a Check Point/Nokia to Check Point/Nokia
PIX to PIX VPN tunnel 
OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750).



VPN is sponsored by SecurityFocus.com

VPN is sponsored by SecurityFocus.com

More information about the VPN mailing list