[vpn] VPN tunnel termination????

dgillett at deepforest.org
Wed Oct 24 18:29:34 EDT 2001

On 24 Oct 2001, at 16:06, Cardona, Alberto wrote:

> Does anyone know what are the security ramifications if you
> terminate a VPN tunnel to a router instead of a firewall/router?
> For example, is it safer to do a Check Point/Nokia to Check
> Point/Nokia or PIX to PIX VPN tunnel OR a router to router based
> tunnel (ex. Cisco 3640 to Cisco 1750)?
> Thanks
> AC

  Since the tunnel involves extending local network services to a 
remote site/client, I think it's wise to have that traffic traverse a 
packet logging/filtering point just outside the tunnel termination.

  That recommendation, though, could be used to support either answer 
to your question, depending on whether a given firewall 
implementation, in providing VPN tunnel termination, also filters 
that traffic.

  If you terminate the tunnel on a device in front of the firewall, 
you guarantee that the traffic can be filtered by the firewall, but 
you may also need to purchase an extra/larger router.
  On the other hand, firewalling, VPN termination, and NAT are all 
"security boundary" services, and it may be tricky to get these all 
right if they are spread across several devices.  A single device 
that provides all three limits your flexibility, hopefully only to 
sensible arrangements that do what you need.

David Gillett
