[vpn] VPN tunnel termination????

Adam Safier safiera at gss-inc.com
Thu Oct 25 21:57:27 EDT 2001

In the ideal world you would have multiple layers and the VPN device would
pass non-VPN traffic at wire speed. In the real world you don't have the
budget and the VPN device is often dropped in a DMZ, creating routing issues
for the return traffic. Often you end up using NAT on the inside.

There are at least two flavors of VPN, Gateway to Gateway and Client to
Gateway. In many cases the gateway-gateway VPN has only primitive rules for
limiting connections. For example you only get to pick ports and IPs but
lose the option to force user authentication or additional content
filtering. You must do that from a subsequent firewall. Client to gateway
VPN usually includes authentication options for the users and often can do
other firewall stuff (content filtering). Sometimes the same authentication
mechanism can be used for non-VPN users.

My favorite layout is:

Internet---Router/ACL FW---(Firewall/Gateway-Gateway VPN)---(Authentication/Client-Gateway VPN)---Internal Firewall---Inside

Usually the external router and Gateway-Gateway VPN are rolled into one with
ACLs providing primitive firewalling. The internal firewall and Client VPN
are rolled into a second box.

Internet---(Router/ACL FW/G-G VPN)---(Authentication/C-G

Ideally the internal box has static routes and no routing protocol is
running while the external can have BGP etc.

Your mileage will vary with security policy, budget, politics, vendor and
existing network design.


-----Original Message-----
From: Christopher Gripp [mailto:cgripp at axcelerant.com]
Sent: Wednesday, October 24, 2001 5:34 PM
To: Cardona, Alberto; vpn at securityfocus.com;
FW-1-MAILINGLIST at beethoven.us.checkpoint.com
Subject: RE: [vpn] VPN tunnel termination????

1.  Performance.

Let firewalls be firewalls, routers be routers, and VPN devices be VPN
devices.  The caveat there is price and expediency of deployment.  I.e.
if you already own a Checkpoint firewall it won't be too difficult to
start running a VPN to it.  Reasons 2, 3, and 4 make this my least
favorite option.

2.  Layered security.

This architecture goes out the door if you use the same firewall box for
your VPN.  In my world, VPN boxes have firewalling functionality on them
but are not my company's firewalls.  Make sense?

3.  Availability.

I don't like having ALL my critical devices on one box.  Having a single
firewall to the internet that is also my VPN box is a viable solution
for a small business where cost is critical and security is a residual
effect.  Not for a mission critical Enterprise.

4.  Flexibility. (sometimes read as, extra administrative burden!)

For an Enterprise class solution my preference, not that I get my way
every time, is to have a border firewall with the VPN device behind that
and another firewall behind the VPN.  If the VPN device has a firewall
on it then the border firewall isn't an absolute necessity, but it
certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND
behind the VPN.

Having it in front of the VPN provides protection from attempts to
compromise the VPN device itself from the outside (Internet) and
protection from DoS attacks.  I can limit the traffic to only IPSec
related protocols and thus prevent attempts to telnet, SSH or whatever
directly to the VPN device.

Having one behind the VPN provides you with the ability to regulate the
traffic coming from within the VPN network.  I can't do any traffic
filtering or protocol based authentication or filtering when the traffic
is still encrypted.  But, once I have decrypted it, I can run it through
another firewall and then have those options.  So, if I want to limit a
particular group of users to a particular set of protocols or even
systems when they are VPNing in then I can do that with the additional

Hope that helps.

Christopher Gripp
Systems Engineer

"To have a right to do a thing is not at all the same as to be right in
doing it."

-G.K. Chesterton
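As an added illustration of the "firewall in front of AND behind the VPN" layout described above (example configuration, not part of the original message), here is a Cisco IOS extended ACL pair with constructed addresses: 192.0.2.10 stands in for the VPN gateway's outside interface, 10.20.0.0/24 for the pool that decrypted client traffic arrives from, and the interface names and internal server addresses are likewise assumptions.

```text
! Outer router / ACL firewall: only IPsec-related protocols may reach the
! VPN gateway, so telnet, SSH or anything else aimed at the box itself is
! dropped before it ever touches the VPN device.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500)
 permit udp any host 192.0.2.10 eq isakmp
 remark IKE/ESP over UDP/4500, only needed if NAT traversal is in use (assumption)
 permit udp any host 192.0.2.10 eq 4500
 remark ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp any host 192.0.2.10
 permit ahp any host 192.0.2.10
 remark everything else to the gateway, and everything else inbound, is denied and logged
 deny   ip any host 192.0.2.10 log
 deny   ip any any log
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
!
! Inner firewall: sees traffic only after the gateway has decrypted it, so
! per-group restrictions (which users reach which systems and protocols)
! become possible here. Constructed example: the client pool may reach the
! mail server on SMTP and the intranet web server on HTTPS, nothing else.
ip access-list extended VPN-USERS-IN
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.1.25 eq smtp
 permit tcp 10.20.0.0 0.0.0.255 host 10.1.1.30 eq 443
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group VPN-USERS-IN in
```

The two ACLs are deliberately split across devices: the outer one cannot inspect what is inside ESP, and the inner one never sees the raw Internet, which is the layering the message argues for.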

-----Original Message-----
From: Cardona, Alberto [mailto:alberto.cardona at cnacm.com]
Sent: Wednesday, October 24, 2001 1:06 PM
To: vpn at securityfocus.com;
'FW-1-MAILINGLIST at beethoven.us.checkpoint.com'
Subject: [vpn] VPN tunnel termination????

Does anyone know what the security ramifications are if you terminate a
VPN tunnel to a router instead of a firewall/router?
For example, is it safer to do a Check Point/Nokia to Check Point/Nokia,
PIX to PIX VPN tunnel
OR a router to router based tunnel (ex. Cisco 3640 to Cisco 1750)?



VPN is sponsored by SecurityFocus.com
