[VPN] VPN and FW separated or integrated ?

safieradam safieradam at hotmail.com
Wed Apr 2 14:00:02 EST 2003


The VPN 3000 series is targeted at user-to-gateway VPN and has a good
feature set in that respect.  I've only seen the PIX used for site-to-site VPN.

The VPN 3000 will let you set up access groups and if you want you can
assign IP pools to the groups. The client seems to have an IP from the pool
even though the ISP gave them something totally different.  This allows
internal firewalls/routers to filter the VPN users by IP pool if your
resources are distributed by department/group.  If all your servers are
lumped on one subnet and you have minimal access control you can set up
ACLs on the Cisco box itself. You can also track the user by the IP address
throughout the internal network and, if you go to the trouble, your IDS
alarms can be cross-referenced to the VPN log to identify the user ID that
set off the alarms.

The GUI and command line commands are easy to use and you don't really need
to know Cisco IOS.  I set up a 3015 concentrator and Cisco clients to work
with PKI and smart cards for authentication and suffered through only minor
tech glitches.  You also have RADIUS and Active Directory authentication
options.  However, you should be ready for Cisco to claim glitches are
features and point the finger at everyone else until they have a scheduled
upgrade release that may or may not fix the problem.  Still, the stuff works
well for the most part.

You might also want to look at other products as mentioned by others.  To
size your system, consider how many simultaneous users will be on at the same
time and what your usage profile is going to be, i.e. 300 users can
translate to 3 simultaneous users at any one time or to 300 VPN connections
up 10 hrs/day simultaneously.  Do you need to drop connections that are idle
for x minutes for security/performance reasons, or do you need to keep idle
connections up for fast response?  Do you do split tunneling (bad security),
or do you have users go through your corporate proxy to surf the web
(performance/capacity issues)?  Try to profile the traffic as best you can,
then develop some requirements, then look at products.

Finally, the brain dead French have legal limitations on VPN encryption
strength, key escrow and generally an incompetent world security outlook.
Check your local laws before doing much of anything in France.

Adam Safier
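The IDS-to-VPN-log cross-reference described in the post, as an added example that is not part of the original message or any Cisco tool: it pairs the concentrator's login/logout events into sessions and resolves each IDS alarm's source address to whichever user held that pool IP at the alarm's time. The log formats and all sample lines are constructed; the real VPN 3000 syslog format differs.

```python
# Constructed sample data: the log formats below are invented for illustration
# and are not real VPN 3000 or IDS output. Pool address 10.8.1.5 is reused by
# two users in turn, so the match must consider time, not just the IP.
from datetime import datetime

VPN_LOG = """\
2003-04-01 08:02:11 LOGIN user=jsmith group=finance ip=10.8.1.5
2003-04-01 09:47:30 LOGOUT user=jsmith ip=10.8.1.5
2003-04-01 10:15:02 LOGIN user=mjones group=engineering ip=10.8.1.5
"""

# Constructed IDS alarms: timestamp, source IP, signature name.
IDS_LOG = """\
2003-04-01 09:10:44 10.8.1.5 SMB-share-enumeration
2003-04-01 10:30:05 10.8.1.5 port-scan
2003-04-01 11:05:00 10.8.9.9 port-scan
"""

def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def parse_vpn_log(text):
    """Pair LOGIN/LOGOUT events into (user, group, ip, start, end) tuples.
    A session with no LOGOUT yet is still open (end=None)."""
    open_by_ip, sessions = {}, []
    for line in text.splitlines():
        date, time, event, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        ts = parse_ts(date, time)
        if event == "LOGIN":
            open_by_ip[f["ip"]] = (f["user"], f["group"], ts)
        elif event == "LOGOUT":
            user, group, start = open_by_ip.pop(f["ip"])
            sessions.append((user, group, f["ip"], start, ts))
    sessions += [(u, g, ip, st, None) for ip, (u, g, st) in open_by_ip.items()]
    return sessions

def attribute_alarms(vpn_text, ids_text):
    """Return (timestamp, ip, signature, user) per alarm; user is None when
    no VPN session held that source address at that moment."""
    sessions = parse_vpn_log(vpn_text)
    out = []
    for line in ids_text.splitlines():
        date, time, ip, sig = line.split()
        ts = parse_ts(date, time)
        user = next((u for u, _, sip, st, en in sessions
                     if sip == ip and st <= ts and (en is None or ts <= en)), None)
        out.append((ts, ip, sig, user))
    return out
```

An alarm whose source address has no session (here 10.8.9.9) comes back with user None, which is itself worth alerting on, since nothing outside the pool should be talking from that range.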




----- Original Message -----
From: "Rudi Pierquin" <pierudi at yahoo.fr>
To: <vpn at lists.shmoo.com>
Sent: Monday, March 31, 2003 9:30 AM
Subject: [VPN] VPN and FW separated or integrated ?


> Hi,
>
> We are currently looking to implement a homeworking
> solution for max 300 users. For this matter, I am
> wondering if any of you could tell me what is the
> benefit in buying separately VPN and firewall device.
> More specifically, comparing the Cisco VPN3000 box
> with the PIX firewall, can somebody tell me why should
> I use a VPN3000 box if a PIX535 with 6.3 software on
> it gives me all the VPN and FW capabilities I could
> dream of?
>
> Many thanks,
>
> Rudi
>
