Firewall Wizards mailing list archives

Re: Opinions on VPN?

From: dreamwvr <dreamwvr () dreamwvr com>
Date: Mon, 19 Apr 1999 17:00:29 -0600

hi,
   great thread! to elaborate IMHO it should be done in parallel with the 
firewall. like below...


Internet -------| BastionA |-------------[ Int Net ]

                | BastionA | 
                     |
VPN-------------- VPN GW
that way all traffic going out us evaluated by firewall then
pours out the interface dedicated to VPN GW where it is encrypted 
and sent along its merry way. incoming VPN GW handles only VPN 
traffic and once reverse engineered ;-) decrypted it is evaluated 
by the firewall before continuing any further. the top Internet 
side interface handles all other internet traffic flow period..
well FWIW that is my opinion:-)
                                                        Regards,
                                                        dreamwvr () dreamwvr com
At 01:34 PM 4/19/99 +0200, Andreas Gunnarsson wrote:

On Sat, 17 Apr 1999, Jan B. Koum  wrote:

     Am I alone in the opinion that VPN mostly suck or is it just
because I tend to run into a lot of misconfigured cisco routers which
do encrypt data, but also route packets from others into your net :(


I think VPN is a useful tool but you shouldn't allow a VPN through a
firewall IMHO. Here is a way to use a VPN:

Internal net ----- Firewall ----- external net
                     |
                VPN-gateway

The firewall lets only ipsec (or whatever the VPN is using) through from
the outside to the VPN-gateway, and then the firewall can filter the
unencrypted traffic that goes to the internal net.

If two sites connects this way it should be as secure as the VPN and
firewalls. If mobile clients connects to the VPN you have to make sure
that the client itself is secure so it can't be used as a way into the VPN
via NetBus etc.

  Andreas

---------------------------------------------------------------------------

---

Andreas Gunnarsson                                         Nat:

031-7476081

andreas.gunnarsson () emw ericsson se                         Int: +46 31

http://www.dd.chalmers.se/~zzlevo/                         Fax:

031-7473771

Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

DREAMWVR.COM - TOTAL INTERNET SERVICES
Featuring Website Development and Web Strategies of a TOP Developer 
By Hand Since the Web Began.. Design, Development, Integration, Security
<http://www.dreamwvr.com/services/MAX_SEC.html>
DREAMWVR.COM - The Console of Many... 24 X 7 Evolution Internet
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
<*<*<* Proud Linux-Mandrake Distributor *>*>*>
<http://www.dreamwvr.com/mandrake/mandrake-dist.html>
"As Unique as the Company You Keep."        "===0 PGP Key Available  
________________________________________________________________________

Current thread:

Opinions on VPN? Jan B. Koum (Apr 18)
- Re: Opinions on VPN? Frederick M Avolio (Apr 19)
- Re: Opinions on VPN? Andreas Gunnarsson (Apr 19)
- Re: Opinions on VPN? Jonathan Poole (Apr 20)
- Re: Opinions on VPN? Rick Smith (Apr 20)
- Message not available
  - Re: Opinions on VPN? dreamwvr (Apr 20)
- <Possible follow-ups>
- Re: Opinions on VPN? Ryan Russell (Apr 19)
  - Re: Opinions on VPN? Paul M. Cardon (Apr 20)
- RE: Opinions on VPN? Kyle Starkey (Apr 20)
- RE: Opinions on VPN? Litney, Tom (Apr 20)
  - Re: Opinions on VPN? Philip S Holt, Security Engineer / Network Engineer (Apr 21)
- RE: Opinions on VPN? John McDonald (Apr 20)
  - RE: Opinions on VPN? dreamwvr (Apr 21)
    - RE: Opinions on VPN? Andreas Gunnarsson (Apr 22)
- RE: Opinions on VPN? Dendeni, Iyes (Apr 21)
- RE: Opinions on VPN? Litney, Tom (Apr 21)

(Thread continues...)