How and why would you run VPN traffic through 2 firewalls?  Either you block
the traffic, or you don't.

IPcop does run SuperFreeSwan, so really, anything he's trying to accomplish
with SFS he could accomplish with IPcop.  I won't argue that IPcop is the
equal of some appliances, but for 80% of people, they really just want a
VPN, and this will provide a rock solid solution.

IPcop handles multiple external IPs simply and flawlessly through the GUI (I
do it here), however, it becomes really ugly if you want two physical NICs
rather than just aliases on a single NIC.

IPcop could easily run as only a firewall (shut off DHCP (I don't use it),
Squid, Snort, etc.).  I'm not sure if you mean only as a VPN box, which it
could also do.  Really, the firewalling piece is just a script, and if you
wanted, it could easily be edited so that the firewalling code was ignored
(then you'd just have a VPN box).  Unless the VPN is enabled, it isn't used;
same for the other services.  So customizing it to suit a particular
application should be no problem.  For example: I needed to add a script for
routing in my environment.

In terms of security, you'd be hard pressed to beat IPcop.  One of our
Sonicwalls here can't connect to the IPcop box because the sonicwall doesn't
support 3DES, and the IPcop box won't do DES.  (I know there's an upgrade
available)  IPcop is a 3DES IPSEC vpn.  Authentication can be either via
Certificate or PSK.  That's pretty standard, and would be equal to any other
VPN appliance on the market currently.  If you're going to use it heavily, I
will say that the people making hardware sizing suggestions came from the MS
camp.  We run a P3-650 w/ 512 megs RAM, and it's never below a load average of
0.30; I'd say 0.60 is more of an average.  SCSI might help, but that *IS* a
legitimate complaint about IPcop.

Personally, I'd rather have a VPN either forwarded through the firewall, or
sit on the firewall itself.  If you run the VPN into a DMZ, you will pass
unencrypted communication between the DMZ and the LAN.  Since the purpose of
the DMZ is (more or less) to be the compromisable area, this wouldn't
really sit too well with me.  A DMZ should really have servers that do not
need to communicate back into the corporate LAN: web servers, FTP servers,
perhaps mail servers, etc.  These boxes would accept a connection from the
LAN to them, but would have no way to initiate a connection from themselves
into the LAN.  This way, a compromise would allow an attacker to jump from
box to box inside the DMZ, but not allow them inside the LAN.  VPN traffic
is authenticated end-to-end, and therefore I'd be more willing to trust it.
If someone can successfully fake a legitimate IP address on the Internet, OR,
if they can fake a certificate, you probably won't stop them anyway, IMO.
If they're willing to go to that much trouble, they'd socially engineer
their way into your LAN and hide a wireless NIC, or find some other way to
bypass your security.  Or use violence.  Or pay someone off.  Or whatever.
If someone really wants your info, they WILL get it.

I'm not saying IPcop is the ultimate solution, I just think that it's easy
to set up, and will make setting up a VPN far easier than setting up SFS
config files on your own.  If nothing else, use IPcop to generate the conf
files, and then put them onto another box.

Kev.




----- Original Message ----- 
From: "Shawn Grover" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 31, 2003 4:03 PM
Subject: RE: (clug-talk) VPN


> With regards to SonicWalls, I've had recent experience with them, and after
> 3 RMAs in a row (as requested by THEIR tech support) and never once being
> able to get the thing to work properly (with their tech support help even).
> I'll accept the fact that I may have been doing something odd, but I can't
> see what.  Bottom line is that I will not be recommending SonicWall in the
> near future.  However, it's rare that I need to recommend that type of
> hardware, so this probably is a non-issue.
>
> As for Brian's VPN, I know a bit about what he's trying to do, and I'm not
> sure if IPCop is a proper solution.  He needs a VPN server sitting behind
> two firewalls (external, and internal, with DMZ between), or even sitting in
> DMZ.  These firewalls do more than IPCop was designed for (multiple external
> IPs - yes I know IPCop can do this, with some tweaking...).
>
> Is it possible to run IPCop as a firewall only?  If so, is it feasible to
> route VPN traffic through the two firewalls to the IPCop box?
> How severe a security hole is this?  The only other option I can see is
> to put the VPN server in the DMZ, and allow all traffic from that box
> through the internal firewall...  another possible security hole....
>
> Shawn
>
>
> -----Original Message-----
> From: Kevin Anderson [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 31, 2003 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: Re: (clug-talk) VPN
>
>
> Since the other responses weren't overly detailed, I'll just add that it has
> never gone down unexplainably for us in the past year.  It's rock solid, and
> we do use it Corporately.  I've advised we replace the remaining SonicWalls
> with it, but they work well too, so obviously replacing something that works
> well is pretty low priority.
>
> Kev.
>
>
> ----- Original Message ----- 
> From: "Brian Horncastle" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, October 31, 2003 1:49 PM
> Subject: (clug-talk) VPN
>
>
> > Hi,
> >
> > Anyone ever setup Linux as a VPN server?
> >
> > Regards,
> >
> > Brian
> >
> >
>
>
