"Randall, Mark" wrote:
>
> The client has an architectural layout in mind, where the Compatible Systems
> VPN boxes will sit next to FW-1, using a completely separate, parallel path.
Mark,
This sounds .... mildly odd to me. I do NOT know of anyone
doing it this way.
Fine, they don't want to use FW-1's VPN, that's a matter of
taste, no quarrel there. They might be unhappy with the
admin capabilities or worried about the UDP port 0 bug,
whatever.
The oddity is, as you pointed out, the parallel path.
I imagine that the company that they learned of this from
had problems with passing the VPN traffic through the
firewall and therefore ended up with the parallel path.
I can't see FW-1 having these problems though.
This sounds like increasing the risk to me, since we don't
know??? what kinds of weaknesses the VPN box might have.
Sure, it won't let anything non-encrypted through.
What do we know about the integrity of the VPN box itself?
Buffer overruns on some unknown port? (I've never heard
of that make so I wouldn't know).
My recommended approach would be to stick the VPN box in
a separate DMZ, only let traffic to it from a restricted
span (the remote site), and THEN also control what plaintext
traffic may pass from the VPN box to the internal
network.
Here, you'd have to add routes in the firewall to use
the VPN box as a gateway for getting to the remote site.
On a side note: This solution won't work at all
with roaming clients. Here, you'd have to let the VPN box
see all traffic regardless of where it's heading, either
by sticking it inside or outside the firewall (or having
it built into the firewall, which is by far the easiest
way). I'd set up an inline DMZ of sorts, maybe with a packet
filter at the border, and place the VPN box inside this
inline DMZ. This way, the firewall still gets to determine
what traffic may flow through the VPN to the internal
network. Granted, the VPN box itself won't be as well
protected, but you can't have it all in goofy situations
such as this.
Regards,
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
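An added example, not part of Mike's post or of any vendor's configuration: a small first-match rule model in Python of the separate-DMZ design he recommends (remote site may reach the VPN box only on IPsec; the VPN box's decrypted traffic is filtered again before it reaches the internal network), contrasted with the parallel-path layout, where traffic to the VPN box never meets the firewall at all. All addresses, zones and service ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (not from the post): the peer site, the VPN box
# sitting alone in its own DMZ, and the internal network behind FW-1.
REMOTE_SITE = ip_network("203.0.113.0/24")
VPN_HOST = ip_network("192.0.2.10/32")
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "esp", "udp" or "tcp"
    dport: int = 0  # 0 for protocols without ports (ESP)


# Rule: (source net, destination net, proto or None, dport or None, action).
# First match wins; the last rule is the cleanup deny.
DMZ_POLICY = [
    # Only the remote site may talk to the VPN box, and only IPsec (IKE + ESP).
    (REMOTE_SITE, VPN_HOST, "udp", 500, "accept"),
    (REMOTE_SITE, VPN_HOST, "esp", None, "accept"),
    # Plaintext coming out of the VPN box is filtered a second time:
    # only the services the remote site actually needs (assumed: SMTP, HTTPS).
    (VPN_HOST, INTERNAL, "tcp", 25, "accept"),
    (VPN_HOST, INTERNAL, "tcp", 443, "accept"),
    (ANY, ANY, None, None, "drop"),
]


def evaluate(policy, flow: Flow) -> str:
    """Return the action of the first rule matching the flow ("drop" if none)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for s_net, d_net, proto, dport, action in policy:
        if (src in s_net and dst in d_net
                and (proto is None or proto == flow.proto)
                and (dport is None or dport == flow.dport)):
            return action
    return "drop"


def parallel_path(flow: Flow) -> str:
    """Parallel layout: anything to or from the VPN box bypasses the firewall,
    so an unknown listening port on the box is reachable from anywhere."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in VPN_HOST or dst in VPN_HOST:
        return "unfiltered"
    return evaluate(DMZ_POLICY, flow)
```

The second and third test flows below are the cases Mike raises: an arbitrary Internet host probing some unknown port on the VPN box, and decrypted traffic from the box trying a service that was never explicitly permitted.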
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]