>I've got a client that has two sites, each with a firewall installed
>(CheckPoint FW-1) and they want to implement a VPN between the sites. ...
>...<snip>...

 Okay, it sounds like they want to bridge the two LANs.  It is within
one company, so they probably can deal with a Full Trust Relationship
between the sites.

>...<snip>...
>I don't like the idea of bypassing the firewall at all...

  But that's probably what they *want*.  They seem to want to bridge
the two sites.
  Before VPNs came along, you would have needed a private leased
line between the two sites.

>I tried to
>explain that a pathway around the firewall sort of defeats the whole purpose
>of having the firewall in the first place, but the client insists this is
>the desired configuration.  They feel safe in the security provided on the
>theory that the VPN box will not allow anything but authenticated VPN users
>and remote sites anyway, so it doesn't really pose a security risk.

  The traffic over the Internet will probably be an encrypted IPSEC
stream of data.  The VPN boxes I am familiar with (RedCreek) will only
talk to another IPSEC VPN box and will syslog any packets that are not
coming from an IPSEC VPN data stream.
  You can also add router packet filters to restrict traffic.
  I think a well designed VPN box is less likely to be mis-configured
than a general purpose firewall.  Yes, it is another device that you
have to configure and manage. But, what will going through the firewall
buy you?  Maybe more logging and packet filtering, but ultimately,
you will be tunnelling the data and bypassing the firewall in order to
get the encrypted data stream to the VPN box.

>Have any of you set up such a configuration before?

  I believe RedCreek (www.redcreek.com) describes it as one of their
sample configurations.


  - Randy
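The "router packet filters" mentioned in the reply above, modelled as an added example (not code from the post or from any vendor): a filter in front of the VPN box that passes only IKE (UDP/500) and ESP (IP protocol 50) between the two sites' VPN endpoints and logs everything else aimed at the box. The addresses and sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed VPN endpoint addresses (not from the post).
SITE_A_VPN = "192.0.2.10"
SITE_B_VPN = "198.51.100.10"
PEERS = {SITE_A_VPN, SITE_B_VPN}

ESP, UDP, TCP = 50, 17, 6     # IP protocol numbers
IKE_PORT = 500                # IKE negotiation port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    dport: int = 0    # 0 when the protocol has no ports (ESP)


def filter_packet(pkt):
    """Return 'accept' or 'drop' for one packet.

    The policy only concerns traffic addressed to a VPN endpoint;
    anything else stays on its normal path through the firewall."""
    if pkt.dst not in PEERS:
        return "accept"
    if pkt.src not in PEERS:
        return "drop"              # only the peer site may reach the box
    if pkt.proto == ESP:
        return "accept"            # encrypted tunnel data
    if pkt.proto == UDP and pkt.dport == IKE_PORT:
        return "accept"            # key exchange
    return "drop"                  # no other service on the VPN path


def run_filter(packets):
    """Apply the policy; return (accepted, log_lines), where log_lines
    record each dropped packet in a syslog-like form."""
    accepted, log = [], []
    for p in packets:
        if filter_packet(p) == "accept":
            accepted.append(p)
        else:
            log.append(f"vpnfilter: drop src={p.src} dst={p.dst} "
                       f"proto={p.proto} dport={p.dport}")
    return accepted, log


# Constructed sample traffic arriving at site A's router.
SAMPLE = [
    Packet(SITE_B_VPN, SITE_A_VPN, UDP, IKE_PORT),  # IKE from the peer
    Packet(SITE_B_VPN, SITE_A_VPN, ESP),            # tunnel data from peer
    Packet("203.0.113.7", SITE_A_VPN, ESP),         # ESP from a stranger
    Packet(SITE_B_VPN, SITE_A_VPN, TCP, 23),        # telnet at the VPN box
]
```

Running `run_filter(SAMPLE)` accepts the two IPsec packets from the peer and logs the other two, which is the behaviour the reply attributes to the VPN box itself.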