I support the Contivity Extranet Switch from Nortel; the configuration you describe is a very common one in the VPN appliance world. The other options I have seen are:
1) VPN box in parallel with your firewall behind the default gateway.
3) VPN box in parallel with your firewall with a separate WAN to the ISP.
4) VPN box in your DMZ with trusted interface connected to third leg of the firewall.
4) VPN box in your DMZ with trusted interface connected to third leg of the firewall
5) VPN box acting as your firewall.
Each of these has tradeoffs; the one (IMHO) that makes the least sense is number 3.
Regards
Robert Dolliver
Educational Services
Nortel Networks
1 Federal St.
Billerica, MA
PGP users: my key server is located at:
pgpkeys.mit.edu
my key hash is:
71DD 037B AE30 C046 9D3B 795B D9CB 248D 44F0 1895
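The following is an added illustration, not part of the original post or of any Nortel or RedCreek product, of what option 4 (VPN box in the DMZ, trusted interface on a third firewall leg) means for the firewall's rule base, beside the rules option 3 (VPN box behind the firewall) forces you to write. It is a toy first-match packet filter in Python; the interface names (ext, dmz, int), the addresses (198.51.100.10 for the VPN box's untrusted side, 10.0.0.0/24 for the LAN, 10.200.0.0/24 for the pool handed to VPN clients, 10.0.0.5 for an internal VPN box) and the per-port policy for decrypted traffic are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str                 # firewall interface the packet arrives on: ext, dmz or int
    src: str
    dst: str
    proto: str                 # tcp, udp, esp, icmp
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    in_if: Optional[str] = None
    src: Optional[str] = None  # CIDR; None means any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and self.in_if != p.in_if:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match means deny (assumed default policy)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Assumed addressing for the example (RFC 5737 / RFC 1918 ranges).
VPN_OUTSIDE = "198.51.100.10/32"   # untrusted interface of the VPN box, on the DMZ segment
VPN_INSIDE_HOST = "10.0.0.5/32"    # where the VPN box would sit in option 3 (on the LAN)
LAN = "10.0.0.0/24"
VPN_POOL = "10.200.0.0/24"         # addresses the VPN box assigns to roaming clients

# Option 4: only IKE (UDP/500) and ESP (IP proto 50) may reach the VPN box from the
# Internet, and whatever comes out of its trusted interface on the third leg is just
# another untrusted segment the firewall filters against the LAN. The pool-source
# match also drops anything on the dmz leg that did not come through a tunnel.
OPTION4_RULES = [
    Rule("permit", in_if="ext", dst=VPN_OUTSIDE, proto="udp", dport=500),
    Rule("permit", in_if="ext", dst=VPN_OUTSIDE, proto="esp"),
    Rule("permit", in_if="dmz", src=VPN_POOL, dst=LAN, proto="tcp", dport=443),
    Rule("permit", in_if="dmz", src=VPN_POOL, dst=LAN, proto="tcp", dport=25),
    Rule("deny"),
]

# Option 3: the VPN box lives on the LAN, so the firewall must pass IKE and ESP from
# the Internet straight to an internal host. The decrypted client traffic then appears
# on the LAN directly and never crosses a firewall interface, so there is no rule the
# firewall could write for it; the two permits below are the whole of its leverage.
OPTION3_RULES = [
    Rule("permit", in_if="ext", dst=VPN_INSIDE_HOST, proto="udp", dport=500),
    Rule("permit", in_if="ext", dst=VPN_INSIDE_HOST, proto="esp"),
    Rule("deny"),
]


def option4_decision(in_if: str, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    return evaluate(OPTION4_RULES, Packet(in_if, src, dst, proto, dport))


def option3_decision(in_if: str, src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    return evaluate(OPTION3_RULES, Packet(in_if, src, dst, proto, dport))


if __name__ == "__main__":
    # Constructed packets: a roaming client at 203.0.113.7 negotiating IKE, then its
    # decrypted HTTPS and telnet sessions emerging on the third leg.
    print(option4_decision("ext", "203.0.113.7", "198.51.100.10", "udp", 500))
    print(option4_decision("dmz", "10.200.0.5", "10.0.0.20", "tcp", 443))
    print(option4_decision("dmz", "10.200.0.5", "10.0.0.20", "tcp", 23))
```

Read the two rule lists side by side: in option 4 the firewall both restricts what the outside world can say to the VPN box and applies the LAN policy to every decrypted packet, whereas in option 3 the only thing it can do is punch IKE and ESP through to an internal address. A real deployment would also have to allow the return traffic (stateful inspection or mirror rules), which the toy evaluator ignores.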
-----Original Message-----
From: Randall, Mark [SMTP:[EMAIL PROTECTED]]
Sent: Saturday, November 27, 1999 8:13 PM
To: 'Randy Witlicki'; Randall, Mark
Cc: [EMAIL PROTECTED]
Subject: RE: Parallel pathways
> The traffic over the Internet will probably be an encrypted IPSEC
> stream of data. The VPN boxes I am familiar with (RedCreek) will
> only talk to another IPSEC VPN box and will syslog any packets
> that are not coming from an IPSEC VPN data stream.
Well, that's all fine and dandy...but they want roaming users to be able to
connect into the corporate network as well. They will be using a free IPSec
client on the roaming laptops. So, I suppose it will come down to the type
of authorization they intend to use in order to keep any stranger out on the
net with an IPSec client from connecting or attempting to connect.
> I believe RedCreek (www.redcreek.com) describes it as one of their
> sample configurations.
Okay, thanks... I'll check it out. Yours is the first response I've
received that's heard of such a configuration. I'm still very skeptical,
personally.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
