Are you in control of the security on both of the endpoints connected
by this VPN?  If one endpoint is a business associate and the other
endpoint is a Windows 2000 server on your internal network, then the
security of your network is dependent upon the security of your business
associate's network.  A good rule of thumb is to never allow a VPN to
terminate on an unprotected host or subnet behind your firewall.  A VPN is
basically an encrypted tunnel through your perimeter security.  I would
either terminate that VPN on your Raptor firewall, where the traffic still
has to go through the Raptor's ACLs, or terminate it in a DMZ off of a third
network card on the Raptor.  This would still require the traffic using
that VPN to go through the Raptor's ACLs to reach your internal network.
VPNs (or any other type of encryption) provide privacy, authentication,
integrity, or non-repudiation.  They do not provide perimeter security or
host protection, since they merely encrypt all traffic between hosts or
networks and do not check to see if that traffic is allowed based on an
ACL.  I also would not terminate the VPN on a border device before the
firewall, because the traffic would then be in plaintext between the border
device and the firewall, providing a good place for someone to put a
sniffer.

Regards,
Jeffery Gieser
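
The two termination options recommended above (on the firewall itself, or on a concentrator in a DMZ off a third interface), written out as Linux netfilter rules. This is an added example and is not part of the original post, nor Raptor configuration; it shows the same principle on iptables: decrypted partner traffic must still hit the FORWARD chain and a narrow ACL before it reaches the internal network, and partner addresses that arrive in plaintext on the outside interface are treated as spoofed. Interface names, addresses, the single permitted server and port are all assumptions chosen for illustration; management-access rules (SSH to the firewall, etc.) are deliberately left out.

```shell
#!/bin/sh
# Added example, not from the original post.  Generates iptables rules for a
# firewall through which a site-to-site IPsec VPN from a business associate
# passes.  Every interface, address and port below is an assumption.
set -e

WAN=eth0                      # Internet-facing interface
LAN=eth1                      # internal network
DMZ=eth2                      # third card: DMZ where a VPN concentrator may sit
PARTNER_GW=198.51.100.10      # business associate's VPN gateway (public address)
PARTNER_NET=203.0.113.0/24    # business associate's internal network
DMZ_CONC=172.16.1.2           # VPN concentrator in the DMZ (option 2 only)
APP_HOST=10.0.0.25            # the single internal server the partner needs
APP_PORT=443

common_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Partner addresses arriving in plaintext on $WAN never came through a tunnel: spoofed
iptables -A FORWARD -i $WAN -m policy --dir in --pol none -s $PARTNER_NET -j DROP
EOF
}

# Option 1: the tunnel ends on the firewall itself.  Decrypted IPsec packets
# re-enter the stack on $WAN, so they are matched by IPsec policy rather than
# by interface, and only the one required flow is accepted; everything else
# from the partner network is logged and falls to the DROP policy.
gen_rules_fw_terminated() {
  common_rules
  cat <<EOF
iptables -A INPUT -i $WAN -s $PARTNER_GW -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A INPUT -i $WAN -s $PARTNER_GW -p esp -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m policy --dir in --pol ipsec --proto esp -s $PARTNER_NET -d $APP_HOST -p tcp --dport $APP_PORT -j ACCEPT
iptables -A FORWARD -i $WAN -m policy --dir in --pol ipsec -s $PARTNER_NET -j LOG --log-prefix "vpn-deny: "
EOF
}

# Option 2: the tunnel ends on a concentrator in the DMZ.  The firewall only
# passes IKE and ESP to that host; the concentrator's plaintext output must
# then be forwarded from $DMZ to $LAN, where the same narrow ACL applies.
gen_rules_dmz_terminated() {
  common_rules
  cat <<EOF
iptables -A FORWARD -i $WAN -o $DMZ -s $PARTNER_GW -d $DMZ_CONC -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $WAN -o $DMZ -s $PARTNER_GW -d $DMZ_CONC -p esp -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -s $PARTNER_NET -d $APP_HOST -p tcp --dport $APP_PORT -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "dmz-deny: "
EOF
}

# "show" prints the option-1 ruleset; "apply" installs it (run as root).
case "${1:-show}" in
  apply) gen_rules_fw_terminated | sh ;;
  show)  gen_rules_fw_terminated ;;
esac
```

The `-m policy --pol none` rule is the check the post's warning implies: without it, a packet from the Internet with a forged partner source address is indistinguishable from tunnel traffic once you filter on addresses alone. In option 2 the concentrator sits on its own interface, so ordinary interface-based rules suffice and the firewall never needs to know about IPsec at all.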
