You can have a VPN between A and C; the only thing is, if the traffic to C is going
through firewall B, then you need to allow encrypted traffic (any) between
A and C in firewall B.

-Sanjeev Kumar
Network Consultant

----- Original Message -----
From: "Michael Batchelder" <[EMAIL PROTECTED]>
To: "Ivan Fox" <[EMAIL PROTECTED]>
Cc: "Firewall-Wizards@Nfr.Net" <[EMAIL PROTECTED]>;
"Firewalls@Lists.Gnac.Net" <[EMAIL PROTECTED]>; "Firewall-1"
<[EMAIL PROTECTED]>
Sent: Wednesday, February 14, 2001 7:07 AM
Subject: Re: [FW1] Can I setup a VPN this way?


> The general answer is that VLANs aren't security tools, while VPNs are
> (flawed tho they may be, in their current implementations).  It's
> particularly bad if you vlan (yep, it's a verb, now :) in such a way as
> to have vlans that sit on both sides of a firewall, so that if a vlan
> can be jumped, a firewall can be jumped.  For example, if you're vlaning
> for some type of traffic to go from fw A to fw C, but vlaning other
> traffic so that it must be filtered by fw B.  Then, you have to consider
> the security risk that something might happen that causes traffic to
> bypass B by using the A to C vlan.  Exploits to jump vlans do exist for
> Cisco and other gear.
>
> And with a L3 switch, if the vlaning is done purely based on L3 stuff
> (tcp/udp port number, transport protocol), that's almost trivial for a
> malicious individual to transport naughty traffic under guise of
> something legit.  But really, anything you base your vlans on isn't
> secure, even fixing mac address to switch port.
>
> The short answer is "no".  If you have traffic that needs privacy, use
> encryption.  The VPN setups discussed aren't difficult to config in
> Firewall-1.
>
> HTH,
> Michael
>
> Ivan Fox wrote:
> >
> > Michael;
> >
> > If these sites use L3 switches, would VLAN provide the same level of
> > security as VPN?
> >
> > Thanks,
> >
> > ----- Original Message -----
> > From: "Michael Batchelder" <[EMAIL PROTECTED]>
> > To: "Ivan Fox" <[EMAIL PROTECTED]>
> > Cc: "Firewall-Wizards@Nfr.Net" <[EMAIL PROTECTED]>;
> > "Firewalls@Lists.Gnac.Net" <[EMAIL PROTECTED]>; "Firewall-1"
> > <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 13, 2001 7:18 PM
> > Subject: Re: [FW1] Can I setup a VPN this way?
> >
> > > A clarification would be good, here.  Are you trying to send VPN traffic
> > > from A, thru B, to C and back, or do you want to send traffic from A to
> > > both B and C?  Either one is possible.  The latter scenario is the same
> > > as the former scenario with the addition of an A->B VPN tunnel.  So you
> > > just need to know, at most:
> > >
> > > 1) how to set up vpn tunnels between two firewalls
> > > 2) how to pass vpn tunnels through a firewall
> > >
> > > I'll assume you want to do IPSec vpn, and not FWZ...
> > >
> > > For 1, consult the docs and Checkpoint's web site, or www.phoneboy.com.
> > > There should be enough info and examples to do that.  For 2, to pass
> > > IPSec through a fw, you need a rule on B to permit the appropriate IP
> > > *protocol*, AH or ESP or both (probably just ESP).  Both protocols are
> > > defined service objects, and are in the service group "IPSec".  You also
> > > need to permit IKE if you're using it, which is UDP, port 500.  If
> > > you're doing NAT at B, this gets a whole lot hairier...
> > >
> > > Michael
> > >
> > > Ivan Fox wrote:
> > > >
> > > > Let's say there are 3 sites in serial, i.e., A --> B --> C.  Each site has its
> > > > own subnet and Check Point VPN-1.  Can I set up a continuous VPN using Check
> > > > Point VPN-1 starting from A and ending at C?
> > > >
> > > > Any pointers are appreciated.
> > > >
> > > > Ivan
> > > >
> > > >
> > > > ================================================================================
> > > >      To unsubscribe from this mailing list, please see the instructions at
> > > >                http://www.checkpoint.com/services/mailing.html
> > > > ================================================================================
> > >
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>

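The rule B needs for case 2 above (passing IPsec through a firewall), as an added example that is not from the thread or from Check Point: a small first-match model of B's rule base, with constructed gateway addresses 192.0.2.1 and 198.51.100.1, permitting the ESP (50) and AH (51) protocols and IKE on UDP 500 only between the two tunnel endpoints, so that anything else, including stray cleartext between the site subnets, falls to the cleanup rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder addressing for the chain A --> B --> C.
GW_A = ip_network("192.0.2.1/32")      # site A VPN-1 gateway (tunnel endpoint)
GW_C = ip_network("198.51.100.1/32")   # site C VPN-1 gateway (tunnel endpoint)
ANY = ip_network("0.0.0.0/0")

ESP, AH, UDP, TCP = 50, 51, 17, 6      # IP protocol numbers
IKE_PORT = 500                         # IKE (ISAKMP) negotiates over UDP 500

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None        # transport port; None for ESP/AH

@dataclass(frozen=True)
class Rule:
    src: object                        # ip_network
    dst: object
    proto: Optional[int]               # None matches any IP protocol
    dport: Optional[int]               # None matches any port
    action: str                        # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

def both_ways(a, b, proto, dport=None):
    """Accept rules for both directions, so the tunnel works either way."""
    return [Rule(a, b, proto, dport, "accept"), Rule(b, a, proto, dport, "accept")]

# What B needs for an A<->C IPsec tunnel to transit it: the IPsec *protocols*
# (ESP, plus AH if negotiated) and IKE, restricted to the two gateways, then the
# usual cleanup rule. NAT at B is left aside, as in the thread.
FIREWALL_B = (both_ways(GW_A, GW_C, ESP)
              + both_ways(GW_A, GW_C, AH)
              + both_ways(GW_A, GW_C, UDP, IKE_PORT)
              + [Rule(ANY, ANY, None, None, "drop")])

def decide(rulebase, pkt: Packet) -> str:
    """First-match evaluation, as an ordered rule base like Firewall-1's does."""
    return next((r.action for r in rulebase if r.matches(pkt)), "drop")
```

Note that the A and C subnets never appear in B's rules: their traffic crosses B encapsulated inside ESP between the gateways, so B cannot filter it and must trust the tunnel endpoints.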