Hemang,
The most common configuration we see, especially for business-to-business applications, is to place the VPN appliance on the outside of the firewall. This allows you to control and log access through it. One of the issues with VPNs coming into firewalls is that the connections get bridged and aren't subject to the full rule set of the firewall.
The second most common configuration seems to be placing the box in the DMZ and opening ports on the external firewall (usually a router with filtering) to allow connections to it.
In either instance the VPN is outside the firewall that protects your corporate resources. Another alternative is to create a separate DMZ for just your VPN devices.
The object is to maintain monitoring and control over the connection, and the only practical way to do that is to route the traffic through a control point like a firewall.
-- Bill Stackpole, CISSP
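To make the distinction between a routed and a bridged VPN termination concrete, here is a small Python model added to this thread (it is not code from either poster). It assumes constructed addresses (a remote peer gateway at 198.51.100.5, a VPN appliance at 192.0.2.10, a LAN at 10.0.0.0/24) and a constructed sample policy on the internal firewall; the external filter admits only IKE (UDP/500) and ESP (IP protocol 50) from the known peer to the appliance, which is what the DMZ placement requires. The `deliver` function shows why the decrypted traffic must be routed back through a control point: in the "bridged" case a packet the internal rule set would deny still reaches the LAN.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the illustration (not from the original thread).
PEER_GATEWAY = "198.51.100.5"   # remote site's VPN gateway
VPN_APPLIANCE = "192.0.2.10"    # our VPN box, placed in its own DMZ
LAN_PREFIX = "10.0.0."          # protected corporate network

IKE_PORT = 500      # IKE negotiates the tunnel over UDP/500
ESP = "esp"         # IP protocol 50 carries the encrypted payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "udp", "tcp" or "esp"
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # cleartext packet carried inside ESP


def external_filter(pkt: Packet) -> bool:
    """Screening router in front of the VPN DMZ: only the tunnel itself gets in."""
    if pkt.src != PEER_GATEWAY or pkt.dst != VPN_APPLIANCE:
        return False
    if pkt.proto == "udp" and pkt.dport == IKE_PORT:
        return True
    return pkt.proto == ESP


def internal_firewall(pkt: Packet) -> bool:
    """Full rule set on the firewall guarding the LAN, applied to cleartext."""
    if not pkt.dst.startswith(LAN_PREFIX):
        return False
    permitted = {("tcp", 443), ("tcp", 25)}   # constructed sample policy
    return (pkt.proto, pkt.dport) in permitted


def deliver(placement: str, pkt: Packet) -> str:
    """Return where the packet ends up under a given placement.

    'routed'  : appliance outside the firewall or in its own DMZ; the
                decrypted packet is routed through the firewall rule set.
    'bridged' : tunnel terminates on the firewall and the decrypted packet
                is bridged straight onto the LAN, bypassing the rule set.
    """
    if not external_filter(pkt):
        return "dropped at external filter"
    if pkt.proto != ESP:
        return "IKE handled by VPN appliance"   # negotiation only, no payload
    clear = pkt.inner
    if clear is None:
        return "dropped: ESP without payload"
    if placement == "bridged":
        return "delivered to LAN (uninspected)"
    if placement == "routed":
        return "delivered to LAN" if internal_firewall(clear) else "denied by internal firewall"
    raise ValueError(f"unknown placement: {placement}")


def tunnel(inner: Packet) -> Packet:
    """Wrap a cleartext packet as ESP from the peer gateway to our appliance."""
    return Packet(PEER_GATEWAY, VPN_APPLIANCE, ESP, inner=inner)


if __name__ == "__main__":
    web = tunnel(Packet("10.1.0.7", "10.0.0.20", "tcp", 443))
    smb = tunnel(Packet("10.1.0.7", "10.0.0.20", "tcp", 445))
    for placement in ("routed", "bridged"):
        for name, p in (("https", web), ("smb", smb)):
            print(f"{placement:8} {name:5} -> {deliver(placement, p)}")
```

Running it prints one line per placement and payload; the only difference between the two placements is the TCP/445 packet, which the routed design stops at the internal firewall and the bridged design lets through unlogged.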
"Hemang Patel" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 06/22/2001 12:28 PM
To: Firewalls_Digest <[EMAIL PROTECTED]>
cc:
Subject: site to site vpn.
Hi;
I have just finished configuring a site-to-site VPN using IKE with 2
checkpoint fw-1.
In the future we may be doing more VPN to other sites.
We may be installing a separate firewall/VPN appliance in the future to
offload VPN traffic to it.
I was wondering what is the best location to insert this second
firewall? (e.g. outside the existing firewall, between
the internet router and firewall, or put it on a separate DMZ off the
existing firewall, etc.) And what are the pros and cons of
putting the VPN firewall in any location?
Any insight on this will be greatly appreciated
TIA
HP
