G'day, I don't like the solution that loops the VPN traffic through the firewall twice. I can't see any real security gain, and there is a big complexity loss. If you were to use NAT, as bob suggested, then it's even worse, because you have all the VPN / NAT issues. Yes, the Cisco concentrators can use NAT-transparent mode, but that's an extra encapsulation, and should only be used when necessary.
The "best practice" way to do this is as Brian described, where the outside of the VPN device is directly exposed to the Internet, but the inside connects to a separate interface of a firewall, to allow for filtering. It's best to have this as a non-shared interface, because that protects your DMZ against hostile VPN users. There are some obvious security problems with all of this - that's because a VPN is involved. We had a big run-around about VPN stuff on this list a while ago, and Paul Robertson set down some of _his_ views in an article[1]. Basically, having secure VPNs relies a lot on strong authentication, but (more to the point) it extends your trust boundaries out to a lot of hardware / software / environment situations that people may not be comfortable with, if they spend a while thinking about it.

[1] http://www.infosecuritymag.com/articles/may01/columns_tech_talk.shtml

--
Ben Nagy
Security Guy

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of bob bobing
> Sent: Wednesday, October 17, 2001 10:21 AM
> To: Brian Ford

[My summary - Brian says the best way to do it is to bring the internal NIC of the concentrator into the firewall DMZ. Bob thinks that you could also run the traffic destined for the outside NIC through the firewall first, using NAT. His diagram:

    outside
       |
       / Outside vpn nic. (dmz1)
    firewall
       |
       \ Inside vpn nic. (dmz2)
    Inside
]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
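To make the "non-shared interface" argument concrete, here is an added example (not from this thread or from any of the posters) that models the two placements of the concentrator's inside NIC as zones on a default-deny firewall. The zone names (outside, dmz, vpn_dmz, inside), the endpoint roles and the sample ports are assumptions chosen for the illustration; the point it shows is that when the concentrator's inside NIC shares the server DMZ segment, VPN-user traffic to the DMZ servers never crosses the firewall and so cannot be filtered, and the rule that lets VPN users reach the inside necessarily also matches every DMZ server.

```python
# Added example: zone-policy model contrasting a shared DMZ interface with a
# dedicated firewall interface for the VPN concentrator's inside NIC.
# Zone names, roles and ports are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             proto: str, dport: int) -> str:
    """First matching rule wins; no match means default deny."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


def decide(design: Dict[str, str], rules: List[Rule], src_role: str,
           dst_role: str, proto: str, dport: int) -> str:
    """Map endpoint roles to firewall interfaces (zones) and ask the firewall.

    If both endpoints hang off the same interface the flow never crosses the
    firewall, so it cannot be filtered at all; that is reported as "unfiltered".
    """
    src_zone, dst_zone = design[src_role], design[dst_role]
    if src_zone == dst_zone:
        return "unfiltered"
    return evaluate(rules, src_zone, dst_zone, proto, dport)


# Design A: concentrator inside NIC shares the existing server DMZ interface.
SHARED = {"internet": "outside", "vpn_user": "dmz",
          "dmz_server": "dmz", "inside_host": "inside"}
# Design B (the recommended one): concentrator inside NIC on its own interface.
DEDICATED = {"internet": "outside", "vpn_user": "vpn_dmz",
             "dmz_server": "dmz", "inside_host": "inside"}

# Policy intent (assumed): Internet reaches the DMZ web server; VPN users reach
# the intranet web server on the inside and the mail relay in the DMZ; nothing else.
SHARED_RULES = [
    Rule("outside", "dmz", "tcp", 80, "allow"),
    Rule("outside", "dmz", "tcp", 443, "allow"),
    # The only way to express "VPN users to inside" here is a rule from the
    # shared 'dmz' zone, which every DMZ server also matches.
    Rule("dmz", "inside", "tcp", 443, "allow"),
]
DEDICATED_RULES = [
    Rule("outside", "dmz", "tcp", 80, "allow"),
    Rule("outside", "dmz", "tcp", 443, "allow"),
    Rule("vpn_dmz", "inside", "tcp", 443, "allow"),
    Rule("vpn_dmz", "dmz", "tcp", 25, "allow"),
]

# Constructed test flows: (source role, destination role, protocol, port).
CASES: Dict[str, Tuple[str, str, str, int]] = {
    # Legitimate VPN use; should be allowed in both designs.
    "vpn_user->inside_host tcp/443": ("vpn_user", "inside_host", "tcp", 443),
    # A hostile VPN user reaching for a DMZ server's SSH port.
    "vpn_user->dmz_server tcp/22": ("vpn_user", "dmz_server", "tcp", 22),
    # A compromised DMZ server trying to reach the inside network.
    "dmz_server->inside_host tcp/443": ("dmz_server", "inside_host", "tcp", 443),
}


def compare() -> Dict[str, Dict[str, str]]:
    """Return {case: {"shared": decision, "dedicated": decision}} per case."""
    out: Dict[str, Dict[str, str]] = {}
    for name, (src, dst, proto, port) in CASES.items():
        out[name] = {
            "shared": decide(SHARED, SHARED_RULES, src, dst, proto, port),
            "dedicated": decide(DEDICATED, DEDICATED_RULES, src, dst, proto, port),
        }
    return out


if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case:34s} shared={result['shared']:10s} "
              f"dedicated={result['dedicated']}")
```

Running it shows the legitimate flow allowed in both designs, while the VPN-user-to-DMZ probe is "unfiltered" in the shared design and denied in the dedicated one, and the DMZ-server-to-inside flow rides the VPN rule in the shared design but is denied when the concentrator has its own interface.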
