Hi,

Volker Tanger wrote:

> If I understand correctly, your question was how to choose between:
> 1.) VPN endpoint == firewall
> 2.) VPN endpoint == separate VPN box(es) in DMZ
> In the latter case you might get loopholes if you have multiple VPN
> boxes (or one box handling multiple VPNs) in that DMZ. That is: someone
> coming out of VPN#1 going (uncontrolled) back into VPN#2. These kinds of
> holes are easy to prevent in setup 1.)

Why should you place different VPN endpoints with (probably) different
security demands in the same segment? If it's different user
groups/customers/whatever => different segments. If it's one box it's a
question of routing/access lists/transforms. Getting from one VPN into
another usually requires a particular SA for both endpoints => you can
handle/prohibit this.

As for the first scenario... a firewall is a firewall is a firewall... a
system implementing your sec policy by controlling traffic. It's _not_ a
crypto device. Don't mix up duties here. I'm pretty sure we'll see
mixed-up, feature-blown so-called firewall products falling down due to
incorrect handling of IPsec headers/poorly implemented crypto routines
etc. Remember all the FW-1's problems in their bad year 2000
[http://www.monkey.org/~dugsong/talks/blackhat.pdf]? Most of them were
based on their proprietary crypto stuff.

Regards,

Enno Rey

PGP 585F B0B9 F429 35EF 73A4 BC33 8F4B A629 C181 2EF1

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
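The following is an added example, not part of the thread above, that models the two placements being argued over: the "shared DMZ" in which both VPN gateways' inside legs sit in one segment (Volker's loophole case), and the "one segment per VPN" layout Enno recommends, where every inter-segment flow crosses a firewall rule table with an implicit deny. The zone names, networks and addresses are constructed for the example; the point it shows is that in the shared segment the VPN#1-to-VPN#2 hop never reaches a policy decision at all, while in the segmented layout it is dropped unless a rule explicitly allows it.

```python
"""Toy zone-based policy evaluator (added example, constructed data).

A flow between two addresses in the same segment is switched locally
and never hits the firewall, so it is always "accept" regardless of
rules. A flow between different segments is matched first-rule-wins
against the rule table and dropped if nothing matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str  # "accept" or "drop"


class ZonePolicy:
    def __init__(self, zones, rules):
        # zones: segment name -> CIDR; rules: ordered list, implicit drop at end
        self.zones = {name: ip_network(net) for name, net in zones.items()}
        self.rules = list(rules)

    def zone_of(self, ip):
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        raise ValueError(f"{ip} belongs to no known segment")

    def decide(self, src_ip, dst_ip):
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src == dst:
            # Same segment: traffic is not policed by the firewall at all.
            return "accept"
        for rule in self.rules:
            if rule.src_zone == src and rule.dst_zone == dst:
                return rule.action
        return "drop"  # implicit deny between segments


# Constructed addresses: inside leg of VPN gateway #1 and #2, and an
# inside host. 192.0.2.0/24 is documentation space (RFC 5737).
VPN1_INSIDE = "192.0.2.10"
VPN2_INSIDE = "192.0.2.70"
INSIDE_HOST = "10.1.1.1"

# Layout 2 as criticised in the thread: both gateways in one shared DMZ.
shared_dmz = ZonePolicy(
    zones={"dmz": "192.0.2.0/24", "inside": "10.0.0.0/8"},
    rules=[Rule("dmz", "inside", "accept")],
)

# Enno's "different segments" layout: one /26 per VPN, firewall between.
segmented = ZonePolicy(
    zones={
        "vpn1": "192.0.2.0/26",
        "vpn2": "192.0.2.64/26",
        "inside": "10.0.0.0/8",
    },
    rules=[
        Rule("vpn1", "inside", "accept"),
        Rule("vpn2", "inside", "accept"),
        # no vpn1 <-> vpn2 rule: the loophole is closed by implicit deny
    ],
)


def vpn_hop_allowed(policy):
    """True if traffic leaving VPN#1 can be pushed straight into VPN#2."""
    return policy.decide(VPN1_INSIDE, VPN2_INSIDE) == "accept"


if __name__ == "__main__":
    for name, pol in (("shared DMZ", shared_dmz), ("segmented", segmented)):
        print(f"{name:11s} VPN1->VPN2: {pol.decide(VPN1_INSIDE, VPN2_INSIDE)}"
              f"  VPN1->inside: {pol.decide(VPN1_INSIDE, INSIDE_HOST)}")
```

Running it prints "accept" for the VPN1-to-VPN2 hop in the shared DMZ and "drop" in the segmented layout, while the legitimate VPN-to-inside path is accepted in both. The same model applies to a single box terminating several VPNs: what closes the hole there is an access list or SA selector on the box, which is the "routing/access lists/transforms" question the reply refers to.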
