On 12/2/10 12:16 PM, Leland Jackson wrote:
>> No, the perimeter firewall should still control traffic in and out, whether
>> or not it is over the vpn.
>
> This is true, but only from the standpoint of computers in the local
> network, of which the vpn connected computer is a part. I'm looking at
> it from that point of view.
I seem to have a unique point of view, judging from the responses from you and Paul Hill at least. In my opinion, you can't really run a secure firewall if you can't control what is coming in and out of the true local area network. So if your firewall can't inspect the VPN traffic, you've effectively drilled a security hole right through your firewall. I don't think I'd ever set up such a thing, but I acknowledge that there are probably lots of such setups in the wild.

The VPN/Firewall combo I've been using for years is OpenVPN and Shorewall, where both are running on the same Linux box acting as perimeter firewall. Shorewall is really just a front end to iptables. Anyway, with this combo I can define firewall rules that can apply equally well to vpn traffic.

Paul

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
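As an added illustration (not part of Paul's post or any project's own configuration) of the setup he describes, here is a minimal Shorewall layout for a box that is both the perimeter firewall and the OpenVPN endpoint, so that tunnelled traffic arrives on tun0 and is subject to the same iptables policy as everything else. Zone names, interface names and the permitted ports are assumptions; OpenVPN is assumed to be started with `dev tun0` so the device name is stable.

```text
# /etc/shorewall/zones  (zone names are assumed; 'fw' is the firewall box itself)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces  (interface names are assumed; tun0 is the OpenVPN device)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
vpn     tun0        -           optional,tcpflags    # 'optional': tun0 exists only while openvpn runs

# /etc/shorewall/policy  (VPN clients get nothing that is not granted explicitly in rules)
#SOURCE   DEST    POLICY    LOG LEVEL
loc       net     ACCEPT
fw        all     ACCEPT
vpn       all     DROP      info
net       all     DROP      info
all       all     REJECT    info

# /etc/shorewall/rules  (constructed example ports)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      $FW    udp     1194        # OpenVPN tunnel endpoint on the firewall itself
ACCEPT    vpn      $FW    udp     53          # remote clients may use the firewall's resolver
ACCEPT    vpn      loc    tcp     3389        # example: remote clients reach the LAN on RDP only
ACCEPT    loc      vpn    icmp    8           # LAN hosts may ping connected VPN clients
```

Because the tunnel terminates on the firewall, a packet from a VPN client to the LAN is forwarded from tun0 to eth1 and hits the vpn→loc policy and rules like any other forwarded packet; dropped attempts are logged at level info, which is where one would look for a client probing beyond what it was granted.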

