On 12/02/2010 03:09 PM, Paul McNett wrote:
> On 12/2/10 12:16 PM, Leland Jackson wrote:
>>> No, the perimeter firewall should still control traffic in and out, whether
>>> or not it is over the vpn.
>>
>> This is true, but only from the standpoint of computers in the local
>> network, of which the vpn connected computer is a part. I'm looking at
>> it from that point of view.
>
> I seem to have a unique point of view, judging from the responses from you
> and Paul Hill at least. In my opinion, you can't really run a secure firewall
> if you can't control what is coming in and out of the true local area
> network. So if your firewall can't inspect the VPN traffic, you've
> effectively drilled a security hole right through your firewall.
The security is there; it is just a little different from firewall-like security.

When setting up the vpn connection on the router side, the vpn connection is given a name, which is mostly for people, since the connection name is not used in making the actual connection. Then I can specify, using Netgear's Prosafe VPN wizard:

  This VPN tunnel will connect to the following peers: either "gateway" or "VPN Client". I select VPN Client.
  What is the Remote Identifier Information: "srxn_remote.com"
  What is the Local Identifier Information: "srxn_local.com"
  What is the pre-shared key: _________________________________ (Key Length 8 - 49 Char)

Upon clicking "Apply", the IKE and VPN policies are created.

The Netgear Prosafe VPN client software must be used to make the vpn connection (e.g. an encryption thing, I suspect). In order for the remote client to connect to the router, the Netgear Prosafe VPN client entries must mirror the entries applied in the router, including remote and local identifiers and pre-shared key. I suspect that the pre-shared key, in addition to being used as a kind of password, is also used as the seed for encryption as well, but I could be wrong. Also, the Netgear Prosafe VPN client must have the WAN address of the router, so the client software can find the vpn router. If the VPN connection is between two gateways, then both gateways' WAN addresses come into play.

VPN connections can be viewed in a browser under the Netgear Prosafe VPN software "VPN Connection Status" section. All VPN connections appear by IP address.

This reminds me a little of the security of a wireless connection. LOL

Regards,

LelandJ

> I don't think I'd ever set up such a thing, but I acknowledge that there are
> probably lots of such setups in the wild.
>
> The VPN/Firewall combo I've been using for years is OpenVPN and Shorewall,
> where both are running on the same Linux box acting as perimeter firewall.
> Shorewall is really just a front end to iptables.
> Anyway, with this combo I can define firewall rules that can apply equally
> well to vpn traffic.
>
> Paul
>
> [excessive quoting removed by server]

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
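Paul's point (the VPN terminates on the firewall box, so firewall rules apply to tunnel traffic like any other) and the "hole drilled through the firewall" he warns about can both be seen in a concrete ruleset. The script below is an added example, not part of the thread and not Shorewall's or Netgear's configuration: it writes the rules as raw iptables-restore input rather than Shorewall's zone/policy/rules files, so it needs only iptables. Interface names (eth0, eth1, tun0), subnets, the OpenVPN port and the two LAN services the VPN clients are allowed to reach are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: perimeter firewall + OpenVPN server on one Linux box.
# Interfaces, subnets, port and allowed services are assumed values.
WAN=${WAN:-eth0}                     # internet-facing interface
LAN=${LAN:-eth1}                     # trusted local network
VPN=${VPN:-tun0}                     # OpenVPN tunnel: decrypted packets appear here
LAN_NET=${LAN_NET:-192.168.1.0/24}
VPN_NET=${VPN_NET:-10.8.0.0/24}      # OpenVPN client address pool
OVPN_PORT=${OVPN_PORT:-1194}

# Because OpenVPN terminates on the firewall, decrypted client packets enter
# the kernel on $VPN and traverse the same FORWARD chain as LAN and WAN
# traffic. A single "-A FORWARD -i $VPN -j ACCEPT" would be the hole the
# thread describes; this ruleset instead names what VPN clients may reach.
vpn_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and reply traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the encrypted tunnel itself: OpenVPN listening on the WAN side
-A INPUT -i $WAN -p udp --dport $OVPN_PORT -j ACCEPT
# management of the firewall from the LAN only
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# LAN hosts may go out to the internet
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# tunnel packets must carry an address from the client pool
-A FORWARD -i $VPN ! -s $VPN_NET -j DROP
# VPN clients may reach only these LAN services (SMB and RDP, assumed)
-A FORWARD -i $VPN -o $LAN -s $VPN_NET -d $LAN_NET -p tcp -m multiport --dports 445,3389 -j ACCEPT
# VPN clients may not use the firewall as an internet relay
-A FORWARD -i $VPN -o $WAN -j DROP
# log anything else the tunnel tries; the chain policy then drops it
-A FORWARD -i $VPN -j LOG --log-prefix "vpn-denied: " --log-level 4
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Number of FORWARD rules that inspect the tunnel interface. A ruleset where
# this is zero (or a lone ACCEPT) is one in which the VPN bypasses policy.
vpn_rule_count() {
    vpn_ruleset | grep -c -- "-A FORWARD -i $VPN "
}

# "apply" loads the ruleset atomically (needs root); anything else just
# prints it so the rules can be reviewed before they go live.
case "${1:-}" in
    apply) vpn_ruleset | iptables-restore ;;
    *)     vpn_ruleset ;;
esac
```

Run it without arguments to review the rules, then `sh vpn-fw.sh apply` as root. The same structure carries over to Shorewall (a `vpn` zone on `tun0` with a `vpn all DROP` policy and explicit `ACCEPT vpn loc tcp 445,3389` rules), which is what lets rules apply "equally well to vpn traffic". On a router-terminated tunnel like the Netgear setup, the equivalent control exists only if the router lets you write rules against the tunnel's traffic after decryption; if it does not, the remote client is effectively on the LAN.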

