Re: [FW1] Architecture for connecting multiple sites via VPN



A decent practice would be to construct a traditional DMZ (Cheswick-style,
3 legged firewall) within which you terminate VPN appliances.

From a management perspective, you can maintain that the endpoint be
"ANY" and maintain policy and access control on the DMZ interface of your
gateway firewall device.  This prevents the scalability nightmare in
managing multiple endpoint VPN devices.

A security risk is introduced in this architecture because if multiple
endpoints exist in the DMZ, unauthorized access back to the remote site is
possible from within the DMZ.  You will need to be certain that your peer
partners closely maintain acceptable security policies on their VPN
interface.

You may be able to prevent unauthorized routing in the DMZ with policy
routing and/or "Private VLANs" (if they even work).

From what I gather from your message, this should not be an issue for you.

The benefits in this design are simple: you distribute the VPN load
across independent systems.  Because maintenance of access control on the
VPN is left to the peer partner, you may more effectively scale the
service.  You also maintain a single point of entry for your peer partners
and can more efficiently maintain policy there.

If you maintain the peer partner firewall device, management may be more
difficult.  If your users understand the static nature of a security
policy, you may be able to more effectively scale the management of those
devices as well.

Peter Lukas

On Thu, 8 Feb 2001, Joel Turoff wrote:

> 
> Greetings!
> 
> I am wondering what the best architecture is to connect multiple sites
> together with a VPN.
> 
> I have four locations, and each needs to have a VPN into every other site.
> I know that I can certainly setup a VPN between every firewall, but this
> loads down the rule base and isn't scalable.  Whenever I add another site,
> there will be numerous VPNs to configure.
> 
> Is there some way to create a central hub site and link all the sites in
> this manner?   Traffic would travel to the hub encrypted, then there would
> be a short unencrypted hop to the next firewall, where it would then be
> encrypted until reaching the destination network.
> 
> Is this sort of split-tunnel VPN possible with Checkpoint 4.1?  What would
> be the mechanism for routing the traffic at the hub between firewalls?  Is
> it as simple as adding a few static routes on the firewalls?
> 
> Many thanks for any ideas or suggestions on where to find more information
> about this.
> 
> Joel
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
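The inter-spoke exposure described in the reply above (VPN appliances sharing one DMZ segment can hand traffic to each other at layer 2 without the gateway firewall ever seeing it) and the private-VLAN mitigation, as an added example that is not code from this thread or from Check Point. It is a small Python model of the DMZ leg of a three-legged firewall: the appliance names, DMZ addresses, partner networks, inside network and DMZ-interface policy are all constructed for illustration, and the private-VLAN case assumes the usual isolated-port semantics (isolated ports can reach only the promiscuous port, which here is the firewall).

```python
"""Model of a hub DMZ that terminates partner/branch VPN appliances behind a
three-legged firewall.  Added example with constructed addresses and policy;
it is not a description of any real product's behaviour."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnEndpoint:
    name: str        # VPN appliance sitting on the DMZ segment (constructed)
    dmz_ip: str      # its address on the DMZ leg (constructed)
    remote_net: str  # partner or branch network reachable through its tunnel


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str      # "accept" or "drop"


@dataclass(frozen=True)
class Verdict:
    delivered: bool
    inspected: bool  # True only if the gateway firewall's DMZ policy saw the packet
    path: tuple      # hops the packet took, for the reader


class HubDmz:
    """The DMZ leg of the gateway firewall, with one or more VPN appliances on it."""

    def __init__(self, endpoints, inside_nets, dmz_policy, private_vlan=False):
        self.endpoints = list(endpoints)
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        # Policy on the firewall's DMZ interface: first match wins, default deny.
        self.dmz_policy = [(ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst), r.action)
                           for r in dmz_policy]
        # Assumed private-VLAN semantics: appliances on isolated ports, firewall on the
        # promiscuous port, so an appliance can only ever talk to the firewall.
        self.private_vlan = private_vlan

    def _endpoint_for(self, ip):
        for ep in self.endpoints:
            if ip in ipaddress.ip_network(ep.remote_net):
                return ep
        return None

    def _policy_accepts(self, src, dst):
        for s, d, action in self.dmz_policy:
            if src in s and dst in d:
                return action == "accept"
        return False  # implicit cleanup rule

    def forward(self, src_ip, dst_ip):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        ingress = self._endpoint_for(src)
        if ingress is None:
            return Verdict(False, False, ("not from any tunnel",))
        path = [f"tunnel:{ingress.name}"]
        egress = self._endpoint_for(dst)
        if egress is not None and egress is not ingress:
            # Destination is behind ANOTHER appliance on the same DMZ segment.
            if not self.private_vlan:
                # Plain layer-2 forwarding appliance to appliance; the firewall is
                # never consulted, so the DMZ policy cannot stop this.
                path += ["dmz-l2", f"tunnel:{egress.name}({egress.dmz_ip})"]
                return Verdict(True, False, tuple(path))
            # Isolated ports force the packet to the firewall, which must hairpin it.
            path.append("fw-dmz-policy")
            if self._policy_accepts(src, dst):
                path.append(f"tunnel:{egress.name}({egress.dmz_ip})")
                return Verdict(True, True, tuple(path))
            return Verdict(False, True, tuple(path))
        if any(dst in n for n in self.inside_nets):
            # Inside networks are only reachable through the firewall's DMZ interface.
            path.append("fw-dmz-policy")
            if self._policy_accepts(src, dst):
                path.append("inside")
                return Verdict(True, True, tuple(path))
            return Verdict(False, True, tuple(path))
        return Verdict(False, False, tuple(path + ["no route"]))


# Constructed topology: three partner tunnels on one DMZ leg, one inside network.
PARTNERS = [
    VpnEndpoint("vpn-a", "172.16.0.11", "10.1.0.0/16"),
    VpnEndpoint("vpn-b", "172.16.0.12", "10.2.0.0/16"),
    VpnEndpoint("vpn-c", "172.16.0.13", "10.3.0.0/16"),
]
INSIDE = ["192.168.0.0/16"]
POLICY = [
    Rule("10.1.0.0/16", "192.168.10.0/24", "accept"),
    Rule("10.2.0.0/16", "192.168.10.0/24", "accept"),
    Rule("10.0.0.0/8", "10.0.0.0/8", "drop"),  # no partner-to-partner traffic via the hub
]


def flat_dmz():
    return HubDmz(PARTNERS, INSIDE, POLICY, private_vlan=False)


def isolated_dmz():
    return HubDmz(PARTNERS, INSIDE, POLICY, private_vlan=True)


if __name__ == "__main__":
    flows = [("10.1.0.5", "192.168.10.7"), ("10.1.0.5", "192.168.20.1"), ("10.1.0.5", "10.2.0.9")]
    for hub in (flat_dmz(), isolated_dmz()):
        for s, d in flows:
            v = hub.forward(s, d)
            print(f"pvlan={hub.private_vlan!s:5} {s} -> {d}: delivered={v.delivered} "
                  f"inspected={v.inspected} via {' > '.join(v.path)}")
```

Run it and the flat-DMZ case shows partner A reaching partner B's network with `inspected=False` even though the DMZ policy explicitly drops 10/8 to 10/8; only the isolated-port variant forces that flow through `fw-dmz-policy`, where the drop rule takes effect. That is the check to make when auditing such a hub: for every pair of appliances on the DMZ leg, confirm that a packet between them cannot be switched at layer 2 without passing the firewall.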