RE: [FW1] Can I setup a VPN this way?
Hi Ivan,

If I understand the question correctly... VLANs are not a security mechanism but simply a way to have multiple logical networks on one physical device (in their most common use). They introduce _no_ security into the environment. You could really say that they actually decrease security when used instead of traditional routers (or firewalls) due to problems like VLAN hopping: going from one VLAN to another using layer-2 functionality and bypassing the routing engine completely.

While you could set up routing between three layer-3 switches like in your drawing, and I suppose you could put ACLs on the routing engine in the switches so when routing from one VLAN (switch in this case) to another there would be some form of access control, you would completely lose your ability to do any form of encryption, hence your objective in setting up the VPN in the first place... I assume.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice
E-mail [email protected]
Web http://www.kde.state.ky.us/

> -----Original Message-----
> From: Ivan Fox [mailto:[email protected]]
> Sent: Tuesday, February 13, 2001 7:49 PM
> To: Michael Batchelder
> Cc: Firewall-Wizards@Nfr.Net; Firewalls@Lists.Gnac.Net; Firewall-1
> Subject: Re: [FW1] Can I setup a VPN this way?
>
> Michael;
>
> If these sites use L3 switches, would VLAN provide the same level of
> security as VPN?
>
> Thanks,
>
> ----- Original Message -----
> From: "Michael Batchelder" <[email protected]>
> To: "Ivan Fox" <[email protected]>
> Cc: "Firewall-Wizards@Nfr.Net" <[email protected]>;
> "Firewalls@Lists.Gnac.Net" <[email protected]>; "Firewall-1"
> <[email protected]>
> Sent: Tuesday, February 13, 2001 7:18 PM
> Subject: Re: [FW1] Can I setup a VPN this way?
>
> > A clarification would be good, here. Are you trying to send VPN traffic
> > from A, thru B, to C and back, or do you want to send traffic from A to
> > both B and C? Either one is possible. The latter scenario is the same
> > as the former scenario with the addition of an A->B VPN tunnel. So you
> > just need to know, at most:
> >
> > 1) how to set up vpn tunnels between two firewalls
> > 2) how to pass vpn tunnels through a firewall
> >
> > I'll assume you want to do IPSec vpn, and not FWZ...
> >
> > For 1, consult the docs and Checkpoint's web site, or www.phoneboy.com.
> > There should be enough info and examples to do that. For 2, to pass
> > IPSec through a fw, you need a rule on B to permit the appropriate IP
> > *protocol*, AH or ESP or both (probably just ESP). Both protocols are
> > defined service objects, and are in the service group "IPSec". You also
> > need to permit IKE if you're using it, which is UDP, port 500. If
> > you're doing NAT at B, this gets a whole lot hairier...
> >
> > Michael
> >
> > Ivan Fox wrote:
> > >
> > > Let's say there are 3 sites in serial, i.e., A --> B --> C. Each site has its
> > > own subnet and Check Point VPN-1. Can I set up a continuous VPN using Check
> > > Point VPN-1 starting from A and ending at C.
> > >
> > > Any pointers are appreciated.
> > >
> > > Ivan
> > >
> > > ================================================================================
> > > To unsubscribe from this mailing list, please see the instructions at
> > > http://www.checkpoint.com/services/mailing.html
> > > ================================================================================
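Michael's point about what the middle firewall has to permit is easy to get wrong, because ESP and AH are IP protocols, not TCP/UDP services with ports. The following is an added example, not part of the original thread and not Check Point configuration: a minimal stateless filter that models the rule set B needs so an A <-> C tunnel can pass through it (ESP, optionally AH, and IKE on UDP/500, between the two gateways only), plus a one-line illustration of why NAT at B gets harder. The gateway addresses and the `Packet` type are constructed for the example.

```python
"""Added example (not from the thread, not Check Point configuration): a
minimal stateless filter that models the rules the middle firewall B needs
so an A <-> C IPsec tunnel can pass through it, as described above:
permit the IP *protocols* ESP (50) and optionally AH (51), plus IKE on
UDP/500, between the two tunnel endpoints only.  Gateway addresses and
the Packet type are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA-assigned IP protocol numbers and the IKE port (real values).
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500

# Constructed addresses for the VPN gateways at sites A and C.
GW_A = "192.0.2.1"
GW_C = "198.51.100.1"

# A rule is (src, dst, ip_proto, dst_port); dst_port is None for protocols
# such as ESP and AH that carry no transport-layer ports at all.
Rule = Tuple[str, str, int, Optional[int]]


@dataclass(frozen=True)
class Packet:
    """Just the header fields a stateless rule looks at (constructed type)."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def ipsec_passthrough_rules(gw_a: str, gw_c: str, allow_ah: bool = False) -> List[Rule]:
    """Rules B needs, in both directions, between the two gateways only."""
    rules: List[Rule] = []
    for src, dst in ((gw_a, gw_c), (gw_c, gw_a)):
        rules.append((src, dst, IP_PROTO_UDP, IKE_PORT))  # IKE key exchange
        rules.append((src, dst, IP_PROTO_ESP, None))      # encrypted payload
        if allow_ah:
            rules.append((src, dst, IP_PROTO_AH, None))   # only if AH is in use
    return rules


def permitted(pkt: Packet, rules: List[Rule]) -> bool:
    """First-match permit; anything not matched is dropped."""
    for src, dst, proto, dport in rules:
        if (pkt.src, pkt.dst, pkt.proto) != (src, dst, proto):
            continue
        if dport is None or pkt.dport == dport:
            return True
    return False


def port_nat_can_translate(pkt: Packet) -> bool:
    """Why NAT at B is 'hairier': port-rewriting NAT needs a transport port
    to rewrite, and ESP/AH packets carry none."""
    return pkt.proto in (IP_PROTO_TCP, IP_PROTO_UDP)


if __name__ == "__main__":
    rules = ipsec_passthrough_rules(GW_A, GW_C)
    for p in (Packet(GW_A, GW_C, IP_PROTO_UDP, IKE_PORT),
              Packet(GW_A, GW_C, IP_PROTO_ESP),
              Packet(GW_A, GW_C, IP_PROTO_TCP, 443),
              Packet("203.0.113.7", GW_C, IP_PROTO_ESP)):
        print(p, "PERMIT" if permitted(p, rules) else "DROP",
              "nat-ok" if port_nat_can_translate(p) else "no-port-nat")
```

The rules are scoped to the two gateway addresses so that ESP from any other host is dropped; permitting "IPSec" from anywhere would let arbitrary encrypted traffic through B unseen. Because ESP matches on protocol number alone, `Packet` has no port for it, which is exactly why a port-based NAT at B has nothing to work with.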