Re: [FW-1] [vpn] VPN tunnel termination????
I currently have 1 dedicated Firewall (FW-1/Nokia) used only for Internet browsing and another separate one only for site-to-site VPN. I have many sites running in a full-blown VPN mesh. On my site-to-site I have a 2-tier level of security. We have had no problems so far. 1 platform is dedicated just for routing (Internet router) and the other platform is dedicated for VPN (FW-1/Nokia). An attacker would have to exploit both platforms to compromise the internal network.

Here comes my problem. We are currently thinking of replacing our current setup with a Cisco router-based VPN. We want to implement a design that uses a Cisco 1750 with the Firewall add-on and encryption accelerator card for our remote sites. These Cisco 1750s will then hub into a Cisco 7000 VPN router running the Cisco Firewall package and accelerator card. We will have 2 hubs located in different states, which are connected to each other via frame. The tunnels between the 1750 and 7000 router are going to be GRE-based with IPSEC because of OSPF. 1 hub is going to be a primary and the other a backup. By using GRE, OSPF should take care of the failover (I hope). Each router at each location (hub and remote site) is going to be connected directly to the network. In other words, one connection to the LAN and the other to the Internet.

My question is: does this compromise my level of security, since I am only using a 1-tier level design by using a Cisco router to be a VPN, firewall and a router?

Regards,
AC

-----Original Message-----
From: Christopher Gripp [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 5:34 PM
To: Cardona, Alberto; [email protected]; [email protected]
Subject: RE: [vpn] VPN tunnel termination????

1. Performance. Let firewalls be firewalls, routers be routers, and VPN devices be VPN devices. The caveat there is price and expediency of deployment. I.e. if you already own a Checkpoint firewall it won't be too difficult to start running a VPN to it. Reasons 2, 3, and 4 make this my least favorite option.

2. Layered security. This architecture goes out the door if you use the same firewall box for your VPN. In my world, VPN boxes have firewalling functionality on them but are not my company's firewalls. Make sense?

3. Availability. I don't like having ALL my critical devices on one box. Having a single firewall to the internet that is also my VPN box is a viable solution for a small business where cost is critical and security is a residual effect. Not for a mission-critical Enterprise.

4. Flexibility. (Sometimes read as: extra administrative burden!)

For an Enterprise-class solution my preference, not that I get my way every time, is to have a border firewall with the VPN device behind that and another firewall behind the VPN. If the VPN device has a firewall on it then the border firewall isn't an absolute necessity, but it certainly adds to the difficulty in compromising the network.

There are distinct advantages to having a firewall in front of AND behind the VPN. Having it in front of the VPN provides protection from attempts to compromise the VPN device itself from the outside (Internet) and protection from DoS attacks. I can limit the traffic to only IPSec-related protocols and thus prevent attempts to telnet, SSH or whatever directly to the VPN device. Having one behind the VPN provides you with the ability to regulate the traffic coming from within the VPN network. I can't do any traffic filtering or protocol-based authentication or filtering when the traffic is still encrypted. But once I have decrypted it, I can run it through another firewall and then have those options. So, if I want to limit a particular group of users to a particular set of protocols or even systems when they are VPNing in, then I can do that with the additional firewall.

Hope that helps.

Christopher Gripp
Systems Engineer
Axcelerant

"To have a right to do a thing is not at all the same as to be right in doing it." -G.K. Chesterton

-----Original Message-----
From: Cardona, Alberto [mailto:[email protected]]
Sent: Wednesday, October 24, 2001 1:06 PM
To: [email protected]; '[email protected]'
Subject: [vpn] VPN tunnel termination????

Does anyone know what the security ramifications are if you terminate a VPN tunnel to a router instead of a firewall/router? For example, is it safer to do a Check Point/Nokia to Check Point/Nokia or PIX to PIX VPN tunnel, OR a router-to-router based tunnel (ex. Cisco 3640 to Cisco 1750)?

Thanks
AC

VPN is sponsored by SecurityFocus.com
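Christopher's two-tier argument (a border firewall that passes only IPSec protocols to the VPN device, and a second firewall that applies per-group policy to the decrypted traffic) modelled as an added Python example; this is not code from the thread, and the addresses, groups and rules are constructed placeholders:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the illustration; nothing here comes from the thread.
VPN_DEVICE = "203.0.113.10"   # outside address of the VPN box
HR_SERVER = "10.1.1.20"       # an internal host behind the second firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "esp" or "ah"
    dport: Optional[int] = None  # only meaningful for tcp/udp


# Tier 1: the border firewall in front of the VPN device. Only what IPSec itself
# needs is permitted to the VPN box: ISAKMP/IKE on UDP 500, ESP (IP proto 50)
# and AH (IP proto 51). Telnet, SSH or anything else aimed at the device is
# dropped here, before it ever reaches the VPN box.
IPSEC_ONLY = {("udp", 500), ("esp", None), ("ah", None)}


def border_allows(pkt: Packet) -> bool:
    """Border rule: traffic to the VPN device must be an IPSec protocol."""
    return pkt.dst == VPN_DEVICE and (pkt.proto, pkt.dport) in IPSEC_ONLY


# Tier 2: the firewall behind the VPN device sees decrypted traffic, so it can
# enforce per-group policy that was impossible while the payload was still
# encrypted. Groups and rules are hypothetical.
INNER_POLICY = {
    "contractors": {(HR_SERVER, "tcp", 443)},   # one host, one protocol
    "staff": None,                              # None = no restriction
}


def inner_allows(group: str, pkt: Packet) -> bool:
    """Inner rule: decrypted traffic must match the group's allowed tuples."""
    allowed = INNER_POLICY.get(group)
    if allowed is None:
        return group in INNER_POLICY      # unknown groups get nothing
    return (pkt.dst, pkt.proto, pkt.dport) in allowed


def evaluate(outer: Packet, group: str, inner: Packet) -> str:
    """Walk a tunnel packet through both tiers and report where it stops."""
    if not border_allows(outer):
        return "dropped at border firewall"
    if not inner_allows(group, inner):
        return "dropped at inner firewall"
    return "delivered to LAN"
```

Collapsing both tiers onto the single router in AC's proposed design removes the first check: whatever the router itself listens on is reachable from the Internet unless its own ACLs reproduce the border rule.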