Re: [FW-1] VPN vs Firewall - Your Thoughts
A VPN that's worth its salt should include some thought (and configuration) as to what specific traffic is actually allowed through the tunnel, not to mention where it's coming from. I find that people tend to be rather easygoing about their VPN setups -- this isn't a wise approach. VPN tunnels should be very precise and specific, as precise and specific as possible or practical.
If your Cisco <-> Cisco VPN doesn't include this kind of forethought, then you are at least in theory asking for trouble from unauthorized parties at the other end of the tunnel.
I tend to prefer having the firewall and VPN gateway in a single box, and more to the point, a single product. It eliminates asymmetric routing issues (topologies where the firewall is bypassed completely) and it eliminates having two different devices involved in traffic handling (topologies where the VPN gateway is either in front of or behind the firewall).
When you have two devices involved it just makes a whole lot of things more complicated and makes it twice as likely that you'll encounter any given problem, whether it be a config snafu that destroys connectivity, or a config oversight that opens up a nice little hole into your supposed-to-be-secured network.
And if you're stuck with two devices... yuck. You could put the VPN box inside the firewall and only allow IKE traffic to it, but then you can't consolidate your access control back onto the firewall. If you put the VPN box outside the firewall, it can't be protected by the firewall. This may be academic if the VPN box only speaks IPSec, but I don't like the idea of an unprotected gateway into my private LAN.
Just one guy's opinion.
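The two controls the post argues for, narrow tunnel selectors and a perimeter rule that admits only IKE/ESP to a VPN box sitting inside the firewall, modelled as a small first-match, default-deny policy evaluator. This is an added example, not code from the poster or from any firewall product; all addresses, subnets and rules are constructed for illustration.

```python
"""Policy checks for the two points in the post above: narrow tunnel selectors
and a perimeter rule that admits only IKE/ESP to an inside VPN gateway.
All addresses and rules below are constructed, not taken from any real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "udp", "tcp" or "esp"
    dport: int = 0    # 0 for protocols without ports (ESP)


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    proto: str
    dport: Optional[int]  # None = any port
    action: str           # "accept" or "drop"


def match(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return "drop"


# Perimeter policy: the VPN gateway (constructed address 10.0.0.5) sits behind
# the firewall, and the only traffic the known remote peer may send it is
# IKE (UDP 500), IKE NAT-T (UDP 4500) and ESP; nothing else reaches it.
VPN_GW = "10.0.0.5/32"
PEER = "203.0.113.10/32"
PERIMETER = [
    Rule(PEER, VPN_GW, "udp", 500, "accept"),
    Rule(PEER, VPN_GW, "udp", 4500, "accept"),
    Rule(PEER, VPN_GW, "esp", None, "accept"),
]

# Tunnel policy: decrypted traffic is filtered again rather than trusted just
# because it came through the tunnel; only the partner's app subnet may reach
# one internal server on TCP 443.
TUNNEL = [Rule("192.168.50.0/24", "10.0.1.20/32", "tcp", 443, "accept")]
```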