I play the game a little on the paranoid side, but if it was my network I would have the inbound encrypted traffic pass through a filtering router (ACLs), then a stateful filtering firewall (such as Check Point). These steps will help ensure that only specific sites are able to establish VPN connections using specific protocols. Then the VPN box will verify, to the extent that it can, that this is a valid connection using established protocols and procedures. Then the UNencrypted traffic would go back through the firewall (on a different interface if the resources and money are available) to be verified for type of traffic, content, etc.

The more layers of protection you have, the more difficult it is for someone to bypass your security and do whatever....

Some questions you will have to ask yourself -- how much risk is associated with that site's traffic? Is the site a trusted site? Are there vendors or third parties who routinely use that site to gain access to the "network"? For what purpose do they need to traverse your network? etc., etc., etc. This will tell you how much money and time you should be willing to spend to secure this "stuff" (that is, above and beyond what you may be able to convince management to give up).

There are other options, like policy-based routing and such, which can help secure the network without using the firewall, but in my opinion they should be used in conjunction, not instead of....
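As an added illustration of the two-stage filtering described in the reply above (this is example configuration, not from the thread or either poster), here is Cisco IOS configuration for the same idea: one access list in front of the VPN box that admits only IKE and ESP from the known partner gateway, and a second access list on the cleartext side that decides what the decrypted traffic may actually reach. The addresses, interface names and the partner's single application server are assumed placeholders from the documentation ranges, and the second list stands in for the Check Point rule the reply would put on that path.

```cisco
! Stage 1: filtering router, outside interface, evaluated BEFORE decryption.
! Only the known partner gateway may talk IKE / NAT-T / ESP to our VPN box.
! 203.0.113.10 = partner VPN gateway, 198.51.100.5 = our VPN concentrator
! (constructed example addresses).
ip access-list extended VPN-ENCRYPTED-IN
 remark Partner gateway -> our concentrator: IKE, NAT-T and ESP only
 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.5 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.5
 remark Anyone else knocking on the concentrator is logged separately
 deny   ip any host 198.51.100.5 log
 deny   ip any any log
!
interface Serial0/0
 description Internet uplink (only the VPN path is shown; other rules omitted)
 ip access-group VPN-ENCRYPTED-IN in
!
! Stage 2: firewall/router interface facing the VPN box's inside (cleartext)
! side, evaluated AFTER decryption. The tunnel only proves who the peer is;
! this list decides what the peer's users may reach.
! 10.20.0.0/16 = partner private network, 10.1.1.20 = the one app server
! they are allowed to use (constructed example addresses).
ip access-list extended VPN-DECRYPTED-IN
 remark Partner network may only reach HTTPS on the designated app server
 permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.20 eq 443
 remark Anything else arriving out of the tunnel is dropped and logged
 deny   ip 10.20.0.0 0.0.255.255 any log
 deny   ip any any log
!
interface FastEthernet0/1
 description To VPN concentrator inside (decrypted) interface
 ip access-group VPN-DECRYPTED-IN in
```

Hits on the two `deny ... log` entries are the detection value of this layout: a log line from VPN-ENCRYPTED-IN means an unexpected source is probing the concentrator, while one from VPN-DECRYPTED-IN means a legitimately authenticated peer is sending traffic it was never meant to.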
----- Original Message -----
Sent: Tuesday, May 07, 2002 1:53 PM
Subject: [FW-1] VPN vs Firewall - Your Thoughts
Hey All,

I am having some mixed thoughts on the difference between a VPN and a Firewall. A VPN allows for encrypted traffic to and from 2 or more points. A Firewall protects networks by allowing or denying packets.

If I have a CISCO to CISCO VPN that does NOT go through a Firewall before entering the internal network, am I secure?

Some will argue that VPN devices such as CISCO can act as firewalls by adding ACLs. My stance is that anything entering into the internal network should go through my CHECKPOINT Firewalls.

Looking for your professional thoughts and opinions.
J. Barber - ccse,scsa
Information Technology
When I see the sea once more, would the sea have seen or not seen me?