Re: [FW-1] VPN vs Firewall - Your Thoughts
It's not an either/or proposition. Firewalls and VPNs meet different needs, although they are sometimes implemented on the same box.

The version of this question that gets asked (frequently, by the way -- it's an FAQ) in VPN fora is: Where should the inbound terminus of my VPN tunnels be, relative to my firewall? The four primary choices are: "in front of it", "behind it", "in parallel with it", or "on it" -- and there are Pro and Con arguments for each of these. But nobody ever says "instead of it"!

The "best" answer (my reading of the consensus) seems to be that the VPNs should terminate at a third (or fourth, or whatever) interface on the firewall, so that (like a third-interface "DMZ") all traffic between the VPN clients and the trusted network (AND the untrusted Internet) must transit the firewall, but there is no opportunity for an outsider to sniff or spoof VPN traffic.

Dave Gillett

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Barber, Jeff @ CKE
Sent: Tuesday, May 07, 2002 10:53 AM
To: [email protected]
Subject: [FW-1] VPN vs Firewall - Your Thoughts

Hey All

I am having some mixed thoughts on the difference between a VPN and a Firewall. A VPN allows for encrypted traffic to and from 2 or more points. A Firewall protects networks by allowing or denying packets.

If I have a CISCO to CISCO VPN that does NOT go through a Firewall before entering the internal network, am I secure? Some will argue that VPN devices such as CISCO can act as firewalls by adding ACLs. My stance is that anything entering into the internal network should go thru my CHECKPOINT Firewalls.

Looking for your professional thoughts and opinions.

J. Barber - ccse,scsa
Information Technology

When I see the sea once more, would the sea have seen or not seen me?
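
The placement question in the reply above can be treated as a reachability check: from the VPN terminus, which zones can be reached without crossing the firewall? This is an added example, not part of the original thread; the four link lists and the node names `internet`, `vpn`, `fw` and `trusted` are constructed simplifications, and the "on it" choice is represented only by its third-interface variant.

```python
from collections import deque

# Constructed, simplified topologies (assumptions, not from the thread).
# Each entry is a list of undirected links between nodes; "vpn" is the
# device where tunnels terminate and "fw" is the firewall.
PLACEMENTS = {
    "in_front":        [("internet", "vpn"), ("vpn", "fw"), ("fw", "trusted")],
    "behind":          [("internet", "fw"), ("fw", "vpn"), ("vpn", "trusted")],
    "parallel":        [("internet", "fw"), ("fw", "trusted"),
                        ("internet", "vpn"), ("vpn", "trusted")],
    "third_interface": [("internet", "fw"), ("fw", "trusted"), ("fw", "vpn")],
}
ZONES = {"internet", "trusted"}


def zones_bypassing_firewall(links, start="vpn", firewall="fw"):
    """Return the zones reachable from `start` without crossing `firewall`."""
    neighbours = {}
    for a, b in links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in neighbours.get(node, ()):
            # Never walk through the firewall: only paths it cannot police count.
            if nxt != firewall and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen & ZONES


def audit(placements=PLACEMENTS):
    """Map each placement name to the sorted zones that bypass the firewall."""
    return {name: sorted(zones_bypassing_firewall(links))
            for name, links in placements.items()}


if __name__ == "__main__":
    for name, bypass in audit().items():
        print(f"{name:16} bypasses firewall towards: {bypass or 'nothing'}")
```

Only the third-interface layout returns an empty set, which is the property the reply describes: traffic between the VPN terminus and either zone has to transit the firewall.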