That's an interesting design, Jeff. But let me ask this: why have the firewall process the same traffic twice (in both its encrypted and decrypted format)? If your firewall is - dare I say - compromised, then your VPN traffic would be viewable to the hacker in its unencrypted format, without having to break into the VPN path. You see, as one of the earlier responses mentioned, your systems should complement each other, not negate their effect. Fine, so you wish to improve the performance of your firewall by removing the task of processing VPN traffic. Then simply put your VPN gateway behind your firewall and have it conduct the encryption/decryption process and then pass the traffic on directly to the internal/external network. You could always use a separate firewall device for your internal traffic if you think this is necessary, but the point is, the wily hacker must now break into TWO SEPARATE systems to get into either your internal network or your VPN traffic (unless he already has your keys!)

-CJ
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Barber, Jeff @ CKE
Sent: Wednesday, May 08, 2002 12:32 PM
To: [email protected]
Subject: Re: [FW-1] VPN vs Firewall - Your Thoughts
I greatly appreciate all the responses to my question. You guys have cleared this up for me and now I am able to explain the pros and cons of placing the VPN outside or behind the firewall to my management.

From a network design perspective, I think the VPN IPSEC traffic should come through the firewall to a CISCO VPN device; the unencrypted CISCO traffic will then be forwarded back to the firewall for filtering on a different interface. The firewall will then pass the permitted traffic to the internal network.

My choice in doing it this way with the Ciscos is to cut down on the encrypt/decrypt processing of the firewall.

Thanks Again

-J
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Barber, Jeff @ CKE
Sent: Tuesday, May 07, 2002 10:53 AM
To: [email protected]
Subject: [FW-1] VPN vs Firewall - Your Thoughts
Hey All

I am having some mixed thoughts on the difference between a VPN and a Firewall.

A VPN allows for encrypted traffic to and from 2 or more points. A Firewall protects networks by allowing or denying packets.

If I have a CISCO to CISCO VPN that does NOT go through a Firewall before entering the internal network, am I secure?

Some will argue that VPN devices such as CISCO can act as firewalls by adding ACLs. My stance is that anything entering into the internal network should go through my CHECKPOINT Firewalls.

Looking for your professional thoughts and opinions.

J. Barber - ccse,scsa
Information Technology

When I see the sea once more,
would the sea have seen or not seen me?
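As an added illustration of the design Jeff describes (IPsec arriving on one firewall interface and going to the VPN device, decrypted traffic coming back on a second interface for filtering), here is a small Python model of the resulting two-interface rule base. It is not code from the thread, from Check Point or from Cisco; the interface names, the addresses (RFC 5737 documentation ranges) and the single permitted plaintext service are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str             # interface the packet arrives on
    proto: str             # "esp", "udp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any port / protocol without ports
    action: str            # "accept" or "drop"


# Constructed topology (placeholders, not from the thread).
REMOTE_PEER = "203.0.113.10/32"   # far-end Cisco VPN gateway
VPN_OUTSIDE = "198.51.100.5/32"   # our VPN device, Internet-facing address
SITE_NET    = "192.168.50.0/24"   # remote site's network carried inside the tunnel
FILE_SERVER = "10.1.2.3/32"       # the one internal host the remote site may reach

OUTSIDE_IF = "eth0"   # Internet-facing firewall interface
VPN_IF     = "eth2"   # interface where the VPN device hands back decrypted traffic

POLICY: List[Rule] = [
    # Leg 1, outside interface: only the tunnel itself may reach the VPN device.
    Rule(OUTSIDE_IF, "udp", REMOTE_PEER, VPN_OUTSIDE, 500,  "accept"),  # IKE
    Rule(OUTSIDE_IF, "udp", REMOTE_PEER, VPN_OUTSIDE, 4500, "accept"),  # IKE/ESP over NAT-T
    Rule(OUTSIDE_IF, "esp", REMOTE_PEER, VPN_OUTSIDE, None, "accept"),  # IPsec ESP
    # Leg 2, VPN interface: the decrypted packets are filtered a second time,
    # now on their real source, destination and service.
    Rule(VPN_IF, "tcp", SITE_NET, FILE_SERVER, 445, "accept"),
    # Anything unmatched on any interface falls through to the default deny in decide().
]


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface or rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """First matching rule wins; a packet no rule matches is dropped."""
    for rule in policy:
        if _matches(rule, pkt):
            return rule.action
    return "drop"


def tunnel_flow(plain: Packet) -> dict:
    """Evaluate one remote-site flow on both legs the firewall sees it on:
    first as the ESP packet that carries it, then as the decrypted packet."""
    esp = Packet(OUTSIDE_IF, "esp", "203.0.113.10", "198.51.100.5")
    return {"encrypted_leg": decide(esp), "decrypted_leg": decide(plain)}


if __name__ == "__main__":
    smb = Packet(VPN_IF, "tcp", "192.168.50.20", "10.1.2.3", 445)
    other = Packet(VPN_IF, "tcp", "192.168.50.20", "10.1.2.3", 3389)
    print("file-server SMB from the site:", tunnel_flow(smb))
    print("other service from the site:  ", tunnel_flow(other))
```

The second block of rules is exactly the extra pass CJ objects to: the firewall must hold plaintext policy for the tunnel's contents as well as the IKE/ESP policy for the tunnel itself. In the alternative he describes (VPN gateway behind the firewall), only the first block lives on the perimeter firewall, and the plaintext rules move to the VPN gateway or to a separate internal firewall.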
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================