
Re: [FW-1] VPN vs Firewall - Your Thoughts

That's an interesting design, Jeff. But let me ask this: why have the firewall process the same traffic twice (in both its encrypted and decrypted format)? If your firewall is - dare I say - compromised, then your VPN traffic would be viewable to the hacker in its unencrypted format, without having to break into the VPN path. You see, as one of the earlier responses mentioned, your systems should complement each other, not negate their effect. Fine, so you wish to improve the performance of your firewall by removing the task of processing VPN traffic. Then simply put your VPN gateway behind your firewall and have it conduct the encryption/decryption process and then pass the traffic on directly to the internal/external network. You could always use a separate firewall device for your internal traffic if you think this is necessary, but the point is, the wily hacker must now break into TWO SEPARATE systems to get into either your internal network or your VPN traffic (unless he already has your keys!).


-CJ


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]]On Behalf Of Barber, Jeff @ CKE
Sent: Wednesday, May 08, 2002 12:32 PM
To: [email protected]
Subject: Re: [FW-1] VPN vs Firewall - Your Thoughts


I greatly appreciate all the responses to my question. You guys have cleared this up for me and now I am able to explain the pros and cons for placing the VPN outside or behind the firewall to my management.

From a network design perspective, I am thinking of having the VPN IPSEC traffic come through the firewall to a CISCO VPN device; the unencrypted CISCO traffic will then be forwarded back to the firewall for filtering on a different interface. The firewall will then pass the permitted traffic to the internal network.

My choice in doing it this way with the Ciscos is to cut down on the encrypt/decrypt processing of the firewall.

Thanks Again
-J
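The two-interface design Jeff describes (IPsec in on one firewall interface, decrypted traffic back in on another) is easiest to reason about when the policy on each interface is written down and checked against sample packets. The following is an added example, not code from the thread and not Check Point or Cisco syntax: a small first-match policy evaluator in Python. The interface names (`outside`, `vpn_clear`), the RFC 5737 documentation addresses, and the sample rules are all constructed assumptions for illustration.

```python
"""Model of a firewall policy for the 'hairpin' VPN placement discussed above.

Topology assumed for the example (not from the thread):
  Internet -> [outside] firewall [vpn_dmz] -> Cisco VPN device (decrypts)
  Cisco VPN inside leg -> [vpn_clear] firewall -> internal network
The firewall sees the encrypted flow on `outside` and the decrypted flow on
`vpn_clear`, so each interface gets its own rule set.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges and private space).
REMOTE_PEER = "203.0.113.10"   # remote site's VPN device, public side
LOCAL_VPN = "198.51.100.5"     # local Cisco VPN device, public side
REMOTE_LAN = "10.20.0.0/16"    # cleartext sources that appear after decryption
APP_SERVER = "10.1.5.20"       # internal host the remote site may reach
ADMIN_NET = "10.1.99.0/24"     # internal management network


@dataclass(frozen=True)
class Packet:
    iface: str                 # firewall interface the packet arrives on
    src: str
    dst: str
    proto: str                 # "esp", "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str
    src: str                   # CIDR or single address
    dst: str
    proto: str                 # protocol name or "any"
    dport: Optional[int]       # None matches any port
    action: str                # "accept" or "drop"
    note: str = ""


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule is bound to one interface; address, protocol and port must all match."""
    if rule.iface != pkt.iface:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.note
    return "drop", "implicit default deny"


HAIRPIN_POLICY = [
    # Encrypted side: only IKE and ESP from the known peer may reach the VPN device.
    Rule("outside", REMOTE_PEER, LOCAL_VPN, "udp", 500, "accept", "IKE from peer"),
    Rule("outside", REMOTE_PEER, LOCAL_VPN, "esp", None, "accept", "ESP from peer"),
    Rule("outside", "0.0.0.0/0", LOCAL_VPN, "any", None, "drop", "nothing else to VPN device"),
    # Decrypted side: the tunnel's cleartext is filtered like any other untrusted source.
    Rule("vpn_clear", REMOTE_LAN, APP_SERVER, "tcp", 443, "accept", "remote site to app server"),
    Rule("vpn_clear", REMOTE_LAN, ADMIN_NET, "any", None, "drop", "remote site may not manage hosts"),
]


def sample_verdicts() -> dict:
    """Evaluate a constructed set of packets and return name -> verdict."""
    packets = {
        "ike_from_peer": Packet("outside", REMOTE_PEER, LOCAL_VPN, "udp", 500),
        "esp_from_peer": Packet("outside", REMOTE_PEER, LOCAL_VPN, "esp"),
        "telnet_to_vpn_device": Packet("outside", "192.0.2.77", LOCAL_VPN, "tcp", 23),
        "esp_from_stranger": Packet("outside", "192.0.2.77", LOCAL_VPN, "esp"),
        "clear_https_to_app": Packet("vpn_clear", "10.20.3.4", APP_SERVER, "tcp", 443),
        "clear_ssh_to_admin": Packet("vpn_clear", "10.20.3.4", "10.1.99.10", "tcp", 22),
        # Cleartext claiming a remote-LAN source but arriving on the Internet side:
        # the vpn_clear rules do not apply there, so default deny catches it.
        "clear_spoofed_outside": Packet("outside", "10.20.3.4", APP_SERVER, "tcp", 443),
    }
    return {name: evaluate(HAIRPIN_POLICY, p)[0] for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:24s} {verdict}")
```

Binding every rule to an interface is what makes the design work: the `outside` rules admit nothing but IKE and ESP from the known peer, while the `vpn_clear` rules only ever see packets that the VPN device has already decrypted, so a cleartext packet with a remote-LAN source address arriving from the Internet matches nothing and is dropped. The model also makes CJ's point visible: the `vpn_clear` rule set operates on plaintext, so in this placement the firewall is in the plaintext path as well as the encrypted one.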

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Barber, Jeff @ CKE
Sent: Tuesday, May 07, 2002 10:53 AM
To: [email protected]
Subject: [FW-1] VPN vs Firewall - Your Thoughts


Hey All,

I am having some mixed thoughts on the difference between a VPN and a Firewall. A VPN allows for encrypted traffic to and from 2 or more points. A Firewall protects networks by allowing or denying packets.

If I have a CISCO to CISCO VPN that does NOT go through a Firewall before entering the internal network, am I secure?

Some will argue that VPN devices such as CISCO can act as firewalls by adding ACLs. My stance is that anything entering into the internal network should go through my CHECKPOINT Firewalls.

Looking for your professional thoughts and opinions.
J. Barber  - ccse,scsa
Information Technology

When I see the sea once more,
would the sea have seen or not seen me?

   All contents © 2004 Network Presence, LLC. All rights reserved.