Firewall & VPN Question

Printable View

January 29th, 2007, 08:08 PM
g3neration

Firewall & VPN Question

Just read from a pretty reliable source that "...Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic the firewall must evaluate...". In the diagram that they provided, it was something like:

Unknown networks->Untrusted networks->External router->Firewall->Internal router

This kind of had me scratching my head as I thought it was standard practice that a firewall be placed between an external and internal reasons for the opposite reasons stated, to provide MORE protection from attacks on either side, because then what would be the point if it provides little additional protection?

On another note, I've designed my network from scratch but since I've never worked with VPN's, I'm not sure where to place them. I thought they were placed on the internal networks but it seems that its supposed to be placed in the DMZ. Just curious as to if that was correct and why.
January 29th, 2007, 08:27 PM
morganlefay

With VPNs you just have to open up and forward the proper ports on the routers..depending on the VPN server\client you are using.

MLF
January 29th, 2007, 09:22 PM
g3neration

Quote:

Originally Posted by morganlefay

With VPNs you just have to open up and forward the proper ports on the routers..depending on the VPN server\client you are using.

MLF

So that means VPN's should go in the DMZ? But isnt it bad practice to open up ports into the internal network from the DMZ?
January 30th, 2007, 03:18 AM
ammo

The "router in front for security reasons" way doesn't really hold ground anymore IMHO:
It used to be that firewalls couldn't hold the load of being the edge device; that isn't so true anymore. They also don't provide much added security either. At best they can only be relied on to do basic stateless filtering (reject bogons, etc).

Now, having a router in front can still be of much use to control your border routing (bgp...), or are just plain required (ISP controled, T1 to ethernet gateway, etc.)

As for the router behind, well, it's simply that router usually offer a better platform for doing your internal network routing (unless you have a really simple network, ie: flat or few static routes).

Concerning your VPN placement, the best would be to have it on a seperate interface/segment on your firewall. Otherwise, using private vlans on your dmz switch would be good. Otherwise, just plain in your dmz (more exposure if a dmz host is compromised, source spoofing could get them a way in...), otherwise, using the firewall as the vpn endpoint is relatively safe too...

Ammo
January 30th, 2007, 03:10 PM
morganlefay

I guess it all depends on what you are trying to do...and what kind of information you want available to your VPN??

Strong passwords, proper file and service security\access...and regular monitoring is a must.

MLF
January 30th, 2007, 11:33 PM
g3neration

Does anyone put a VPN in the internal network or does that become a security risk?

As for the "firewall in front", wouldnt a deep-packet inspection firewall add a lot of security?

I'm just trying to understand why the edge firewall wouldn't add any security benefits. I mean whats the weakness? Are there ways around it if going through the firewall is the only way into the internal network?
January 31st, 2007, 11:25 AM
Raiden

It merely depends which firewall you would have. Most builtin firewalls are coupled with an NAT overload, so that's basically only internal-to-external traffic to be allowed. If yo uwould have a decent firewall, like a netscreen or a checkpoint or pix then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since alot of traffic is tunneled these days.
Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the vpn to the trusted side through rules or access-lists. ANyway it really depends what firewall you have ...
January 31st, 2007, 10:56 PM
g3neration

Quote:

Originally Posted by Raiden

It merely depends which firewall you would have. Most builtin firewalls are coupled with an NAT overload, so that's basically only internal-to-external traffic to be allowed. If yo uwould have a decent firewall, like a netscreen or a checkpoint or pix then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since alot of traffic is tunneled these days.
Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the vpn to the trusted side through rules or access-lists. ANyway it really depends what firewall you have ...

Currently messing around with a Cisco PIX