Thread: Firewall & VPN Question

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    22

    Firewall & VPN Question

    Just read from a pretty reliable source that "...Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic the firewall must evaluate...". In the diagram that they provided, it was something like:

    Unknown networks->Untrusted networks->External router->Firewall->Internal router

    This kind of had me scratching my head, as I thought it was standard practice that a firewall be placed between an external and internal router for the opposite reason stated, to provide MORE protection from attacks on either side. Otherwise what would be the point, if it provides little additional protection?

    On another note, I've designed my network from scratch, but since I've never worked with VPNs, I'm not sure where to place them. I thought they were placed on the internal networks, but it seems that they're supposed to be placed in the DMZ. Just curious as to whether that is correct and why.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    With VPNs you just have to open up and forward the proper ports on the routers... depending on the VPN server\client you are using.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    22
    Quote Originally Posted by morganlefay
    With VPNs you just have to open up and forward the proper ports on the routers... depending on the VPN server\client you are using.

    MLF
    So that means VPNs should go in the DMZ? But isn't it bad practice to open up ports into the internal network from the DMZ?

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    The "router in front for security reasons" way doesn't really hold ground anymore, IMHO:
    It used to be that firewalls couldn't hold the load of being the edge device; that isn't so true anymore. They also don't provide much added security either. At best they can only be relied on to do basic stateless filtering (reject bogons, etc.).

    Now, having a router in front can still be of much use to control your border routing (BGP...), or they are just plain required (ISP controlled, T1 to Ethernet gateway, etc.).

    As for the router behind, well, it's simply that routers usually offer a better platform for doing your internal network routing (unless you have a really simple network, i.e. flat or few static routes).


    Concerning your VPN placement, the best would be to have it on a separate interface/segment on your firewall. Otherwise, using private VLANs on your DMZ switch would be good. Otherwise, just plain in your DMZ (more exposure if a DMZ host is compromised; source spoofing could get them a way in...). Otherwise, using the firewall as the VPN endpoint is relatively safe too...


    Ammo
    Credit travels up, blame travels down -- The Boss

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I guess it all depends on what you are trying to do...and what kind of information you want available to your VPN??

    Strong passwords, proper file and service security\access...and regular monitoring is a must.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    22
    Does anyone put a VPN in the internal network or does that become a security risk?

    As for the "firewall in front", wouldn't a deep-packet inspection firewall add a lot of security?

    I'm just trying to understand why the edge firewall wouldn't add any security benefits. I mean, what's the weakness? Are there ways around it if going through the firewall is the only way into the internal network?

  7. #7
    Shrekkie Reloaded
    Join Date
    Oct 2005
    Posts
    1,115
    It merely depends which firewall you would have. Most built-in firewalls are coupled with a NAT overload, so that's basically only internal-to-external traffic to be allowed. If you would have a decent firewall, like a NetScreen or a Checkpoint or PIX, then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since a lot of traffic is tunneled these days.
    Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the VPN to the trusted side through rules or access-lists. Anyway, it really depends what firewall you have...
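    The placement Ammo (#4) and Raiden (#7) describe, a VPN endpoint on its own firewall interface or on the untrusted side, with rules permitting only the VPN protocols inbound and only specific services from the VPN segment into the trusted side, is modelled below as an added example. It is not code from this thread or from any poster; the interface names, addresses (documentation and RFC 1918 ranges), ports and the hypothetical file server are all constructed assumptions. It also models the point from #4 about a compromised DMZ host spoofing a VPN source address: an interface-based anti-spoof check drops such packets because the VPN segment sits on a different firewall interface.

```python
"""Zone-based firewall policy model for VPN placement.

Constructed example (not from the thread). The firewall has four interfaces:
  outside - untrusted Internet side
  dmz     - public servers, 192.0.2.0/24
  vpn     - dedicated VPN segment: concentrator's outer address 203.0.113.2,
            tunnel client pool 10.10.0.128/25 routed via the concentrator
  inside  - trusted network 10.0.0.0/16; hypothetical file server 10.0.1.10
Packets pass an interface-based anti-spoof check, then first-match rules with
an implicit deny. The model is stateless; a real firewall would also permit
return traffic for established sessions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str                    # ingress interface (zone) the packet arrived on
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "esp"
    dport: Optional[int] = None   # None for protocols without ports (ESP)


# Networks legitimately sourced on each directly attached interface.
ZONE_NETS = {
    "dmz": [ip_network("192.0.2.0/24")],
    "vpn": [ip_network("203.0.113.0/24"), ip_network("10.10.0.0/24")],
    "inside": [ip_network("10.0.0.0/16")],
}
ATTACHED = [n for nets in ZONE_NETS.values() for n in nets]

VPN_CONCENTRATOR = ip_network("203.0.113.2/32")
VPN_CLIENT_POOL = ip_network("10.10.0.128/25")
FILE_SERVER = ip_network("10.0.1.10/32")
ANY = ip_network("0.0.0.0/0")

# (ingress iface, src net, dst net, proto, dport or None, action, description)
RULES = [
    ("outside", ANY, VPN_CONCENTRATOR, "udp", 500, "permit", "IKE to VPN endpoint"),
    ("outside", ANY, VPN_CONCENTRATOR, "udp", 4500, "permit", "IKE NAT-T to VPN endpoint"),
    ("outside", ANY, VPN_CONCENTRATOR, "esp", None, "permit", "ESP to VPN endpoint"),
    ("vpn", VPN_CLIENT_POOL, FILE_SERVER, "tcp", 445, "permit", "VPN clients to file share"),
    ("inside", ip_network("10.0.0.0/16"), ANY, "tcp", None, "permit", "internal TCP egress"),
]


def anti_spoof(pkt, src):
    """True if the source address is plausible for the ingress interface."""
    if pkt.iface == "outside":
        # Addresses of our own attached networks must never arrive from the Internet.
        return not any(src in net for net in ATTACHED)
    nets = ZONE_NETS.get(pkt.iface)
    return nets is not None and any(src in net for net in nets)


def evaluate(pkt):
    """Return (verdict, reason): anti-spoof first, then first matching rule, else deny."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if not anti_spoof(pkt, src):
        return ("deny", f"anti-spoof: {pkt.src} not valid on interface {pkt.iface}")
    for iface, snet, dnet, proto, dport, action, desc in RULES:
        if (pkt.iface == iface and src in snet and dst in dnet
                and pkt.proto == proto and (dport is None or pkt.dport == dport)):
            return (action, desc)
    return ("deny", "implicit deny")


# Constructed sample traffic covering the cases discussed in the thread.
SAMPLE_PACKETS = {
    "ike_from_internet": Packet("outside", "198.51.100.7", "203.0.113.2", "udp", 500),
    "esp_from_internet": Packet("outside", "198.51.100.7", "203.0.113.2", "esp"),
    "smb_from_internet": Packet("outside", "198.51.100.7", "10.0.1.10", "tcp", 445),
    "vpn_client_to_share": Packet("vpn", "10.10.0.130", "10.0.1.10", "tcp", 445),
    "vpn_client_to_rdp": Packet("vpn", "10.10.0.130", "10.0.2.5", "tcp", 3389),
    "dmz_host_spoofing_vpn": Packet("dmz", "10.10.0.130", "10.0.1.10", "tcp", 445),
}


def evaluate_samples():
    """Verdict per sample packet, keyed by sample name."""
    return {name: evaluate(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        verdict, reason = evaluate(pkt)
        print(f"{name:24} {verdict:7} ({reason})")
```

    The last sample is the one that matters for the DMZ-versus-own-segment question: the spoofed packet is dropped not by a policy rule but by the anti-spoof check, which only works because the firewall knows that the VPN pool cannot legitimately arrive on the DMZ interface. If the VPN concentrator shared the DMZ, that check would have nothing to distinguish the two.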

  8. #8
    Junior Member
    Join Date
    Nov 2005
    Posts
    22
    Quote Originally Posted by Raiden
    It merely depends which firewall you would have. Most built-in firewalls are coupled with a NAT overload, so that's basically only internal-to-external traffic to be allowed. If you would have a decent firewall, like a NetScreen or a Checkpoint or PIX, then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since a lot of traffic is tunneled these days.
    Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the VPN to the trusted side through rules or access-lists. Anyway, it really depends what firewall you have...
    Currently messing around with a Cisco PIX
