-
January 29th, 2007, 08:08 PM
#1
Junior Member
Firewall & VPN Question
Just read from a pretty reliable source that "...Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic the firewall must evaluate...". In the diagram that they provided, it was something like:
Unknown networks->Untrusted networks->External router->Firewall->Internal router
This kind of had me scratching my head, as I thought it was standard practice that a firewall be placed between an external and internal router for the opposite reasons stated, to provide MORE protection from attacks on either side, because then what would be the point if it provides little additional protection?
On another note, I've designed my network from scratch, but since I've never worked with VPNs, I'm not sure where to place them. I thought they were placed on the internal networks, but it seems that it's supposed to be placed in the DMZ. Just curious as to if that was correct and why.
-
January 29th, 2007, 08:27 PM
#2
With VPNs you just have to open up and forward the proper ports on the routers, depending on the VPN server/client you are using.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 29th, 2007, 09:22 PM
#3
Junior Member
Originally Posted by morganlefay
With VPNs you just have to open up and forward the proper ports on the routers, depending on the VPN server/client you are using.
MLF
So that means VPNs should go in the DMZ? But isn't it bad practice to open up ports into the internal network from the DMZ?
-
January 30th, 2007, 03:18 AM
#4
The "router in front for security reasons" way doesn't really hold ground anymore IMHO:
It used to be that firewalls couldn't hold the load of being the edge device; that isn't so true anymore. They also don't provide much added security either. At best they can only be relied on to do basic stateless filtering (reject bogons, etc).
Now, having a router in front can still be of much use to control your border routing (BGP...), or they are just plain required (ISP controlled, T1 to Ethernet gateway, etc.).
As for the router behind, well, it's simply that routers usually offer a better platform for doing your internal network routing (unless you have a really simple network, i.e. flat or few static routes).
Concerning your VPN placement, the best would be to have it on a separate interface/segment on your firewall. Otherwise, using private VLANs on your DMZ switch would be good. Otherwise, just plain in your DMZ (more exposure if a DMZ host is compromised, source spoofing could get them a way in...). Otherwise, using the firewall as the VPN endpoint is relatively safe too...
Ammo
Credit travels up, blame travels down -- The Boss
-
January 30th, 2007, 03:10 PM
#5
I guess it all depends on what you are trying to do...and what kind of information you want available to your VPN??
Strong passwords, proper file and service security\access...and regular monitoring is a must.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 30th, 2007, 11:33 PM
#6
Junior Member
Does anyone put a VPN in the internal network or does that become a security risk?
As for the "firewall in front", wouldn't a deep-packet inspection firewall add a lot of security?
I'm just trying to understand why the edge firewall wouldn't add any security benefits. I mean, what's the weakness? Are there ways around it if going through the firewall is the only way into the internal network?
-
January 31st, 2007, 11:25 AM
#7
It merely depends which firewall you would have. Most built-in firewalls are coupled with a NAT overload, so that's basically only internal-to-external traffic to be allowed. If you would have a decent firewall, like a NetScreen or a Checkpoint or PIX, then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since a lot of traffic is tunneled these days.
Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the VPN to the trusted side through rules or access-lists. Anyway, it really depends what firewall you have ...
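The placement advice in #4 (VPN on its own firewall interface rather than in the shared DMZ, because a compromised DMZ host could spoof its way in) and in #7 (terminate on the untrusted side, then permit VPN-to-trusted traffic only through explicit rules) can be modelled as a small zone-based policy. This is an added example, not code from the thread or from any firewall vendor; all zones, addresses and rules are constructed sample values.

```python
"""Zone-based firewall policy model (added example, constructed values).

Each zone is a separate firewall interface. Flows are classified by the
interface they arrive on, checked for source-address spoofing against that
interface's network, then matched first-hit against a default-deny rule list.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: str    # destination network the rule covers
    proto: str      # "tcp" or "udp"
    dport: int      # 0 means any destination port
    action: str     # "permit" or "deny"


# Constructed interface/zone map; "vpn" is the VPN client address pool
# terminated on its own firewall interface, as recommended in #4.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/16"),
    "dmz":      ipaddress.ip_network("192.168.100.0/24"),
    "vpn":      ipaddress.ip_network("10.8.0.0/24"),
}

# First match wins; anything unmatched is dropped (default deny).
POLICY = [
    # VPN users may reach the file server (SMB) and the intranet server (HTTPS).
    Rule("vpn", "internal", "10.0.0.5/32", "tcp", 445, "permit"),
    Rule("vpn", "internal", "10.0.0.10/32", "tcp", 443, "permit"),
    # DMZ hosts never initiate into the trusted side (explicit, any port).
    Rule("dmz", "internal", "10.0.0.0/16", "tcp", 0, "deny"),
    # Internal clients may reach the DMZ web tier.
    Rule("internal", "dmz", "192.168.100.0/24", "tcp", 443, "permit"),
]


def zone_of(addr: ipaddress.IPv4Address) -> str:
    """Map a destination address to its zone; unknown space is 'external'."""
    return next((z for z, net in ZONES.items() if addr in net), "external")


def evaluate(ingress: str, src_ip: str, dst_ip: str, proto: str, dport: int,
             policy=POLICY) -> str:
    """Return 'permit' or 'deny' for a flow arriving on interface `ingress`."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Anti-spoofing: the source must belong to the interface it arrived on.
    # This only works because the VPN pool has its own interface; on a shared
    # DMZ segment the firewall could not tell a DMZ host from a VPN client.
    if ingress in ZONES and src not in ZONES[ingress]:
        return "deny"
    src_zone = ingress if ingress in ZONES else "external"
    dst_zone = zone_of(dst)
    for r in policy:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, proto):
            continue
        if dst not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dport not in (0, dport):
            continue
        return r.action
    return "deny"
```

The check that matters is the fourth case below: a DMZ host that forges a VPN-pool source address is dropped only because the pool sits on a different interface than the DMZ.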
-
January 31st, 2007, 10:56 PM
#8
Junior Member
Originally Posted by Raiden
It merely depends which firewall you would have. Most built-in firewalls are coupled with a NAT overload, so that's basically only internal-to-external traffic to be allowed. If you would have a decent firewall, like a NetScreen or a Checkpoint or PIX, then it would depend on what traffic you allow. I don't see any problems in having a firewall in this setup you propose, although an IDS is preferred since a lot of traffic is tunneled these days.
Concerning the VPN, I would terminate them in the untrusted side of the firewall and then allow traffic from the VPN to the trusted side through rules or access-lists. Anyway, it really depends what firewall you have ...
Currently messing around with a Cisco PIX