Security Basics mailing list archives

RE: Vpn concentrator - health care client
From: Shawn Wall <sjwall () shaw ca>
Date: Fri, 10 Dec 2004 14:31:01 -0700

Typically the VPN Concentrator is deployed in parallel with a firewall.
Opening ports in your firewall should be avoided when possible. If you are
going to use the concentrator anyway, deploy it outside the firewall. 

Alternatively, you could use the 501 to host a VPN. Remote users can
establish a VPN connection and connect to the web app. The issue with this
is that the remote users will require the Cisco VPN client. There is also the
trust in remote clients, i.e. do they have antivirus, usage policies, etc.
The VPN Concentrator overcomes those issues since it creates a clientless
SSL VPN and does not expose the internal network.


-----Original Message-----
From: Kris Wingard [mailto:kwingard () synergisticusa com] 
Sent: Friday, December 10, 2004 8:01 AM
To: security-basics () securityfocus com
Subject: Vpn concentrator - health care client

We have a health care client who is looking into a VPN solution.  They need
to allow up to 500 different users to come in over a VPN to run a web
application, though will probably never have more than 50 concurrent
connections.  They only have about 30 users at the main office who get out
to the internet, etc.  We were considering recommending a PIX 501 to secure
the connection and a VPN 3005 concentrator to terminate the VPN connections.
I would prefer to put in a PIX 515 so we could put the concentrator in a
DMZ, but they are very price sensitive and they don't really need a 515 at
all.  My question is, is it ok (being that they are
healthcare) to simply put the concentrator behind the PIX 501 and just
forward the VPN traffic in to it?  Any insight would be appreciated.

 Kris Wingard
  Network Engineer
  Synergistic Networks, Inc.  
  7 South Main Street
  Suite 217
  Wilkes-Barre, PA  18701
  Phone: 570.408.9888
  Fax: 570.408.9889
  Email:  kwingard () synergisticusa com
  Web: www.synergisticusa.com
