Home page logo
/

basics logo Security Basics mailing list archives

RE: Vpn concentrator - health care client
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 13 Dec 2004 20:34:27 +0100

comments inline

Typically the VPN Concentrator is deployed in parallel with a 
firewall.

If you use a VPN-Concentrator, then you should definately have it in a DMZ.

Opening ports in your firewall should be avoided when 
possible. 

In this case, you have to open udp500 and esp anyway, so you might as well
do it right on the firewall. If someone cracks your firewall, it doesn't
matter where the vpn-concentrator was. If you are not planning on using
RADIUS or some other kind of external auth, then you might want a
concentrator as well as a firewall. If you are using external auth then it's
not too evil to use a firewall for vpn. It's not like you have to open
management ports from the outside or anything.

If you are
going to use the concentrator anyway, deploy it outside the firewall. 

You were right the first time, parallel to the firewall is better.

Alternatively, you could use the 501 to host a VPN. Remote users can
establish a VPN connection and conncet to the web app. The 
issue with this
is that the remote users will require the Cisco VPN client. 

That's no difference to a cisco vpn-3000 in 'normal' mode. I assumed (i
know, that's a bad habit) that the original poster wanted to do a vpn with
cisco client.

Also is the
trust in remote clients, i.e. Do they have antivirus, usage 
policies, etc.
The VPN Concentrator overcomes those issues since it creates 
a clientless
SSL VPN and does not expose the internal network.

Depends on deployment, most people use cisco vpn's for L2TP/IPSec. The
Juniper or CheckPoint devices are better known (in my circles) for SSL-VPN.

Cheers,

Chris


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault