mailing list archives
RE: Vpn concentrator - health care client
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Mon, 13 Dec 2004 20:34:27 +0100
Typically the VPN Concentrator is deployed in parallel with a
If you use a VPN-Concentrator, then you should definately have it in a DMZ.
Opening ports in your firewall should be avoided when
In this case, you have to open udp500 and esp anyway, so you might as well
do it right on the firewall. If someone cracks your firewall, it doesn't
matter where the vpn-concentrator was. If you are not planning on using
RADIUS or some other kind of external auth, then you might want a
concentrator as well as a firewall. If you are using external auth then it's
not too evil to use a firewall for vpn. It's not like you have to open
management ports from the outside or anything.
If you are
going to use the concentrator anyway, deploy it outside the firewall.
You were right the first time, parallel to the firewall is better.
Alternatively, you could use the 501 to host a VPN. Remote users can
establish a VPN connection and conncet to the web app. The
issue with this
is that the remote users will require the Cisco VPN client.
That's no difference to a cisco vpn-3000 in 'normal' mode. I assumed (i
know, that's a bad habit) that the original poster wanted to do a vpn with
Also is the
trust in remote clients, i.e. Do they have antivirus, usage
The VPN Concentrator overcomes those issues since it creates
SSL VPN and does not expose the internal network.
Depends on deployment, most people use cisco vpn's for L2TP/IPSec. The
Juniper or CheckPoint devices are better known (in my circles) for SSL-VPN.