mailing list archives
Integrated VPN/FW Paranoia
From: "Cary, Kim" <Kim.Cary () pepperdine edu>
Date: Mon, 22 May 2006 09:15:47 -0700
Well, for months I've been saying: "When you get the VPN, we'll put it on
its own subnet/vlan behind the firewall." Now, I can see the administrative
pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
Value engineering, IMO.
If we have to 'restart' the VPN for some reason, I don't want to restart the
firewall. Further, I want the VPN traffic dumped where our IDS can see it
before it goes elsewhere (hence the desire to put it on its own subnet). I
realize I'm somewhat inexperienced here, so any opinions from the list
members would be appreciated.
Would you put an integrated device in front of your class B network and
expect it to both protect (fw) and serve (vpn)?
If you had to support both internal customers using VPN for auth/encrypt
access to 'special' ports related to secured apps as well as remote
customers just trying to use vanilla 'lan' apps would you put your VPN on
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
- Integrated VPN/FW Paranoia Cary, Kim (May 22)