Home page logo

firewall-wizards logo Firewall Wizards mailing list archives

Integrated VPN/FW Paranoia
From: "Cary, Kim" <Kim.Cary () pepperdine edu>
Date: Mon, 22 May 2006 09:15:47 -0700

Hi all,

Well, for months I've been saying: "When you get the VPN, we'll put it on
its own subnet/vlan behind the firewall." Now, I can see the administrative
pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
Value engineering, IMO. 

If we have to 'restart' the VPN for some reason, I don't want to restart the
firewall. Further, I want the VPN traffic dumped where our IDS can see it
before it goes elsewhere (hence the desire to put it on its own subnet). I
realize I'm somewhat inexperienced here, so any opinions from the list
members would be appreciated. 

Would you put an integrated device in front of your class B network and
expect it to both protect (fw) and serve (vpn)?

If you had to support both internal customers using VPN for auth/encrypt
access to 'special' ports related to secured apps as well as remote
customers just trying to use vanilla 'lan' apps would you put your VPN on
the border?

Thanks much!
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]