Re: Integrated VPN/FW Paranoia
From: Kevin <kkadow () gmail com>
Date: Mon, 22 May 2006 18:15:30 -0500
On 5/22/06, Cary, Kim <Kim.Cary () pepperdine edu> wrote:
> Well, for months I've been saying: "When you get the VPN, we'll put it on
> its own subnet/vlan behind the firewall." Now, I can see the administrative
> pressure coming to use the VPN device (ASA5520) as the firewall and the VPN.
> Value engineering, IMO.
This, IMHO, is what Cisco wants you to deploy.
Not that it is a bad approach, just lacking defense-in-depth.
> If we have to 'restart' the VPN for some reason,
> I don't want to restart the firewall
Nor vice-versa. In my environment we have different teams handling
routing (including site-to-site VPN) and security (including end-user
VPN). And it's a toss-up into which camp a Cisco "firewall blade" or
ASA device would fall, so we have political reasons for distinct
hardware for each function.
> Would you put an integrated device in front of your class B network and
> expect it to both protect (fw) and serve (vpn)?
I wouldn't -- unless budget is the prime (sole) driving force.
Generally what I've deployed is a (stateful, if money permits) packet
filter on the outermost edge, with a dedicated VPN tunnel-terminator
device (VAM, etc) behind the first layer of filtering. An interface
on the VPN device connects into a "real" firewall where traffic from
VPN, vendors, and other foreign networks is inspected.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com