
VPN traffic and Firewall traffic in the same 'box'




I'm interested in what folk think on the 'wisdom' of performing Firewall and
VPN gateway (IPSEC) features in the same system/gateway/router.

Some customers are apprehensive that dealing with 'dirty' traffic and
'clean' traffic in the same security system could present risks; others are
happy for these features to co-exist.

The company I work with, and I'm sure many others, have a few 'fully
managed' firewalls/DMZ to reduce the risks, and require small remote sites
to use these main firewalls. The VPN equipment is separate, even with
independent Internet feeds. This model has some scalability issues I guess,
and it seems wasteful for remote sites using Internet-based VPNs to access
the corporate network to not have their own direct firewall features.

Others have augmented an existing firewall with VPN functionality, or
purchased dual personality devices from the outset.

I have been involved in some LAN-LAN VPN offerings that offer a good price
and SLA on the understanding that the connection will not allow (simple
filtering) traffic onto the wider Internet, but just between sister LAN
sites. I guess this keeps the 'off-network' traffic costs down for the
provider. In this case, simple access filters (on the private interface) and
VPN on the public side, would seem plenty.

Views?

Cheers, Steve.