Howard,

Comments embedded:

On 29 Mar 2001, at 13:04, Howard C. Berkowitz wrote:

<snip>

> >  There should also be no way for
> >an untrusted network to bypass your firewall, which there is in this
> >design.
> 
> 
> Kent, I'd be interested in your opinion about an approach I've 
> increasingly used.  Do you consider it evil?
> 
> Traffic comes onto the DMZ from an external screening router.  If it
> is destined for anything not on the DMZ, the options include:
> 
>     -- for IPsec transport mode and other encrypted traffic, send to
>        a router with basic filtering (e.g., verify reverse path and
>        drop traffic with source addresses and your internal network)
>        and traffic policing (to prevent flooding), and let it into the
>        network.  A firewall not participating in the end-to-end
>        encryption can't do anything with the packet -- why load up the
>        firewall with conduits?
>

The decision of where to terminate one's IPSec tunnels is a bit of a 
religious debate, but my preferred approach is to terminate them on 
the perimeter on a VPN box in front of the firewall.

There are arguments as to whether the VPN box can reside in 
parallel with the FW, and there is a school of thought that says 
"yes", especially for performance reasons.  I prefer to have only 
one way in and out of my security perimeters from a functional 
perspective, load-balancing a set of firewalls if it's necessary for 
throughput, but keeping the policies consistent.

As for passing encrypted tunnels through the FW, I don't like 
letting this sort of traffic through a security perimeter. It makes any 
sort of IDS all but worthless and it's usually not necessary.  There 
are always exceptions and there may be cases where one just 
cannot terminate the tunnels on the perimeter, but as a general 
rule of thumb I don't do it.
 
>     -- for traffic using SSL proxies, send to an appropriate gateway,
>     which
>        MAY be the firewall.  Same thing for IPsec tunnel mode security
>        gateways.

Same argument as above. :-)

As you know, there are no absolutes, there are always exceptions 
to every rule. Very high-speed or very complex environments 
always stretch the rules of thumb we like to use.  However, in all 
but the "one-off" scenarios, I try to follow a consistent architecture: 
terminate all encrypted tunnels on a security perimeter and have all 
traffic flow through a firewall(s) that enforce policy.

I've found that this design makes for a very consistent, manageable 
and more secure perimeter.

My .02,
Kent
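As an added illustration of the perimeter design discussed above (this is not part of either author's message): a screening-router fragment in Cisco IOS syntax that applies the reverse-path check, anti-spoofing filter and policing Howard mentions, and admits encrypted traffic only to a VPN box on the DMZ edge, so that the decrypted packets still have to cross the firewall. The interface name, address ranges and host addresses are assumptions.

```cisco
! Screening router, external (ISP-facing) interface.
! Assumed addressing: 192.0.2.0/30 ISP link, 203.0.113.0/24 DMZ,
! 203.0.113.10 = perimeter VPN box, 203.0.113.20 = SSL gateway on the DMZ.
interface Serial0/0
 description Link to ISP
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 in
 ! Reverse-path check (needs CEF): drop packets whose source address
 ! would not be routed back out this interface.
 ip verify unicast reverse-path
 no ip directed-broadcast
 ! Police IKE/ESP toward the VPN box so a flood cannot saturate it
 ! (256 kbit/s, 8 KB normal and excess burst); excess is dropped.
 rate-limit input access-group 150 256000 8000 8000 conform-action transmit exceed-action drop
!
! Anti-spoofing: packets arriving from the Internet must never carry an
! internal (RFC 1918), loopback or DMZ source address.
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 203.0.113.0 0.0.0.255 any log
! Encrypted traffic terminates on the perimeter VPN box only; its cleartext
! side connects to the firewall, so decrypted packets still pass the policy point
! and are visible to the IDS.
access-list 110 permit esp any host 203.0.113.10
access-list 110 permit udp any host 203.0.113.10 eq isakmp
! SSL to the DMZ gateway; everything else is dropped and logged.
access-list 110 permit tcp any host 203.0.113.20 eq 443
access-list 110 deny   ip any any log
!
! Traffic class matched by the rate limiter on the interface above.
access-list 150 permit esp any host 203.0.113.10
access-list 150 permit udp any host 203.0.113.10 eq isakmp
```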


_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html