(1) The Cisco Concentrator allows an admin to put filters at the public interface, the private interface, as well as at the VPN group (user) level. While I don't think it is doing any stateful inspection, it does offer up to layer 4 protection.

(2) Having the Concentrator behind a firewall **may** have one issue you need to deal with IF you are going to use the Cisco WebVPN feature. I didn't really use WebVPN, but in my testing you would need to pay some special attention to SSL certificate setup.

-raymond

At 10:33 AM 5/26/05 -0400, you wrote:
>Yes, correct, I didn't phrase that properly. One issue I would see with your
>method is that the external interface of the concentrator is still fully
>exposed to the Internet. I feel better having Check Point's stateful
>firewall in front of everything because, well, it is a firewall.
>
>With your method, how do you know that the traffic coming off the internal
>interface of the concentrator is authorized? Is there any way for you to
>limit down the concentrator traffic by user or are you doing that on the
>concentrator itself?
>
>Take care,
>
>Ray
>
>
>>From: Rob Schrack <[EMAIL PROTECTED]>
>>Reply-To: Mailing list for discussion of Firewall-1
>><[email protected]>
>>To: [email protected]
>>Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>>Date: Thu, 26 May 2005 00:24:52 -0400
>>
>>Short circuit around the firewall? That's not putting it in front, that's
>>putting it in parallel.
>>
>>Our 3030 is entirely in front of our firewall. Its external interface is
>>plugged into the same router as our IP530's external interface. Its
>>internal interface is plugged INTO the IP530. That way I can filter inbound
>>destinations & ports using the decrypted traffic. Plus I can do it using
>>the same FW-1 policy that I do for anything else trying to come in from the
>>Internet.
>>
>>Rob
>>
>>----- Original Message -----
>>From: Ray
>>To: [email protected]
>>Sent: Wednesday, May 25, 2005 11:12 PM
>>Subject: Re: [FW-1] checkpoint | cisco concentrator [design thoughts]
>>
>>
>>Nothing, repeat NOTHING, in my company is in front of a firewall. The
>>question is not whether it should be behind a firewall, the question is why
>>it should be exposed to the Internet when it could be put behind a
>>firewall.
>>
>>I had a 3030 concentrator behind CP for a while and it worked fine. We used
>>UDP Encapsulation. We filtered everything hitting the concentrator to make
>>sure only the needed ports and protocols were allowed. Putting it in front
>>of the firewall = a potential short circuit around the firewall. A small
>>potential to be sure, but it's still there and does not need to be.
>>
>>Ray
>>
>>>From: ". security" <[EMAIL PROTECTED]>
>>>Reply-To: Mailing list for discussion of Firewall-1
>>><[email protected]>
>>>To: [email protected]
>>>Subject: [FW-1] checkpoint | cisco concentrator [design thoughts]
>>>Date: Wed, 25 May 2005 20:09:56 -0500
>>>
>>>We are going over a new network design, and trying to determine if this is
>>>overkill. Is it necessary to put a Cisco concentrator behind a firewall? I
>>>haven't been able to find a lot of documentation indicating that it's
>>>necessary.
>>>
>>>Here's the design we've come up with:
>>>-public interface, located in the DMZ, statically NATd to a public address
>>>-private interface also located in the same DMZ but on a different network;
>>>this interface is pointed towards the internal network.
>>>
>>>
>>>internet
>>>    |
>>>[firewall]-------------------------------------------------|DMZ
>>>    |                      |                          |
>>>    |             public int [NATd]     private int [faces back to internal net]
>>>    |
>>>internal network
>>>
>>>
>>>
>>>thoughts?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
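As an added illustration of the two placements argued over in this thread (my own example, not code from any poster): a small Python model that tags each hop between network segments with the device whose policy filters it, then reports which Internet-to-target paths never cross the FW-1 rulebase. Segment names and policy labels are assumed; they follow the descriptions Rob and Ray give of their layouts.

```python
# Added example, not code from the thread: models Rob's and Ray's layouts as
# hops between segments, each tagged with the policy filtering that hop, and
# asks which paths from the Internet never cross FW-1. Names are assumed.

# (from_segment, to_segment, policies enforced on traffic crossing the hop)
DESIGNS = {
    # Rob's layout: 3030 public interface on the same router as the IP530's
    # external interface; 3030 private interface plugged into the IP530.
    "in_front": [
        ("internet", "router", set()),
        ("router", "fw1_external", set()),
        ("fw1_external", "internal", {"fw1"}),
        ("router", "conc_public", {"conc_public_filter"}),
        ("conc_public", "conc_private", {"conc_group_filter"}),  # decryption
        ("conc_private", "internal", {"fw1"}),  # decrypted traffic hits FW-1
    ],
    # Ray's layout: both concentrator interfaces in a DMZ behind Check Point,
    # public interface statically NATed, private interface facing internal.
    "behind": [
        ("internet", "fw1_external", set()),
        ("fw1_external", "dmz", {"fw1"}),
        ("dmz", "conc_public", {"conc_public_filter"}),
        ("conc_public", "conc_private", {"conc_group_filter"}),  # decryption
        ("conc_private", "dmz_inner", set()),
        ("dmz_inner", "internal", {"fw1"}),
    ],
}


def all_paths(design, src, dst, seen=()):
    """Simple paths src -> dst as (segment list, union of policies crossed)."""
    if src == dst:
        return [([src], set())]
    found = []
    for a, b, policies in DESIGNS[design]:
        if a == src and b not in seen:
            for segs, pols in all_paths(design, b, dst, seen + (src,)):
                found.append(([src] + segs, policies | pols))
    return found


def paths_bypassing(design, target, required="fw1"):
    """Paths from the Internet to target on which `required` never filters."""
    return [segs for segs, pols in all_paths(design, "internet", target)
            if required not in pols]


if __name__ == "__main__":
    for design, target in [(d, t) for d in DESIGNS for t in ("conc_public", "internal")]:
        print(design, target, "paths skipping FW-1:", paths_bypassing(design, target))
```

Running it shows the point both sides make: in either layout every path to the internal network crosses FW-1, but only in the in-front layout is the concentrator's public interface reachable with nothing but its own filters in the way.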
