Set up VPN tunnel. Do not allow remote sites for direct Internet access... If you are using a proxy server at the corporate site... then if they want Internet access then they have to configure your corporate proxy server on their browser.
This way you will be able to better control their internet usage and any Internet activity for any remote site has to go thru the corporate Proxy server. Yes, it is additional traffic over VPN but you have better control on those remote sites and users.

Just my .002

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of John Lindblom
Sent: Monday, May 12, 2008 1:44 PM
To: [email protected]
Subject: Re: [FW-1] VPN Wire Mode

My initial thought was with Wire Mode this location would be treated like our other remote location with a PtoP T1 line, the big difference though is the remote site with the PtoP T1 is coming through us for internet access allowing us to do web/content filtering to help control security of internet activity. The remote location in Mexico with the VPN has direct access to the internet through the Edge device with no content filtering going on. I'm starting to get a little paranoid now with this whole discussion, I think I might consider throwing a smaller web filter appliance at that location to at least allow some control over their internet access.

John

David DeSimone <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
05/12/08 12:51 PM
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
cc:
Subject: Re: [FW-1] VPN Wire Mode

John Lindblom <[EMAIL PROTECTED]> wrote:
>
> I currently am not using Wire Mode for this Site-to-Site VPN with a
> branch office, it appears if I enable this I could see better
> performance, any reason I wouldn't want to enable Wire Mode for this
> VPN?

In my opinion the main disadvantage to Wire Mode is that logging is no longer performed for VPN traffic. So, if some worm or virus attack begins in a remote office and comes across your firewall, you will not have any logs to show you what's going on.

--
David DeSimone == Network Admin == [EMAIL PROTECTED]

"This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you." --Lawyer Bot 6000

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
