Hi Aylton,
 
It is not really an authentication issue as such (although that comes into play - 
using straight PPTP is not exactly foolproof by any means) but one of convenience 
combined with increased security between the firewalls.
 
With one FW-1 box you are authenticated at the firewall, and have access to the 
resources that you allocate in FW-1.
 
With two firewalls, one behind FW-1, VPNs are much more difficult. Imagining we are 
going to have our VPN endpoint at the first firewall, for access to simple things like 
NT shares, not to mention applications like Outlook, you have to open up multiple 
ports to multiple servers on the internal firewall. In this instance it is hardly 
worth having the second firewall there if you are going to open up so many ports to 
the internal network. Better to have one port and GRE open to one server after the SR 
connection is made. This will also simplify admin for resources since the RAS server 
is allocating IPs, and handling access to the internal network resources.
 
It seems the only problem is getting it to work consistently.......
 
Regards
JP

-----Original Message-----
From: Aylton Souza, CISSP [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 7:34 AM
To: Jean-Pierre Harvey; 'Wehmeier, Andreas'; Fw-1-Mailinglist (E-mail)
Subject: Re: [FW1] PPTP thru SecuRemote ...?


Hi Jean Pierre.
 
Hm.. I understand, but on the other hand it increases the TCO and related management 
in a way that the payoff is questionable.
 
Maybe a good combination of strong VPN/FW (as VPN-1 is) and good authentication (as 
certificates / SecurID) could make it better, considering the administration point of 
view...
 
Suggestions and thoughts welcome...
 
