On Sun, 26 Nov 2000, Kenneth E. Lussier wrote:

To weigh in with my 2 cents worth (which, in today's dollars is
probably about .5 cents):
I would keep the two boxes (firewall & VPN) separate, no matter what
power you have in the box.  Why?  Because it makes verification easier
- which means you get better security.  With a combined system, you
have to verify the firewall code, the VPN code, the interaction
between them, etc, etc.  The more permutations you have to worry
about, the more likely something will be wrong.

On the other hand, with separate servers, I can verify the firewall
rules, verify the VPN rules, and I have a known, clean interface
between them (passing of IP packets between two boxes).  

Firewalls should be used as firewalls, everything else is on servers
in the DMZ, with a second firewall between the DMZ and the company.  

For what it's worth, in the Orange Book levels, the difference between
B levels & A level is not features - it's mathematical verification of
the security.  Don't make your equations any more complex than you
have to (Keep it Simple, Stupid, as they taught us in Engineering).

jeff

> "Derek D. Martin" wrote:
> 
> > Also, in the context of the original poster's message, does this make
> > any sense?  I'm still not really sure what Ferenc wanted to do either,
> > but from the sounds of it he just wanted to connect one network to the
> > outside world (either to the internet via NAT firewall, or perhaps to
> > a corporate VPN).  We're probably not talking about anything even
> > close to the level of activity you're describing, and you yourself
> > told me that a single P75 would perform acceptably both as a firewall
> > and as the endpoint of a single VPN tunnel.
> 
> I'll do this in reverse order:
> 
> Yes, a P75 would perform just fine as a firewall and VPN gateway for
> you. On *YOUR* end. However, that P75 is *NOT* acting as a corporate
> firewall. Nor is it handling a large amount of traffic. It also isn't
> handling multiple tunnels. 
> 
> As for does this make sense, yes, it does. The question was how to
> connect a system to a corporate firewall, and FreeS/WAN was an example
> given. There are always two ends to the VPN tunnel. On the end users
> side, there really aren't too many things to worry about as far as
> system hardware. On the corporate side, however, there are a lot of
> things that need to be considered. Especially what to do if it doesn't
> "Just Work"(TM) and the firewall goes down. 
> 


-----------------------------------------------------------------------
Jeffry Smith      Technical Sales Consultant     Mission Critical Linux
[EMAIL PROTECTED]   phone:603.930.9739 fax:978.446.9470
------------------------------------------------------------------------
Thought for today:  Full Monty n. 

 See monty, sense 2.
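The layout Jeff describes, firewall boxes that only filter, the VPN gateway as a server in the DMZ, and a second firewall between the DMZ and the company, can be checked one rule set at a time and then composed along the path a packet takes. As an added example (not code from this thread or from any of the posters), here is a small first-match packet-filter model in Python; the addresses, ports, rule sets and the expected-policy table are all constructed for illustration, and the model evaluates each firewall on its own before composing the two:

```python
"""Added example, not from the mailing-list thread: a first-match packet
filter model for the two-firewall DMZ layout.  All addresses, ports and
rule sets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "esp"
    dport: Optional[int] = None  # None for protocols without ports (ESP)

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """One box, one rule set: first match wins, unmatched flows are dropped."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"

# Constructed zones: a documentation range for the DMZ, RFC 1918 for the LAN.
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
LAN = "10.0.0.0/8"
VPN_GW = "192.0.2.10/32"   # the VPN endpoint is a DMZ server, not a firewall

# Outer firewall: only IKE and ESP to the VPN gateway come in from outside.
OUTER_FW = [
    Rule("allow", ANY, VPN_GW, "udp", 500),   # IKE
    Rule("allow", ANY, VPN_GW, "esp"),        # IPsec ESP
    Rule("deny",  ANY, LAN),                  # nothing straight into the company
    Rule("deny",  ANY, DMZ),                  # nothing else into the DMZ
    Rule("allow", DMZ, ANY),
    Rule("allow", LAN, ANY),
]
# Inner firewall: the DMZ gets one narrow path into the company.
INNER_FW = [
    Rule("allow", VPN_GW, LAN, "tcp", 22),    # decrypted VPN traffic, SSH only
    Rule("deny",  DMZ, LAN),                  # every other DMZ host is blocked
    Rule("allow", LAN, ANY),
]
FIREWALLS = {"outer": OUTER_FW, "inner": INNER_FW}

def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in ip_network(DMZ):
        return "dmz"
    if a in ip_network(LAN):
        return "lan"
    return "internet"

# The clean interface between the boxes: which firewalls a flow crosses, in order.
PATH = {
    ("internet", "dmz"): ["outer"], ("internet", "lan"): ["outer", "inner"],
    ("dmz", "internet"): ["outer"], ("dmz", "lan"): ["inner"],
    ("lan", "dmz"): ["inner"],      ("lan", "internet"): ["inner", "outer"],
}

def end_to_end(flow: Flow) -> Tuple[str, Optional[str]]:
    """Compose the boxes: a flow passes only if every firewall on its path
    allows it.  Returns the verdict and the box that dropped it, if any."""
    for name in PATH.get((zone(flow.src), zone(flow.dst)), []):
        if evaluate(FIREWALLS[name], flow) == "deny":
            return "deny", name
    return "allow", None

# Constructed expectations: the policy the two boxes together must enforce.
EXPECTED = [
    (Flow("198.51.100.7", "192.0.2.10", "udp", 500), "allow"),  # IKE to the gateway
    (Flow("198.51.100.7", "192.0.2.10", "esp"), "allow"),       # ESP to the gateway
    (Flow("198.51.100.7", "10.1.2.3", "tcp", 22), "deny"),      # outside straight to LAN
    (Flow("198.51.100.7", "192.0.2.20", "tcp", 80), "deny"),    # other DMZ host from outside
    (Flow("192.0.2.10", "10.1.2.3", "tcp", 22), "allow"),       # gateway to LAN over SSH
    (Flow("192.0.2.10", "10.1.2.3", "tcp", 445), "deny"),       # gateway to LAN, other port
    (Flow("192.0.2.20", "10.1.2.3", "tcp", 22), "deny"),        # a different DMZ host
    (Flow("10.1.2.3", "198.51.100.7", "tcp", 443), "allow"),    # LAN out to the Internet
]

def policy_mismatches() -> List[Tuple[Flow, str, str]]:
    """Every expectation the composed rule sets fail to meet (empty = verified)."""
    return [(f, want, end_to_end(f)[0])
            for f, want in EXPECTED if end_to_end(f)[0] != want]

if __name__ == "__main__":
    for f, want in EXPECTED:
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport}: {end_to_end(f)}")
    print("mismatches:", policy_mismatches())
```

Each rule set is verified on its own with `evaluate`, and `end_to_end` composes them only through the packet path, which is the point of keeping the boxes separate: a mistake in the inner firewall shows up as a `("deny", "inner")` or an unexpected allow in `policy_mismatches()`, without the VPN code being part of what has to be reasoned about.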