Re: Site to Site IPSec Tunnel

From: Eric D. Thiel (ccierslab@onefishtwofish.org)
Date: Wed Oct 02 2002 - 02:39:51 GMT-3


My take on this is that I will always avoid terminating VPNs on the border
router. The reason is that you then allow access in through the PIX based on
the assumption that it is coming through the VPN tunnel. However, if someone
is able to get packets to the PIX that APPEAR to be from the tunnel, they
get into the network.

For example, if your VPN tunnel users show up as 10.10.10.0/24, then you
will probably add a rule to the PIX to allow 10.10.10.0 to talk to your
internal subnets. However, the PIX is assuming that any traffic from
10.10.10.0 hosts was successfully validated by the VPN router. If someone is
able to break the router somehow, they don't need to break through your
firewall. You've already opened it up for them. Since security is only as
strong as its weakest link, I always try to use my most secure devices for
important functions.

As for limiting traffic by limiting your crypto access list, you should
really use inbound ACLs instead. I found this page:
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.htm that
says:
"You might consider using the cryptographic ACLs for rudimentary network
security access control, but Cisco does not recommend this scenario because
it complicates the configuration significantly. Rather, you should use
inbound ACLs on the VPN devices for site-to-site traffic"

Eric

----- Original Message -----
From: "Larson, Chris" <CLarson@usaid.gov>
To: "'Armand D'" <ciscoworks2001@yahoo.com>; <ccielab@groupstudy.com>
Sent: Tuesday, October 01, 2002 8:56 AM
Subject: RE: Site to Site IPSec Tunnel

> A lot of this depends on what you are trying to protect and who is using the
> tunnel. If you do a tunnel from PIX to PIX and it is subnet based then the
> users of the tunnel are not subject to the rules of the firewall. You can
> create your crypto access-list to be more specific and base the tunnels on
> host and even down to host and port. This provides more security but it still
> does not subject the tunnel users to any of the firewall policies (except
> those required to make the tunnel).
>
> If you want VPN users to be subject to firewall policy then I would do it
> from the routers, that is if the traffic and keying is not overwhelming to
> the perimeter routers resources. You can then still subject these users to
> firewall policy.
>
>
> > -----Original Message-----
> > From: Armand D [SMTP:ciscoworks2001@yahoo.com]
> > Sent: Tuesday, October 01, 2002 11:06 AM
> > To: ccielab@groupstudy.com
> > Subject: Site to Site IPSec Tunnel
> >
> > Hi,
> >
> > I'm wondering if anyone has any suggestions on which
> > configuration is preferred when running a simple vpn
> > tunnel over the public Internet using IPSec. Medium
> > traffic over the tunnel.
> >
> > In my configuration I have two routers and two PIXs. I
> > know it can be done from router to router or from PIX
> > to PIX. Which one is preferred and why ?
> >
> >
> > PIX 515---2620-------isp--------2620-----PIX 520
> >
> >
> > Any feedback would be appreciated.
> >
> > Armand
> >
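The split Eric and the quoted SAFE paper describe, with the crypto ACL deciding only what gets encrypted and an inbound ACL carrying the real access policy, as an added IOS configuration example for one of the 2620s that is not part of any message in this thread. All addresses, names and the key are constructed placeholders (local LAN 10.10.10.0/24, remote LAN 10.20.20.0/24, peer 203.0.113.2, outside address 198.51.100.2), and it assumes the IOS behaviour of that era where the outside interface's inbound ACL is evaluated again against decrypted packets.

```cisco
! Added example, not from the thread. Addresses and key are placeholders.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL: decides only WHAT is encrypted (subnet to subnet).
! Kept deliberately broad, as the SAFE paper quoted above recommends.
! IOS also drops inbound cleartext packets that match this ACL but are
! not IPsec-protected, so a packet merely claiming to be 10.20.20.x
! cannot walk in unencrypted.
ip access-list extended CRYPTO-S2S
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
!
crypto map S2S 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-S2S
!
! Inbound ACL on the outside interface: the actual access policy.
!  1) the tunnel itself (IKE and ESP), from the configured peer only
!  2) decrypted remote traffic, restricted to the hosts/ports it needs
!     (assumption: this ACL is re-evaluated after decryption)
!  3) everything else logged and dropped
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.2
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.25 eq smtp
 permit tcp 10.20.20.0 0.0.0.255 host 10.10.10.10 eq 1433
 permit icmp 10.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside / ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map S2S
```

The PIX behind this router still sees only cleartext from 10.20.20.0/24 and has no way to tell tunnel traffic from anything else, which is exactly the trust Eric is cautious about, so the router's inbound ACL and the PIX rule for that subnet should agree rather than the PIX opening more than the router passes.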



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:36 GMT-3