On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> With the following firewall configuration, what recommendations does
> anyone have for how we should handle VPN? I see two solutions:
>   1. Forward ipsec from FIREWALL 1 to FIREWALL 2 with isakmpd running
>      on FIREWALL 2.
>   2. Run isakmpd on FIREWALL 1 and nat the traffic from the VPN
>      network to FIREWALL 2.
> 
> I like method #2 because it doesn't allow direct access to isakmpd
> from the Internet.
> 
>                   -----------------
>                  |     INTERNET    |
>                   --------o--------
>                           |
>                           |
>               ------------o------------ 
>              |                         |(dmz)
>     +--------o        FIREWALL 1       o-----
>     |        |                         |
>     |         -------------------------
>     |
>     |
>     |         -------------------------
>     |        |                         |
>     +--------o        FIREWALL 2       |
>              |                         |
>               -------------------------
>                               |(internal network)

I'd just run isakmpd on FW1, especially if the VPN is mostly used to
access the internal network.

If there happens to be a big bug in isakmpd, you only expose the DMZ;
and if you misconfigure the firewall, which is a lot more likely, you
only expose the DMZ.

Of course, if server A is only reachable internally and via VPN, FW2
must still trust FW1 to only feed it connections to server A that are
actually initiated by a VPN client. FW2 doing a second layer of
filtering seems to be the main point of the setup, so handle that.

You won't be able to do any reasonable filtering on isakmpd anyway.

                Joachim
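One way to write the pf rules for the layout Joachim recommends (isakmpd on FW1, method #2 with NAT toward FW2), added here as an illustration that is not part of the thread. Interface names, the 10.0.0.0/30 FW1-FW2 link, the VPN and internal address ranges and the address of server A are all assumptions, and the `nat on` form is the pre-OpenBSD 4.7 syntax in use when this was written.

```pf
# --- FW1 (pf.conf) -- isakmpd runs here; assumed names and addresses ---
ext_if   = "em0"            # Internet
fw2_if   = "em2"            # link to FIREWALL 2 (FW1 = 10.0.0.1, FW2 = 10.0.0.2)
vpn_net  = "10.10.0.0/24"   # addresses handed to VPN clients
internal = "192.168.0.0/24"
server_a = "192.168.0.10"

# Method #2: decrypted VPN traffic leaves toward FW2 with FW1's link
# address as source, so FW2 never sees the client addresses.
nat on $fw2_if from $vpn_net to $internal -> ($fw2_if)

block in all
block out all

# Only IKE (UDP 500 / NAT-T 4500) and ESP may reach the firewall itself
# from the Internet; this is the whole exposure of isakmpd.
pass in  on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass in  on $ext_if proto esp from any to ($ext_if)
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any

# Decrypted packets reappear on enc0 (tunnel mode: the ipencap outer
# header first, then the inner packet). Allow VPN clients only toward
# server A; everything else decrypted is dropped by the block above.
pass in  on enc0 proto ipencap from any to ($ext_if) keep state (if-bound)
pass out on enc0 proto ipencap from ($ext_if) to any keep state (if-bound)
pass in  on enc0 from $vpn_net to $server_a keep state (if-bound)
pass out on enc0 from $server_a to $vpn_net keep state (if-bound)

# Hand the (now NATed) connections to FW2
pass out on $fw2_if to $server_a keep state

# --- FW2 (pf.conf) -- second layer of filtering ---
fw1_if   = "em0"            # link to FIREWALL 1
fw1_addr = "10.0.0.1"       # all VPN traffic arrives NATed to this address
int_if   = "em1"
server_a = "192.168.0.10"

block in all
# FW2 cannot tell a VPN client from anything else FW1 forwards with
# source 10.0.0.1; it can only confine that source to server A. This is
# the trust in FW1 the reply above points out.
pass in  on $fw1_if from $fw1_addr to $server_a keep state
pass out on $int_if from $fw1_addr to $server_a keep state
```

Check the result on each box with `pfctl -nf /etc/pf.conf` before loading; the rules assume the default last-matching-rule semantics, so the `block` lines must stay above the `pass` lines.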
