On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> With the following firewall configuration, what recommendations does
> anyone have for how we should handle VPN? I see two solutions:
> 1. Forward ipsec from FIREWALL 1 to FIREWALL 2 with isakmpd running
> on FIREWALL 2.
> 2. Run isakmpd on FIREWALL 1 and nat the traffic from the VPN
> network to FIREWALL 2.
>
> I like method #2 because it doesn't allow direct access to isakmpd
> from the Internet.
>
>              -----------------
>              |   INTERNET    |
>              --------o--------
>                      |
>                      |
>          ------------o------------
>          |                       |(dmz)
> +--------o FIREWALL 1            o-----
> |        |                       |
> |        -------------------------
> |
> |
> |        -------------------------
> |        |                       |
> +--------o FIREWALL 2            |
>          |                       |
>          -------------------------
>                      |(internal network)

I'd just run isakmpd on FW1, especially if the VPN is mostly used to
access the internal network.

If there happens to be a big bug in isakmpd, you only expose the DMZ;
and if you misconfigure the firewall, which is a lot more likely, you
only expose the DMZ.

Of course, if server A is only reachable internally and via VPN, FW2
must still trust FW1 to only feed it connections to server A that are
actually initiated by a VPN client. FW2 doing a second layer of
filtering seems to be the main point of the setup, so handle that.
You won't be able to do any reasonable filtering on isakmpd anyway.

Joachim
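As an added illustration (not part of the original thread, and not anyone's
actual configuration), here is what Joachim's recommendation looks like as
pf.conf fragments for both firewalls: isakmpd terminates the tunnel on FW1,
and FW2 applies a second, address-only filter. Interface names, the VPN
client pool 10.99.0.0/24 and the server A address 192.168.10.10 are
placeholders I have assumed; the isakmpd flow/certificate setup is not
shown. Explicit "keep state" is written out because the OpenBSD release
current at the time did not make it the default.

```pf
# ---- FIREWALL 1 (/etc/pf.conf) -- assumed example, placeholder addresses ----
ext_if   = "em0"            # Internet
dmz_if   = "em1"            # DMZ
int_if   = "em2"            # link towards FIREWALL 2
vpn_pool = "10.99.0.0/24"   # addresses VPN clients use inside the tunnel
server_a = "192.168.10.10"  # host on the internal network, VPN-only

set skip on lo
block all

# The only thing the Internet may talk to on FW1 itself is isakmpd:
# IKE (udp/500, udp/4500 for NAT-T) and the ESP payloads it negotiates.
pass in on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass in on $ext_if proto esp from any to ($ext_if)

# Joachim's trust point: FW2 can only filter on source address, so FW1
# must guarantee that $vpn_pool sources only ever come out of the tunnel.
# Drop anything claiming a VPN-pool address on the cleartext interfaces.
block in quick on { $ext_if, $dmz_if } from $vpn_pool to any

# Decrypted tunnel traffic appears on enc0. (On some releases tunnel-mode
# packets are first seen as proto ipencap on enc0; that rule is an
# assumption, harmless if unused.)
pass in on enc0 proto ipencap from any to ($ext_if) keep state
pass in on enc0 from $vpn_pool to $server_a keep state

# Forward only VPN-pool -> server A towards FW2; nothing else crosses.
pass out on $int_if from $vpn_pool to $server_a keep state

# ---- FIREWALL 2 (/etc/pf.conf) -- assumed example, placeholder addresses ----
# up_if    = "em0"            # link from FIREWALL 1
# int_if   = "em1"            # internal network
# vpn_pool = "10.99.0.0/24"
# server_a = "192.168.10.10"
# int_net  = "192.168.10.0/24"
#
# set skip on lo
# block all
#
# # Second layer: even if FW1 is misconfigured, only VPN-pool sources reach
# # server A, and only server A. FW1 is trusted for nothing more than that.
# block in quick on $up_if from $int_net to any            # anti-spoof
# pass in  on $up_if  from $vpn_pool to $server_a keep state
# pass out on $int_if from $vpn_pool to $server_a keep state
```

The FW2 half is commented out only so the whole thing is one file to read;
on a real box each half is that firewall's own /etc/pf.conf. The division
of labour matches the reply above: isakmpd and ESP are exposed only on FW1,
and nothing on FW2 needs to understand IKE at all, which is why "reasonable
filtering on isakmpd" never has to happen there.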