Placing a Firewall and VPN Gateway

Hey thanks sidd 4 Ur offer
I'm brand new beginner in networking. need some advice here.. that's why firewall.cx rocxxx!! thanks dude to for this site

i'm doin my school thesis about VPN. my question is where is actually the best and the most commonly used method to place the firewall and VPN gateway?
should the firewall come be4 the VPN, after the VPN, or together in a machine?
thx alot

First of all, you need to understand that a VPN is a secure entry into your private network. It makes your computer (or your private network) part of another private network - as if you were physically part of the network (where you would be behind the firewall - hopefully). Your virtual connection is equivalent to a physical connection.

You can put the VPN endpoint before, after or parallel to the firewall, with pros and cons to each. The most common is parallel or behind the firewall. This may require some changes to firewall to handle the VPN traffic.

You can also use a router or firewall that has VPN on it - which would be the easier way to configure (but not necessarily the best way as it would require more processing for the device).

Many ways to skin a cat.

Just remember that you are allowing someone from the outside, whether a client-to-Lan or a Lan-to-Lan style VPN. This can be very dangerous if you cannot depend on the other side of the tunnel being secure. It is possible to attack your system from the system on the other end through the secure pipe (as it is now acting as if it already on your network). This could be a problem, because if you assume you are secure you may drop your guard on protecting yourself. I had this problem myself where our system was secure until we were bought out by another company and they VPN’d their system to ours and we got hit by the Code Red, Code Red II and Nimbda. They all came from the new company, who had been infected, straight through the firewall. If you don’t think that was a lot of fun ….

If you are writing a thesis about VPNs, here are some articles that might help.

IP VPN Services
www.networkmagazine.com/shared/article/s...ml?articleID=8703357

What is a Virtual Private Network
www.networkmagazine.com/shared/article/s...ml?articleID=8706528

VPN Vulnerabilities
www.networkmagazine.com/shared/article/s...ml?articleID=8703359

This is an interesting article about the Sapphire Worm (Slapper), that caused such a ruckus just lately, and how it could go right through the VPN and cause a little havoc.

www.networkmagazine.com/shared/article/s...ml?articleID=8703534

Hope this helps,

Tom.

To ease administration using the firewall as the VPN endpoint can be a good idea, alot of application level firewalls have built in VPN support, for example CheckPoint Firewall-1 has native VPN support, so if you were using that as a firewall, then it might make sense to use it as a VPN termination point as well.

There are many VPN configurations, I recommend you follow all Tom's links and read up on them as these days VPN's are the hot networking buzzword


Sahir

Hey ice_hero I noticed you said your doing your school thesis on VPN, are you writing a paper? What school? I was just wondering because I here for your masters you have to write a thesis on your major topic or something like that. I was just wondering. Now that I think of it, its alot better to write a paper on VPN's or networking and creating a thesis on that then the stuff they give you saying compare and contrast uhhhh political issues blah blah...lol :lol: But private message me and tell me about yourself. Im always lookin for new puter gEEks online. I was just tellin Admin that its hard to find true puter gEEks anymore. If anybody else wants to share some puter knowledge, private message me. l8er l33t 0nes!!

ZiPPy

thanks to all of you guys.. that was helpful :lol:
zippy: it's not really a school thesis to be precise. it's more to an assignment both theory and practical.
anyway I'm doin it 4 a personal learning also

Hey Icehero,

Let me know if you would consider publishing your findings on the site, as there are plans to create a section where our members can publish their material in order to share it with everyone else.

Before we proceed with it thought, we want to see how many people would be interested in sharing articles and other work they have done.