VPN pass thru benefits?

hey guys
we have some vpns setup at work that are fwl vpn passthru and some not. but
the benefit of vpn passthru is ACL filtering (limiting what the vpn can do?)
but I am confused because the vpn is established thru the fwl but I am confused because how can a vpn be allow thru a fwl and be a IPSEC tunnel? I guess I
do not understand having a vpn hit your dmz an dthe go thru a asa 5510 and then
come out thru the vpn device and then have a lan side in a vpn? huh?

Find more posts tagged with

Comments

instant000

itdaddy wrote: »

hey guys
we have some vpns setup at work that are fwl vpn passthru and some not. but
the benefit of vpn passthru is ACL filtering (limiting what the vpn can do?)
but I am confused because the vpn is established thru the fwl but I am confused because how can a vpn be allow thru a fwl and be a IPSEC tunnel? I guess I
do not understand having a vpn hit your dmz an dthe go thru a asa 5510 and then
come out thru the vpn device and then have a lan side in a vpn? huh?

Good evening.

I believe you asked this question before. I'm of the mindset that the VPN should be terminated outside the firewall. One of the main reasons I've seen people use for making VPNs go through firewalls is laziness. (They don't want to worry about filtering the traffic based upon all the ports and networks that the apps may need to work properly.) It also makes you less secure, as all that encrypted traffic is most definitely not inspected by the firewall. If you ever sniff that traffic, it should look like gibberish, which means that your firewall won't be able to inspect it.

There is a balancing act.

I believe Donahue said you could always get two out of three:
1. Cheap
2. Working
3. Secure

It seems that your setup has chosen 1 and 2. (Note that cheap doesn't necessarily mean just money, it could also mean time, and time costs money, too!)

Since I've commented on this topic before, and voiced my opinion before, I don't want to sound like I'm beating you down about this. If you have specific questions about my response that you don't understand, please ask them. (Maybe I misunderstood you, for example, and am way off base.)

Hope this helps!

Bl8ckr0uter

I agree with instant. Unless there is a technical capability that is holding you back, terminate your vpn's at the firewall. Unless it is a SSLVPN to any cisco device. Then I would say stay the hell away from WebVPN POS trash. OMG it is awful.

itdaddy

instant000
yeah dude I did ask this before but I could not find the thread. hahah sorry if I sound like a moron I am really not haha
I am just learning so much stuff right now.. yeah the previous engineer made 2 contexts Internt, admin of course, and Private
and has vpns going thru the firewall and I got to thinking why? and thanks for your response....sorry for asking too many times
but sometimes I lose it hhhahaha LOL but thanks for you words of wisdome..(TRUE)

itdaddy

Then I would say stay the hell away from WebVPN POS trash. OMG it is awful.

haahha omg is that funny I will bud ahah