Currently our COntivity 2700 is running parallel to our PIX FW. The 2700 accepts both BoTs and remote user tunnels. I was not involved in the initial design of the VPN setup and was just wondering if it would be more secure to have the Contivity sit behind our FW instead. Of course then I would have to open up IPSEC through the FW and that might add a security hole there. What are everyone's thoughts on this? Behind FW or parallel to FW? Thanks.
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Contivity behind firewall?
- Thread starter AyrishGrl
- Start date
- Thread starter
- #4
Of course this is assuming you have another IP address you can use.
In fact we use our Contivity as a backup router for some of our services (MX2 record, dns2 record). This way if the primary FW goes down we can fail over to the contivity and not lose services.
In fact we use our Contivity as a backup router for some of our services (MX2 record, dns2 record). This way if the primary FW goes down we can fail over to the contivity and not lose services.
In this scenario there are 2 separate risks that (arguably) warrant mitigation: 1) bad stuff e.g. virus that comes through with the [encrypted] vpn payload; and 2) anything else that might be trying to compromise the external interface of the contivity (syndos, cleartext, etc.).
You cannot do anything about #1 until after decryption has taken place which has been a general argument for placing FW behind VPN appliance. I don't know how parallel FW would handle this. However, that leaves nothing in place for #2 unless a second FW/IDS appliance implemented in Front of the contivity. If practical circumstances (like budget) won't allow for multiple devices, then it falls to making a call as to which of the risks seem more significant to the situation.
You cannot do anything about #1 until after decryption has taken place which has been a general argument for placing FW behind VPN appliance. I don't know how parallel FW would handle this. However, that leaves nothing in place for #2 unless a second FW/IDS appliance implemented in Front of the contivity. If practical circumstances (like budget) won't allow for multiple devices, then it falls to making a call as to which of the risks seem more significant to the situation.
There's something you haven't mentioned. Are you running the Contivity Firewall (either Stateful or Interface Filters?). If not, then the Contivity will NOT pass traffic between interfaces - the only thing it will do is Tunneling. It will be vulnerable to DoS attacks and the like, but as for penetration, you're pretty safe.
ETWatson brings up a good point that you will not be safe from problems that originate at the other end of the tunnel (your users or the "Branch Offices"), but you can set things up more safely by using TunnelGuard. Definitely look into that if you think that there could be problems on the users end.
One of the best reasons FOR running it in parallel is that you will eliminate one of the most common problems with tunnels failing to come up - firewalls. You will also maintain a better bandwidth state - your firewall handles some traffic, your Contivity handles VPN traffic.
ETWatson brings up a good point that you will not be safe from problems that originate at the other end of the tunnel (your users or the "Branch Offices"), but you can set things up more safely by using TunnelGuard. Definitely look into that if you think that there could be problems on the users end.
One of the best reasons FOR running it in parallel is that you will eliminate one of the most common problems with tunnels failing to come up - firewalls. You will also maintain a better bandwidth state - your firewall handles some traffic, your Contivity handles VPN traffic.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question