
Which one is a better design?

cisco24x7
Level 6

Objective: provide site-to-site VPN, remote access VPN, and protect the server farm.

Which is a better design? I feel much more comfortable having the VPN concentrator protected by the firewall; however, at the same time, both encrypted and decrypted traffic will have to traverse the firewall twice, which may impact firewall performance.

I prefer design_2 but I would like to get comments from the security gurus in this forum. Thanks.

3 Replies

palomoj
Level 1

Both designs are good since you are enforcing security for the VPN3K before it hits the internal network. I have seen too many implementations where the VPN3K private interface sits directly on the internal network without passing through a firewall interface. Design 2 is the best since the firewall enforces security on both the public and private interfaces. If you're worried about performance, upgrade to a more robust model of the Checkpoint.

My 2 cents :)

richf
Level 1

If you have a router on the outside of the Concentrator with good ACLs, then I would stick to design 1. I don't think you will really benefit from any added security from the Checkpoint in this case.

Kudos to having the inside interface connected through the firewall.

Jon Marshall
Hall of Fame

Hi

I would go with design 1.

If you would like to protect the outside interface of the VPN3K, then you could add some ACL lines to only allow IPsec/PPTP/L2TP (you pick) to the outside interface of your VPN3K.

One plus point to having the VPN3K alongside the firewall rather than behind it is that you do not have to worry about NAT issues, which can present problems with IPsec.

Key thing as pointed out already is that your private interface is filtered by the firewall before the traffic enters your internal LAN.

Jon
