VPN 3000 Concentrator Placement

jonlsmith · ‎10-10-2001

Cisco documentation shows the Concentrator sitting on the Internet side going around the Firewall and then connecting directly into the private network.

Is this a sound approach? Of course our Security person thinks it should go through two(2) firewalls. One between the internet and the public interface on the 3000 Conectrator, then one between the private and the internal network. Is this just way to much over kill?

I can almost understand the FW between the Internet and the public interface, let it deal with hack attempts, but the internal FW just seems overkill.

travis-dennis_2 · ‎10-10-2001

For my network I have a T1 coming into a 3640 router, coming out of the router into a 1548 MicroSwitch, then from the switch I have a connection to the Concentrator and another to a firewall. I feel middle of the road about the direct connection to the internet but not overly exposed. I am however adding an additional security measure that all users have a token for another level of authentication. Once I have this in place I will be somewhat content as you should never stop thinking about improving security. You have to temper budget with needs and arrive at a level of protection that your pencil pushers and you feel ok with. I have found a properly configured router will do a lot to keep out hackers, then the firewall and concentrator do their part as well. Keep in mind that on the Concentrator users will need to have the group name and password as well as their network password to auuthenticate.

jonlsmith · ‎10-11-2001

We currently have a 2600 with some Access-lists running as well. Looking to upgrade this to a 3600 with intrusion detection running in the near future.

We will also be using Secureid Tokens for authentication.

Does the MicroSwitch do some FW also, or is it just a Ethernet switch?

So it sounds like, we should be able to follow the Cisco recomendation, but that the FW on the public side would not necessarily be a bad thing.

travis-dennis_2 · ‎10-11-2001

The switch is just a switch as far as I know but may have some port bloacking abilities like the 3600's. I think the Cisco diagram is fairly sound. The tokens we are using are the digipass from www.vasco.com. Choose them over RSA because they have a software token that works on the PocketPC. My users have wireless VPN access through Pocket PC's and balk at carrying addition equipment. They have to now remember 2 passwords instead of one so if the device gets stolen no one can get in. Just like the hardware token but nothing more to carry around. I just got in Cisco ACS 2.6 and found out that it won't work with w2k Svc Pack 2, only Pack 1. I ust spent all night upgrading our domain from NT 4 to 2000. Version 3 of ACS will support Svc Pack 2 though but it wont be out till November. Good luck and keep it safe!