Figure 10-26. Semitrusted IPsec Topology, Integrated Firewall

[Figure labels: Remote User IPsec; IPsec Gateway with Integrated Stateful Firewall; ACLs Stop All Non-IPsec Traffic to Gateway; Postdecryption Filtering at L3-L7; Optional NIDS]

Figure 10-24 shows the main difference in the semitrusted topology when compared to trusted: traffic is firewall after decryption. This allows you to define the applications that can be run by remote IPsec conr way that you can restrict the access for Internet users into your private network.

One policy around this limited access might provide only web and e-mail but not SSH or Telnet. For mos however, this level of restriction is not appropriate for the general user population. For remote access, y denying specific applications dictated by your policy and then permitting everything else.

In addition to providing restrictions on applications and services, the firewall acts as an audit point as w enforcement point for NIDS. By logging access at the firewall, you can have consistent access records o communications initiated by your remote users. As discussed in Chapter 7, NIDS has particular issues w a security violation through TCP resets or shunning. These issues are lessened when run against your in Accidentally blocking an employee who triggered a NIDS alarm is a lot less costly than accidentally bloc! customer.
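The two filtering points described above, written out as a Cisco IOS-style configuration. This is an added example, not a configuration from the book: the gateway address 203.0.113.10, the remote-user address pool 10.20.0.0/16, and the interface names are constructed for illustration.

```cisco
! Constructed example: gateway public address 203.0.113.10, VPN pool 10.20.0.0/16
!
! 1. Internet-facing ACL on the IPsec gateway: only IPsec traffic may reach
!    the gateway itself (IKE, NAT-T, ESP); everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface of the IPsec gateway
 ip access-group OUTSIDE-IN in
!
! 2. Postdecryption policy on the firewall interface that faces the gateway:
!    deny the specific applications the policy forbids (here SSH and Telnet)
!    and permit everything else. Logging the permits gives the consistent
!    access records for remote-user sessions that the text refers to.
ip access-list extended VPN-POSTDECRYPT
 deny   tcp 10.20.0.0 0.0.255.255 any eq 22 log
 deny   tcp 10.20.0.0 0.0.255.255 any eq telnet log
 permit ip 10.20.0.0 0.0.255.255 any log
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Firewall interface facing the IPsec gateway (decrypted traffic)
 ip access-group VPN-POSTDECRYPT in
```

The final deny in VPN-POSTDECRYPT also catches any decrypted traffic that is not sourced from the assigned remote-user pool, which is worth alerting on rather than silently dropping.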

Figure 10-25 shows the same design modified to allow all traffic to flow into and out of two interfaces or You might prefer this design to the one in Figure 10-24 for the same reasons you might prefer the desk the one in Figure 10-22.

The design in Figure 10-26 differs because the firewall functionality is integrated into the IPsec gateway easy to configure and manage, this can be an attractive alternative to using the corporate firewall for VI cases, though, you must firewall more than just IPsec traffic from remote users. You might have traditio additional VPN devices, or WAN connections. In these cases, it is more appropriate to use a dedicated fi all of these remote access methods, as shown in Figure 10-27.

Figure 10-27. Centralized Remote Access Firewall

This kind of a design is further discussed in Chapter 13.
