Trusted IPsec Topology

Figures 10-22 and 10-23 show two variations of a topology in which the IPsec VPN is trusted and granted parity with internal users or privately connected WAN links. In both designs, site-to-site and remote user VPNs terminate on the same gateway device, which is not appropriate in larger networks.

Figure 10-22. Trusted IPsec Topology

Figure 10-23. Trusted IPsec Topology (alternative)

As you can see, these are two variations on the same theme. In Figure 10-22, traffic to the IPsec gateway is forwarded by the WAN router after passing an ACL check ensuring that the traffic is IPsec. Remember that if you are using UDP or TCP encapsulation to allow remote users to cross a NAT device, you must allow this traffic in addition to IKE (UDP 500) and ESP (IP 50). After authentication and decryption, the traffic is passed directly to the internal network without upper-layer filtering.

Figure 10-23 changes this only slightly by routing the IPsec traffic from a dedicated interface on the firewall to the internal network. Either design fulfills the connectivity goal. The firewall doesn't provide any added security. Because the traffic is encrypted, there is no real value the firewall can provide that an ACL can't, save one: to detect attacks against the VPN gateways, you can audit the access control logging information. By filtering at the firewall, this data can be collected without having to view the information from another source. Still, you should audit the information from the WAN router anyway (for other security events), so this benefit is marginal.
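The WAN router ACL described above, written out as an added Cisco IOS example (it is not from the book). The gateway address 198.51.100.10, the interface name, and the TCP encapsulation port 10000 (the Cisco VPN client default) are assumptions; the ACL permits only IPsec control and data traffic to the gateway, including the NAT-T and TCP-encapsulated forms remote users behind NAT need, and logs everything else so the router's ACL log can be audited.

```cisco
! Assumed addressing (not from the book): 198.51.100.10 is the IPsec gateway's
! outside address. The ACL is applied inbound on the WAN router's Internet-facing
! interface so that only IPsec traffic can reach the gateway.
ip access-list extended IPSEC-GW-IN
 remark IKE (ISAKMP) negotiation, UDP/500
 permit udp any host 198.51.100.10 eq isakmp
 remark ESP, IP protocol 50
 permit esp any host 198.51.100.10
 remark NAT-T: IKE and ESP encapsulated in UDP/4500 for remote users behind NAT
 permit udp any host 198.51.100.10 eq non500-isakmp
 remark Cisco TCP encapsulation for remote users behind NAT (assumed port 10000,
 remark the client default); remove this line if TCP encapsulation is not enabled
 permit tcp any host 198.51.100.10 eq 10000
 remark Anything else aimed at the gateway is dropped and logged for auditing
 deny ip any host 198.51.100.10 log
 remark Rules for other traffic crossing this interface (to the firewall, etc.)
 remark follow here; the implicit deny at the end drops the rest
!
interface Serial0/0
 description WAN link toward the Internet (assumed interface name)
 ip access-group IPSEC-GW-IN in
```

The `log` keyword on the deny line is what produces the access control logging information the text suggests auditing to spot attacks against the gateway; the same logic applies unchanged to the dedicated firewall interface in Figure 10-23.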
