cIPro-DMZ: More VPN for Your Dollar

By Mike Fratto
If one VPN (virtual private network) is something to stand up and cheer about, then two VPNs must be even better. That's the premise behind RADGUARD's cIPro-DMZ, new hardware that consolidates two RADGUARD cIPro-VPN gateways in a single unit for an overall savings of nearly $3,000.

I tested a beta of the cIPro-DMZ and concluded that the gateways share only housing and power supplies: They are separate VPN devices, handling traffic and management individually. Fortunately, this approach affords you some flexibility in configuring your enterprise security; you can divide your private network and your extranet into distinct segments.

On the down side, the cIPro-DMZ is not managed as a single unit, so you will have to coordinate the security rules for both of the cIPros.

With a single cIPro-DMZ in the basic VPN model (see the diagram "Network Models" below), you begin by building a VPN in which all tunnels terminate at a single IP address (through which all traffic is transmitted).



The cIPro-DMZ expands on the basic model by segmenting the incoming traffic. For example, traffic destined for the public DMZ is transmitted through a tunnel terminated at the IP address of 10.1.1.1, while traffic destined for the private network is distributed through a tunnel terminated at 10.1.1.2. At no point is the tunnel traffic mixed. Because the VPN traffic is being handled by different encryption engines, performance degradation on one segment won't affect traffic on the other segment.

Of course, this model could easily be accomplished with two cIPros--though at a higher cost. (Keep in mind that you will need two public addresses to serve two DMZs.) Other configuration methods are also available. I set up the cIPro-DMZ as both a VPN and a firewall. In this scenario, I configured one cIPro as a VPN and the second cIPro as a firewall (see the diagram "VPN + Firewall," at left).



During testing, I connected the VPN's private interface to the firewall's public interface. With this configuration, I segmented both the VPN and firewall functionality, as well as the management. This allowed me to configure the VPNs, adding and deleting tunnels as necessary, while controlling access to the internal network through the firewall. The benefit of this configuration is a single point of administration for the VPN and the firewall.

Individual Initializing

With two cIPro gateways in the cIPro-DMZ, I had to initialize each device individually--a fairly tedious task that requires inserting a hardware token and manually entering a secret key. Once that's completed, the cIPro is ready to obtain its profile from the cIPro-CA certificate authority.

When I launched a Hewlett-Packard Co. HP OpenView-based management application, I was presented with three icons--one for the cIPro-CA and one for each cIPro. I then had to configure each unit in the Secure DMZ individually, which creates an opportunity for misconfigurations. For example, if I wanted to manage a server on the Public DMZ from the private network, I would have had to add rules to enable access in two places. If RADGUARD had integrated the cIPro-DMZ's management into a single unit, then those two rules could have been combined into one.
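The two points above, that each destination segment is served by its own tunnel endpoint (10.1.1.1 for the public DMZ, 10.1.1.2 for the private network) and that a flow crossing both cIPros must be permitted in two separately managed rule sets, can be modelled in a few lines. The following is an added example, not RADGUARD code or anything from the article; the address ranges behind each endpoint, the rule structure, the unit names and the sample flows are all constructed for illustration. It picks the tunnel for a destination and then audits two rule sets for the half-open flow that results when a rule is added on one unit but forgotten on the other.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Tunnel endpoints are the ones the article names: public-DMZ traffic terminates
# at 10.1.1.1, private-network traffic at 10.1.1.2. The address ranges behind
# each endpoint are constructed for this example; the article does not give them.
SEGMENTS = {
    "public-dmz": (ip_network("192.0.2.0/24"), ip_address("10.1.1.1")),
    "private": (ip_network("10.10.0.0/16"), ip_address("10.1.1.2")),
}


def tunnel_for(dst: str):
    """Pick the tunnel endpoint for a destination address.

    Returns (segment name, endpoint address as a string), or None when no
    tunnel serves the destination. Each destination matches exactly one
    segment, so DMZ and private traffic are never carried on the same tunnel.
    """
    d = ip_address(dst)
    for name, (net, endpoint) in SEGMENTS.items():
        if d in net:
            return name, str(endpoint)
    return None


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]  # None matches any port
    action: str  # "permit" or "deny"


def rule(src: str, dst: str, port: Optional[int], action: str) -> Rule:
    return Rule(ip_network(src), ip_network(dst), port, action)


def evaluate(rules, src: str, dst: str, port: int) -> str:
    """First-match evaluation of one unit's rule set; implicit deny at the end."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


def check_path(rulesets, src: str, dst: str, port: int):
    """Evaluate a flow on every unit it crosses; returns {unit: verdict}.

    rulesets is an ordered mapping of unit name -> rule list. A flow is only
    usable end to end when every unit permits it.
    """
    return {unit: evaluate(rules, src, dst, port) for unit, rules in rulesets.items()}


def find_drift(rulesets, flows):
    """Return flows whose verdicts disagree between units.

    A disagreement is the failure mode the article describes: a rule added on
    one cIPro but not on the other, so the flow is half-open and either
    silently fails or is permitted further than intended.
    """
    drift = []
    for src, dst, port in flows:
        verdicts = check_path(rulesets, src, dst, port)
        if len(set(verdicts.values())) > 1:
            drift.append(((src, dst, port), verdicts))
    return drift


# Constructed rule sets for the two units. The management flow (SSH, port 22)
# from the private network to the DMZ was added on cIPro-2 only.
RULESETS = {
    "cIPro-1": [rule("10.10.0.0/16", "192.0.2.0/24", 443, "permit")],
    "cIPro-2": [
        rule("10.10.0.0/16", "192.0.2.0/24", 443, "permit"),
        rule("10.10.0.0/16", "192.0.2.0/24", 22, "permit"),
    ],
}

# Constructed flows to audit: HTTPS is consistent across units, SSH is not.
FLOWS = [
    ("10.10.1.1", "192.0.2.10", 443),
    ("10.10.1.1", "192.0.2.10", 22),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", tunnel_for(f[1]), check_path(RULESETS, *f))
    for flow, verdicts in find_drift(RULESETS, FLOWS):
        print("DRIFT:", flow, verdicts)
```

Running the script lists the tunnel chosen for each flow and flags the SSH flow as drift, since cIPro-2 permits it while cIPro-1 falls through to the implicit deny. The same comparison, run after every rule change, is the cheapest substitute for the single management view the article says the product lacks.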

Send your comments on this article to Mike Fratto at mfratto@nwc.com.