cIPro-DMZ: More VPN for Your Dollar
By Mike Fratto
I tested a beta of the cIPro-DMZ and concluded that the two gateways share only a housing and power supplies: they are separate VPN devices, each handling its own traffic and management. Fortunately, this approach affords you some flexibility in configuring your enterprise security; you can divide your private network and your extranet into distinct segments. On the downside, the cIPro-DMZ is not managed as a single unit, so you will have to coordinate the security rules on both cIPros yourself. With a single cIPro in the basic VPN model (see the diagram "Network Models" below), you begin by building a VPN in which all tunnels terminate at a single IP address, through which all traffic is transmitted.
The cIPro-DMZ expands on the basic model by segmenting the incoming traffic. For example, traffic destined for the public DMZ is carried in a tunnel terminated at the IP address 10.1.1.1, while traffic destined for the private network is carried in a tunnel terminated at 10.1.1.2. At no point is the tunnel traffic mixed. Because the two sets of VPN traffic are handled by different encryption engines, performance degradation on one segment won't affect traffic on the other. Of course, this model could easily be accomplished with two cIPros--though at a higher cost. (Keep in mind that you will need two public addresses to serve two DMZs.) Other configuration methods are also available. I set up the cIPro-DMZ as both a VPN and a firewall: in this scenario, I configured one cIPro as a VPN and the second cIPro as a firewall (see the diagram "VPN + Firewall," at left).
During testing, I connected the VPN's private interface to the firewall's public interface. With this configuration, I segmented both the VPN and firewall functionality, as well as the management. This allowed me to configure the VPNs, adding and deleting tunnels as necessary, while controlling access to the internal network through the firewall. The benefit of this configuration is a single point of administration for the VPN and the firewall.

Individual Initializing

With two cIPro gateways in the cIPro-DMZ, I had to initialize each device individually--a fairly tedious task that requires inserting a hardware token and manually entering a secret key. Once that's completed, the cIPro is ready to obtain its profile from the cIPro-CA certificate authority. When I launched a Hewlett-Packard Co. HP OpenView-based management application, I was presented with three icons--one for the cIPro-CA and one for each cIPro. I then had to configure each unit in the Secure DMZ individually, which creates an opportunity for misconfigurations. For example, if I wanted to manage a server on the Public DMZ from the private network, I would have had to add rules to enable access in two places. If RADGUARD had integrated the cIPro-DMZ's management into a single unit, those two rules could have been combined into one.

Send your comments on this article to Mike Fratto at mfratto@nwc.com.
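The "rules in two places" problem above is easy to audit if you treat the two cIPros as independent first-match, default-deny tables that a flow must pass in sequence. The following is an added illustration, not code from the review or from RADGUARD; the rule model, the device labels "vpn" and "firewall", and the 10.1.1.0/24 and 10.2.0.0/16 address ranges are all assumed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical rule model: each cIPro keeps its own table, so a flow must
# be permitted independently on every device it crosses (default deny).
@dataclass(frozen=True)
class Rule:
    device: str            # which cIPro the rule lives on ("vpn" or "firewall")
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # None means any port
    action: str            # "permit" or "deny"

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == port))

def decide(rules: List[Rule], device: str, src: str, dst: str, port: int) -> str:
    """First-match evaluation on one device; no match falls through to deny."""
    for r in rules:
        if r.device == device and matches(r, src, dst, port):
            return r.action
    return "deny"

def blocked_on(rules: List[Rule], src: str, dst: str, port: int,
               path=("vpn", "firewall")) -> List[str]:
    """Devices along the path that do not permit the flow (empty list = allowed end to end)."""
    return [d for d in path if decide(rules, d, src, dst, port) != "permit"]

# Constructed sample: the SSH rule was added on the VPN cIPro but forgotten on
# the firewall cIPro, the dual-administration slip the review describes.
# Addresses are made up; 10.1.1.0/24 stands in for the Public DMZ here.
RULES = [
    Rule("vpn", "10.2.0.0/16", "10.1.1.0/24", 22, "permit"),
    Rule("firewall", "10.2.0.0/16", "10.1.1.0/24", 80, "permit"),
]

if __name__ == "__main__":
    gaps = blocked_on(RULES, "10.2.5.9", "10.1.1.50", 22)
    print("SSH to DMZ host blocked on:", gaps or "nothing (consistent)")
```

Running the audit over every flow you intend to allow gives a list of exactly which device still lacks a rule, which is the check a single management point would otherwise do for you.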