To: frankw @
net, firewall @
Subject: RE: VPN's over the internet
o Most commercial firewalls offer firewall->firewall encryption,
so extra encryption h/w or s/w isn't usually needed.
Yes, but many of the firewalls do it via software, causing potential
bottlenecks @ high bandwidth, therefore it IS beneficial to move to a hardware
platform that has a dedicated processor.
o Many (most?) firewalls when performing firewall->firewall encryption
are only providing an IP encryption tunnel through the firewalls.
You would think any 1/2-way intelligent firewall company would not allow
such a thing to happen. Why would they effectively breach the complete
functionality of the application proxy server? If they fully trust the other
entity they should add in the appropriate rulesets to allow such behavior. The
idea of "I have a VPN therefore I bypass my proxy based services" is obscene.
It is important to note that *NO* application filtering is performed.
While this may offer protection from a MITM (Man-In-The-Middle) attack
(Internet, etc), it offers *NO* protection from the other entity's
network. A problem on their network is a problem on your network.
If this is true, again, if you moved to an independent hardware solution
you would be able to still have the complete functionality of the proxy
o It is usually beneficial to firewall VPN connections to localize
contamination in the event one of the VPN entities is breached.
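The two points above (VPN traffic must not bypass the proxies, and VPN peers should themselves be firewalled) can be expressed as an ordinary ruleset on the decrypted side of the tunnel. The nftables policy below is an added illustration, not from this thread or any product; the tunnel interface `vpn0`, the partner network `10.20.0.0/16` and the internal proxy host `192.0.2.10` are assumed, and the proxy is assumed to be a separate host behind the firewall rather than on the firewall itself.

```nftables
# Added example: treat the decrypted tunnel like any other untrusted link.
# Interface vpn0, partner net 10.20.0.0/16 and proxy 192.0.2.10 are assumed.
table inet vpn_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted sessions
        ct state established,related accept

        # Partner may reach only the proxy host, only on proxied services;
        # it cannot talk to arbitrary internal hosts over the tunnel.
        iifname "vpn0" ip saddr 10.20.0.0/16 ip daddr 192.0.2.10 tcp dport { 25, 80, 443 } ct state new accept

        # Our side initiates toward the partner only from the proxy as well,
        # so outbound sessions also go through application-level filtering.
        oifname "vpn0" ip saddr 192.0.2.10 ip daddr 10.20.0.0/16 tcp dport { 25, 80, 443 } ct state new accept

        # Anything else crossing the tunnel is logged and dropped, which is
        # what keeps a compromise on the partner network contained to the
        # services the proxy exposes.
        iifname "vpn0" log prefix "vpn-drop-in: " drop
        oifname "vpn0" log prefix "vpn-drop-out: " drop
    }
}
```

The logged drops are the detection side of the same policy: unexpected traffic from the partner range is the first sign that "a problem on their network" is trying to become one on yours.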