LinuxQuestions.org

Linux - Networking: Simple firewall and VPN question (https://www.linuxquestions.org/questions/linux-networking-3/simple-firewall-and-vpn-question-315802/)

qennster 04-21-2005 03:18 PM

Simple firewall and VPN question
 
Can somebody give me a straight answer: should you put your firewall software and VPN software on one machine (appliance), or separate them onto two machines (appliances)?

Thoreau 04-21-2005 05:36 PM

If you are setting up a VPN, then you are essentially on the same LAN as the other network. How you set up your firewall on the VPN server side is really dependent on how much you trust or want to allow the client to see.

Sometimes firewall rules on the host VPN side cause NATing errors on the VPN connections. I have had $150/hr CCIEs working on this issue, and it is still more art than science. Cisco has the same problems with running VPN services on a PIX firewall. They use something called a VPN concentrator, which is essentially a VPN server without the firewall. Doing keep-alives and timeouts for key exchanges sometimes runs into problems with NATing through a firewall. It shouldn't, but it does.

I would give you a straighter answer, but the question is generic. Garbage in garbage out, as it were. Hope this helps.

qennster 04-22-2005 07:58 AM

"but the question is generic"

You're right, and I hate asking these types of questions, but nobody I have spoken to (a couple of Cisco people and one MCSE) or anything I googled could say one way or the other.
I get responses ranging from "it depends on the machine" and "put both on one machine" to "keep them separate".

This site is usually the best at answering most of my questions.
Thanks for the response

meadensi 05-08-2005 06:35 PM

Answer straight from the book....
 
Hello,

If I can quote from a book called Linux Firewalls by Robert L. Ziegler, 2nd Ed, p.522, Appendix C VPN

"VPN and Firewalls

A VPN can be placed in front of a firewall, placed behind a firewall, or be part of a firewall implementation. Placing the VPN in front of a firewall is not very common. It is more common to use a firewall/VPN combo or to put the VPN behind the firewall itself.

Combining a VPN system and a firewall is one of the more flexible solutions. It also requires less hardware and this gives a single point of failure. However, I want to stress that the best solution is to have a VPN behind the firewall or as part of a DMZ configuration..."

I would quote more, but perhaps you ought to buy the book, ISBN 0-7357-1099-6.

Anyway, I too am wrestling with how to implement firewalls and VPNs. I would like to steer away from a Micro$oft solution. If we are to have the VPN on a separate machine from the firewall (itself a separate machine), then that means two Linux boxes on either side of a connection that straddles the Internet, 4 in all! Seems rather a lot. I am currently considering buying a Netgear/Linksys box of tricks that has a Stateful Packet Inspection firewall (same as iptables) as well as inbuilt IPSEC etc. I can't help feeling that the dedicated machine solution is perhaps best here. But I worry about it not working. I mean, if I build a cheapo Linux box and it doesn't work (as a firewall/VPN), then I can usually get it to do something else (i.e. the advantage of a general-purpose box) and convince myself that I haven't wasted money. If these said Netgear/Linksys routers fail to deliver, then they become expensive white elephants, unusable for anything else.

I sincerely hope you get things sorted and perhaps you can post to this website with your experience please.

Regards,

Meadensi

Thoreau 05-08-2005 11:34 PM

I have a linux box running clarkconnect with a proxy, VPN, and firewall. IPCOP also does this, and is free. I consider it a server and as such have a 3ware card with mirrored drives and lots of RAM for the proxy server piece. It works fine and has been running on a couple of my businesses for about 2 years now.

The routes are usually the tricky part if you have multiple internal VLANs. But they are easy to fix with a route add statement.

You can get a dedicated box from cisco or another, but it will cost you out the ass. $20,000.00 plus subscription fees compared to free or $250 for 5 years plus a $1200 stacked linux box is a big difference.
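The two practical points raised in this thread, the NAT rules on a combined firewall/VPN box breaking the tunnel traffic (Thoreau's first post) and the per-VLAN "route add" step (his last post), are shown together below in an added example that is not code from the thread or from any of the products named in it. It assumes a single Linux host that is both the perimeter firewall and the VPN endpoint, with a tunnel-interface VPN (OpenVPN-style tun0 rather than policy-based IPsec, whose routing is handled by the SPD), and assumed names and addresses: WAN eth0, LAN eth1 with 192.168.10.0/24, tunnel peer 10.8.0.2, and remote-site VLANs 10.20.1.0/24 and 10.20.2.0/24. By default the commands are printed for review; set RUN=1 to execute them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Single box acting as firewall and VPN endpoint.
# All interface names, subnets and the tunnel peer are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
REMOTE_NETS="${REMOTE_NETS:-10.20.1.0/24 10.20.2.0/24}"   # remote-site VLANs (assumed)
VPN_GW="${VPN_GW:-10.8.0.2}"                               # far end of the tunnel (assumed)

# Print the command unless RUN=1, so the rule set can be reviewed before it is applied.
run() {
  if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

firewall_rules() {
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The VPN terminates on this host, so its control and data traffic must be allowed
  # in from the WAN: IKE (UDP 500), NAT-T (UDP 4500), ESP, and OpenVPN (UDP 1194).
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT
  run iptables -A INPUT -i "$LAN_IF" -j ACCEPT
  # Forwarding: LAN <-> tunnel both ways (tunnel side restricted to our LAN as destination),
  # LAN -> WAN outbound, and replies by connection state.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
}

nat_rules() {
  # The usual "NAT broke the VPN" mistake is a blanket MASQUERADE that also rewrites the
  # source of packets bound for the remote site, so the far end sees the WAN address
  # instead of the LAN subnet it expects. Exempt each remote network first (ACCEPT in the
  # nat table means "do not translate"), then masquerade everything else leaving the WAN.
  for net in $REMOTE_NETS; do
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$net" -j ACCEPT
  done
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

vpn_routes() {
  # One route per remote VLAN pointing into the tunnel: the "route add" step.
  for net in $REMOTE_NETS; do
    run ip route replace "$net" via "$VPN_GW" dev "$VPN_IF"
  done
}

apply_all() {
  run sysctl -w net.ipv4.ip_forward=1
  firewall_rules
  nat_rules
  vpn_routes
}

apply_all
```

The order inside nat_rules is the part that matters: the per-network ACCEPT rules must precede the MASQUERADE rule, since iptables stops at the first match in the nat table. If the rules are loaded from a tool that reorders them, or the remote VLAN list grows and the new subnet is added after the MASQUERADE line, the symptom is exactly the intermittent, one-direction-only VPN failure described above.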

