LinuxQuestions.org
Old 04-21-2005, 03:18 PM   #1
qennster
Simple firewall and VPN question


Can somebody give me a straight answer: should you put your firewall software and VPN software on one machine (appliance), or separate them onto two machines (appliances)?
 
Old 04-21-2005, 05:36 PM   #2
Thoreau
If you are setting up a VPN, then you are essentially on the same LAN as the other network. How you set up your firewall on the VPN server side is really dependent on how much you trust or want to allow the client to see.

Sometimes firewall rules on the host VPN side cause NATing errors on the VPN connections. I have had $150/hr CCIEs working on this issue, and it is still more art than science. Cisco has the same problems with running VPN services on a PIX firewall. They use something called a VPN concentrator, which is essentially a VPN server without the firewall. Doing keep-alives and timeouts for key exchanges sometimes runs into problems with NATing through a firewall. It shouldn't, but it does.

I would give you a straighter answer, but the question is generic. Garbage in, garbage out, as it were. Hope this helps.
 
Old 04-22-2005, 07:58 AM   #3
qennster
"but the question is generic"

You're right, and I hate asking these types of questions, but nobody I have spoken to (a couple of Cisco people and one MCSE) or anything I googled could say one way or the other.
I get responses of "it depends on the machine", "put both on one machine" to "keep them separate".

This site is usually the best at answering most of my questions.
Thanks for the response.
 
Old 05-08-2005, 06:35 PM   #4
meadensi
Answer straight from the book....

Hello,

If I can quote from a book called Linux Firewalls by Robert L. Ziegler, 2nd Ed., p. 522, Appendix C, VPN:

"VPN and Firewalls

A VPN can be placed in front of a firewall, placed behind a firewall, or be part of a firewall implementation. Placing the VPN in front of a firewall is not very common. It is more common to use a firewall/VPN combo or to put the VPN behind the firewall itself.

Combining a VPN system and a firewall is one of the more flexible solutions. It also requires less hardware and this gives a single point of failure. However, I want to stress that the best solution is to have a VPN behind the firewall or as part of a DMZ configuration..."

I would quote more, but perhaps you ought to buy the book: ISBN 0-7357-1099-6.

Anyway, I too am wrestling with how to implement firewalls and VPNs. I would like to steer away from a Micro$oft solution. If we are to have the VPN on a separate machine from the firewall (itself a separate machine), then that means two Linux boxes on either side of a connection that straddles the Internet, 4 in all! Seems rather a lot. I am currently considering buying a Netgear/Linksys box of tricks that has a Stateful Packet Inspection firewall (same as iptables) as well as inbuilt IPSEC etc. I can't help feeling that the dedicated machine solution is perhaps best here. But I worry about it not working. I mean, if I build a cheapo Linux box and it doesn't work (as a firewall/VPN), then I can usually get it to do something else (i.e. the advantage of a general purpose box) and convince myself that I haven't wasted money. If these said Netgear/Linksys routers fail to deliver, then they become expensive white elephants, unusable for anything else.

I sincerely hope you get things sorted and perhaps you can post to this website with your experience please.

Regards,

Meadensi
 
Old 05-08-2005, 11:34 PM   #5
Thoreau
I have a Linux box running ClarkConnect with a proxy, VPN, and firewall. IPCop also does this, and is free. I consider it a server and as such have a 3ware card with mirrored drives and lots of RAM for the proxy server piece. It works fine and has been running at a couple of my businesses for about 2 years now.

The routes are usually the tricky part if you have multiple internal VLANs, but easy to fix with a route add statement.

You can get a dedicated box from Cisco or another vendor, but it will cost you out the ass. $20,000.00 plus subscription fees compared to free or $250 for 5 years plus a $1200 stacked Linux box is a big difference.
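Putting the NAT caveat from post #2 and the VLAN routing from this post into one configuration, as an added example that is not from the thread or from any of the products it names: a shell script for a combined firewall/VPN box that routes two internal VLANs, keeps the VPN client pool out of MASQUERADE, and lets tunnel clients reach only those VLANs. Interface names, subnets and the DRY_RUN switch are assumptions; by default it prints the commands, and DRY_RUN=0 as root applies them.

```shell
#!/bin/sh
# Added example (not from the thread): combined firewall/VPN box that routes
# two internal VLANs and keeps tunnel traffic out of NAT.  Interface names
# and subnets are constructed assumptions.
WAN_IF=eth0                 # assumed Internet-facing interface
VPN_IF=tun0                 # assumed tunnel interface
VPN_NET=10.8.0.0/24         # constructed pool handed out to VPN clients
# constructed internal VLANs, written as "subnet:tagged-subinterface"
VLANS="10.10.0.0/24:eth1.10 10.20.0.0/24:eth1.20"
DRY_RUN=${DRY_RUN:-1}       # 1 = print the commands, 0 = apply them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Routes: one per VLAN on its tagged subinterface, plus the client pool on the
# tunnel.  This is the iproute2 form of the 'route add' the thread mentions.
add_routes() {
  for entry in $VLANS; do
    run ip route add "${entry%%:*}" dev "${entry#*:}"
  done
  run ip route add "$VPN_NET" dev "$VPN_IF"
}

# NAT: masquerade only what leaves towards the Internet.  Packets addressed to
# the client pool are excluded, so keepalives and rekeys inside the tunnel are
# never rewritten (the 'NATing errors' described earlier in the thread).
nat_rules() {
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" ! -d "$VPN_NET" -j MASQUERADE
}

# Forwarding: VPN clients reach only the listed VLANs; replies flow back via
# conntrack; anything else arriving from the tunnel is logged, then dropped.
forward_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for entry in $VLANS; do
    run iptables -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -d "${entry%%:*}" -j ACCEPT
  done
  run iptables -A FORWARD -i "$VPN_IF" -j LOG --log-prefix "vpn-fwd-drop: "
  run iptables -A FORWARD -i "$VPN_IF" -j DROP
}

add_routes
nat_rules
forward_rules
```

The FORWARD rules are where the "how much you allow the client to see" decision from post #2 is actually enforced; add one ACCEPT line per VLAN a client population may reach and nothing more.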
 
  

