
Interface-based VPNs

Created by dave. Last edited by dave, 3 years and 278 days ago. Viewed 934 times. #1
(2015-03-10)

Something which I realized a few years back and have not read anywhere before or since:

If you are messing around with interface-based (route-based) VPNs on your JunOS or ScreenOS firewall, the temptation is to put the tunnel interfaces in the untrust zone. VPNs are untrusted, right?

The downside of doing this is that most of the time you are going to end up subverting your own policy rules controlling traffic flow to the far sides of the VPNs. This is because most of the time you are not at a high security site and you have the equivalent of a (Trust->Untrust)(any/any/any->Permit) rule at the bottom of your outbound policy list. Once the tunnel interface is in untrust, traffic routed into the tunnel is evaluated against that same Trust->Untrust list, so the catch-all rule matches it too.

So if you are carefully using policies to permit specific traffic across the VPNs, you have to be sure to just as carefully exclude everything else across those VPNs, otherwise the bottom rule is just going to happily permit it.

This is obvious in hindsight but I've never seen it written anywhere as a sort of gotcha warning.

My solution to this problem is to create a new zone called "VPN" whenever possible and use trust->VPN policies to control the traffic flow. The trust->VPN zone pair has no catch-all permit of its own, so any traffic not explicitly permitted by one of those policies falls through to the implicit deny.
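As an added illustration of the above (not the author's configuration), the weak placement and the fix in Junos SRX "set" syntax. The interface names (ge-0/0/0.0, ge-0/0/1.0, st0.0), the zone and policy names, and the 10.20.0.0/16 branch prefix are all assumed; the IKE/IPsec proposal and the gateway that binds the tunnel to st0.0 are left out. Lines beginning with # are annotations, not configuration.

```junos
# Weak placement: the tunnel interface shares the untrust zone with the
# Internet-facing interface, so the Trust->Untrust policy list governs both.
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0
set security zones security-zone untrust address-book address branch-lan 10.20.0.0/16

# Intended rule: only HTTPS from the LAN to the branch across the tunnel.
set security policies from-zone trust to-zone untrust policy branch-https match source-address any
set security policies from-zone trust to-zone untrust policy branch-https match destination-address branch-lan
set security policies from-zone trust to-zone untrust policy branch-https match application junos-https
set security policies from-zone trust to-zone untrust policy branch-https then permit

# The usual Internet catch-all. Because st0.0 is also in untrust, anything
# else routed into the tunnel matches here and is permitted as well.
set security policies from-zone trust to-zone untrust policy outbound-any match source-address any
set security policies from-zone trust to-zone untrust policy outbound-any match destination-address any
set security policies from-zone trust to-zone untrust policy outbound-any match application any
set security policies from-zone trust to-zone untrust policy outbound-any then permit

# Fix: move the tunnel interface into its own zone. The Trust->Untrust
# catch-all no longer applies to tunnel traffic, and the Trust->VPN pair
# only has the rules you write for it.
delete security zones security-zone untrust interfaces st0.0
delete security zones security-zone untrust address-book address branch-lan
delete security policies from-zone trust to-zone untrust policy branch-https
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn address-book address branch-lan 10.20.0.0/16

set security policies from-zone trust to-zone vpn policy branch-https match source-address any
set security policies from-zone trust to-zone vpn policy branch-https match destination-address branch-lan
set security policies from-zone trust to-zone vpn policy branch-https match application junos-https
set security policies from-zone trust to-zone vpn policy branch-https then permit

# Make the implicit deny explicit and log it, so traffic that was being
# silently carried by the old catch-all now shows up in the logs.
set security policies from-zone trust to-zone vpn policy deny-rest match source-address any
set security policies from-zone trust to-zone vpn policy deny-rest match destination-address any
set security policies from-zone trust to-zone vpn policy deny-rest match application any
set security policies from-zone trust to-zone vpn policy deny-rest then deny
set security policies from-zone trust to-zone vpn policy deny-rest then log session-init

# Belt and braces: traffic between any zone pair with no matching policy is dropped.
set security policies default-policy deny-all
```

The same reasoning applies in the other direction: traffic arriving from the far side of the tunnel is evaluated as vpn->trust, which is a separate zone pair with its own (initially empty, therefore deny) policy list, so it also needs explicit permits rather than inheriting whatever untrust->trust allows.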
