Planning Your VPN Configuration
2-7
Determining where you will terminate your VPNs
You can configure a VPN security association on Sidewinder to terminate in any burb. For example, Figure 2-4 shows a VPN security association terminating in the trusted burb. It allows all network traffic to flow between the hosts on the trusted network and the VPN client. Other than an external-to-external ISAKMP ACL entry, you need no special ACL entries or proxy control.
Figure 2-4. VPN tunnel terminating on trusted burb
Figure 2-5 shows another option that allows you to terminate VPN traffic in a "virtual" burb. A virtual burb is a burb that does not contain a network interface card. The sole purpose of a virtual burb is to serve as a logical endpoint for a VPN association.
Figure 2-5. VPN tunnel terminating on a virtual burb
Terminating a VPN association in a virtual burb accomplishes two important goals:
• Separation of VPN traffic from non-VPN traffic
• Enforcement of a security policy that applies strictly to your VPN users
By terminating the VPN in a virtual burb you effectively isolate the VPN traffic from non-VPN traffic. Plus, you are able to configure a unique set of rules (via proxies and ACLs) for the virtual burb that allow you to control precisely what your VPN users can or cannot do.
Note: The VPN implementation depicted in Figure 2-5 represents a "proxied" VPN because proxies must be used to move VPN data between burbs. The use of proxies enables you to control the resources that a VPN client has access to on your internal network.
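The difference between the two termination choices is easiest to see as a policy question: once the tunnel is decrypted, which burb does the client's traffic enter, and what rules then govern it? The model below is an added illustration written for this page; it is not Sidewinder's configuration syntax, its policy engine, or any code from the manual. Burb names (internet, trusted, vpn_virtual) and the convention that same-burb traffic needs no rule while burb-crossing traffic needs a proxy or ACL entry are assumptions chosen to mirror Figures 2-4 and 2-5.

```python
"""Conceptual model of VPN termination on a burb-based firewall.

Added illustration only: this simplified rule evaluation is NOT Sidewinder's
configuration syntax or its real policy engine.
"""
from dataclasses import dataclass, field

# Assumed burb names, chosen to match the figures in the text.
INTERNET, TRUSTED, VIRTUAL_VPN = "internet", "trusted", "vpn_virtual"
ISAKMP = ("udp", 500)  # IKE/ISAKMP key exchange


@dataclass(frozen=True)
class Rule:
    """One proxy or ACL entry: traffic from src_burb to dst_burb on proto/port."""
    src_burb: str
    dst_burb: str
    proto: str
    port: int


@dataclass
class Firewall:
    burbs: dict            # burb name -> True if it has a NIC, False if virtual
    vpn_burb: str          # burb in which the VPN security association terminates
    acl: set = field(default_factory=set)
    proxies: set = field(default_factory=set)

    def permits(self, src_burb, dst_burb, proto, port):
        """Assumed convention: intra-burb traffic needs no rule; crossing burbs
        requires a matching proxy or ACL entry."""
        if src_burb == dst_burb:
            return True
        rule = Rule(src_burb, dst_burb, proto, port)
        return rule in self.acl or rule in self.proxies

    def vpn_client_can_reach(self, dst_burb, proto, port):
        """Decrypted VPN traffic enters at the termination burb and is policed from there."""
        return self.permits(self.vpn_burb, dst_burb, proto, port)

    def isakmp_allowed(self):
        """Key exchange arrives on the external interface in both designs, so the
        external-to-external ISAKMP ACL entry is always required."""
        return self.permits(INTERNET, INTERNET, *ISAKMP)

    def terminates_in_virtual_burb(self):
        """True when the termination burb has no network interface card."""
        return not self.burbs[self.vpn_burb]


def trusted_termination():
    """Figure 2-4: terminate in the trusted burb; only the ISAKMP ACL entry is needed,
    and the client then sees the trusted network as a peer."""
    fw = Firewall(burbs={INTERNET: True, TRUSTED: True}, vpn_burb=TRUSTED)
    fw.acl.add(Rule(INTERNET, INTERNET, *ISAKMP))
    return fw


def virtual_termination(allowed_services):
    """Figure 2-5: terminate in a NIC-less virtual burb; only the services given
    an explicit proxy from the virtual burb to the trusted burb are reachable."""
    fw = Firewall(burbs={INTERNET: True, TRUSTED: True, VIRTUAL_VPN: False},
                  vpn_burb=VIRTUAL_VPN)
    fw.acl.add(Rule(INTERNET, INTERNET, *ISAKMP))
    for proto, port in allowed_services:
        fw.proxies.add(Rule(VIRTUAL_VPN, TRUSTED, proto, port))
    return fw


def audit(fw, services):
    """Map each (proto, port) to whether a VPN client can reach it on the trusted burb."""
    return {svc: fw.vpn_client_can_reach(TRUSTED, *svc) for svc in services}


if __name__ == "__main__":
    services = [("tcp", 25), ("tcp", 80), ("tcp", 445)]
    print("trusted-burb termination :", audit(trusted_termination(), services))
    print("virtual-burb termination :", audit(virtual_termination([("tcp", 80)]), services))
```

Running the audit over a few sample services (constructed here) shows the policy consequence described above: with trusted-burb termination every service is reachable because no rule is consulted, whereas with virtual-burb termination only the proxied service passes, and in both designs the ISAKMP ACL entry is what lets the tunnel come up at all.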
[Figure 2-4 diagram: a Soft-PK client on the Internet; VPN tunnel into Sidewinder's Internet burb, terminating in the Trusted burb; data flows on to hosts on the Protected Network. Legend: VPN tunnel, Data.]
[Figure 2-5 diagram: a Soft-PK client on the Internet; VPN tunnel into Sidewinder's Internet burb, terminating in the Virtual burb; Proxies carry data from the Virtual burb to the Trusted burb and on to the Protected Network. Legend: VPN tunnel, Data.]