Secure Computing SafeNet manual Determining where you will terminate your VPNs

Determining where you will terminate your VPNs

Figure 2-4. VPN tunnel terminating on trusted burb

Figure 2-5. VPN tunnel terminating on a virtual burb

You can configure a VPN security association on Sidewinder to terminate in any burb. For example, Figure 2-4 shows a VPN security association terminating in the trusted burb. It allows all network traffic to flow between the hosts on the trusted network and the VPN client. Other than an external-to-external ISAKMP ACL entry, you need no special ACL entries or proxy control.

Figure 2-5 shows another option that allows you to terminate VPN traffic in a "virtual" burb. A virtual burb is a burb that does not contain a network interface card. The sole purpose of a virtual burb is to serve as a logical endpoint for a VPN association.

Terminating a VPN association in a virtual burb accomplishes two important goals:

￿Separation of VPN traffic from non-VPN traffic

￿Enforce a security policy that applies strictly to your VPN users

By terminating the VPN in a virtual burb you effectively isolate the VPN traffic from non-VPN traffic. Plus, you are able to configure a unique set of rules (via proxies and ACLs) for the virtual burb that allow you to control precisely what your VPN users can or cannot do.

Note: The VPN implementation depicted in Figure 2-5 represents a "proxied" VPN because proxies must be used to move VPN data between burbs. The use of proxies enables you to control the resources that a VPN client has access to on your internal network.