Determining where you will terminate your VPNs

More about virtual burbs and VPNs

Consider a VPN association that is implemented without the use of a virtual burb. Not only will VPN traffic mix with non-VPN traffic, but there is no way to enforce a different set of rules for the VPN traffic. This is because proxies and ACLs, the agents used to enforce the rules on a Sidewinder, are applied on a per-burb basis, not to specific traffic within a burb.

Note: Do not terminate VPN connections in the Internet burb.

You can define up to nine physical and virtual burbs. For example, if you have two distinct types of VPN associations and you want to apply a different set of rules to each type, simply create two virtual burbs, then configure the required proxies and ACLs for each virtual burb.

One question that might come to mind when using a virtual burb is: "How does VPN traffic get to the virtual burb if it doesn’t have a network card?" The answer is found in the way that a VPN security association is defined on the Sidewinder. All VPN traffic originating from the Internet initially arrives in the Internet burb. A VPN security association, however, can terminate VPN traffic in any burb on the Sidewinder. By terminating the VPN in a virtual burb, the VPN traffic is automatically routed to that virtual burb within Sidewinder.

Defining a virtual burb

To create a virtual burb on the Sidewinder for terminating a VPN, do the following:

1. Select Firewall Administration -> Burb Configuration.

2. Click New and create the new virtual burb.

3. Click Apply.

4. Assign DNS to listen on the virtual burb. Enter the following command:

cf dns add listen burb=burbname

where: burbname = the name you have assigned your virtual burb

5. Verify that DNS is listening on the virtual burb by typing the following command:

cf dns query

2-8

Planning Your VPN Configuration

Secure Computing Sidewinder Version 5.1.0.02, SafeNet manual More about virtual burbs and VPNs, Defining a virtual burb