Integrating With Vpns; Detecting Intrusions On Other Points Of Entry - Source fire Sourcefire 3D System Installation Manual

Understanding Deployment
Complex Network Deployments

Integrating with VPNs

Detecting Intrusions on Other Points of Entry

Version 5.2
Virtual private networks, or VPNs, use IP tunneling techniques to provide the
security of a local network to remote users over the Internet. In general, VPN
solutions encrypt the data payload in an IP packet. The IP header is unencrypted
so that the packet can be transmitted over public networks in much the same way
as any other packet. When the packet arrives at its destination network, the
payload is decrypted and the packet is directed to the proper host.
Because network appliances cannot analyze the encrypted payload of a VPN
packet, placing managed devices outside the terminating endpoints of the VPN
connections ensures that all packet information can be accessed. The following
diagram illustrates how managed devices can be deployed in a VPN environment.
You can replace the firewall and the tap on either side of the VPN connection with
the managed device. Note that if you replace the tap with a managed device, you
lose the tap packet delivery guarantee.
Many networks include more than one access point. Instead of a single border
router that connects to the Internet, some enterprises use a combination of the
Internet, modem banks, and direct links to business partner networks. In general,
you should deploy managed devices near firewalls (either inside the firewall,
outside the firewall, or both) and on network segments that are important to the
integrity and confidentiality of your business data. The following diagram shows
Sourcefire 3D System Installation Guide
Chapter 2
51