Network segregation via IPsec gateways?


Hi all,

I have the following network set-up:

There is a router with 1 WAN port and 2 LAN ports. I want to deploy
IPsec gateways for both LANs to enforce security, i.e. only encrypted
traffic may enter or leave the LANs through the IPsec gateways. To
further ensure that access from one LAN to the other is not possible,
I would deploy a separate IPsec gateway for each LAN. I am thinking of
deploying IPsec gateways that are physically separated from the
router, as shown in the following sketch:

          +---------------+        +--------+
LAN1------| IPsec gateway |--------|        |
          +---------------+        |        |
                                   | Router |------WAN
          +---------------+        |        |
LAN2------| IPsec gateway |--------|        |
          +---------------+        +--------+

Alternatively, I could deploy the IPsec gateways in the router, saving
me from deploying 2 additional hardware boxes for the IPsec gateways
as shown in the config. above. This could be done by virtualisation of
the IPsec gateways, or by simply implementing a single IPsec gateway
in the router that serves both LANs.

However, my "feeling" is that this may be less secure in terms of
vulnerability to hackers from the WAN or the LAN side (it is a hacker
from LAN1 wanting to achieve access to LAN2) but I am not able to
justify this...

Can anyone share his/her opinion whether the 3 different configs. are
equivalent in terms of security and vulnerability to hacks???? Any
hint on how to assess this is appreciated. Thanks!

Re: Network segregation via IPsec gateways?

Update: maybe the little ASCII block is too messed up to understand...
so here is a simpler one that should make clear what set-up I mean.

LAN1<---->IPsec GW<---------------->| Router |<------>WAN
LAN2<---->IPsec GW<---------------->|

Further, in the first alternative solution, I of course mean to
virtualise the IPsec gateways and the Router on a single H/W.

Hope that makes the set-ups clearer...

Re: Network segregation via IPsec gateways?

Fred F. wrote:

In theory, separating the gateways from the router is safer, since a
compromised router will not automatically result in access to the LANs.

In practice, the probability of a properly compromised router being cracked
is very small.

The choice really depends on your available resources (do you already have
the hardware or piles of money laying around?) and threat profile (are you
being specifically targeted? do you have data or systems that are critical?).


Re: Network segregation via IPsec gateways?


Thank you for this feedback.

Let's assume that LAN1 is a public network (like a public hotspot in
an airport etc.) and LAN2 is safety critical, i.e. I want to be 100%
(or better 1000% ;)) sure that no one from LAN1 (or from the WAN side)
can connect to a node on LAN2. Money does not matter.

In this case, I assume physically separated IPsec GW and router are
the way to go?!


Re: Network segregation via IPsec gateways?

Fred F. wrote:


Then the important question to ask is does LAN2 need to be connected to the
outside at all? If not, then the answer is simple and involves disconnecting
all cables connecting LAN2 to the outside.

If for some *unavoidable* reason (email, facebook, web browsing aren't)
people /inside/ LAN2 need access to the outside, and maximum security is a
top priority, then put the router and the VPN gateway on separate machines,
and configure the firewalls and router in such a way that only traffic
passing through the VPN gateway can enter/leave LAN2. Any other traffic is
logged and silently dropped.
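As an added example (not from any poster in this thread), here is what the reply above amounts to on the router in the "separate boxes" layout, expressed as an nftables ruleset generator. The forward chain has a default policy of drop; the only traffic accepted between LAN2's port and the WAN is IKE (UDP 500/4500) and ESP to or from the outer address of LAN2's IPsec gateway, and anything crossing between the LAN1 and LAN2 ports, or anything else at all, is logged and then dropped. The interface names (wan0, lan1, lan2) and the gateway address 192.0.2.2 are assumptions for illustration; the check function verifies that every accept rule is pinned to the gateway address, which is the property the whole design rests on.

```shell
#!/bin/sh
# Added example: nftables ruleset for the router when the IPsec gateways
# are separate boxes. Interface names and addresses below are assumed
# (192.0.2.0/24 is a documentation range), not taken from the thread.
WAN_IF="${WAN_IF:-wan0}"      # assumed: port facing the WAN
LAN1_IF="${LAN1_IF:-lan1}"    # assumed: port facing LAN1's IPsec gateway
LAN2_IF="${LAN2_IF:-lan2}"    # assumed: port facing LAN2's IPsec gateway
GW2_ADDR="${GW2_ADDR:-192.0.2.2}"  # assumed: outer address of LAN2's IPsec gateway

# Emit the ruleset. Nothing is applied here; feed the output to `nft -f`.
gen_ruleset() {
  cat <<EOF
flush ruleset
table inet vpn_only {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # LAN2 <-> WAN: only IKE and ESP, and only from/to the IPsec gateway itself
        iifname "$LAN2_IF" oifname "$WAN_IF" ip saddr $GW2_ADDR udp dport { 500, 4500 } accept
        iifname "$LAN2_IF" oifname "$WAN_IF" ip saddr $GW2_ADDR ip protocol esp accept
        iifname "$WAN_IF" oifname "$LAN2_IF" ip daddr $GW2_ADDR udp dport { 500, 4500 } accept
        iifname "$WAN_IF" oifname "$LAN2_IF" ip daddr $GW2_ADDR ip protocol esp accept
        # LAN1 <-> LAN2: never, and say so in the log
        iifname "$LAN1_IF" oifname "$LAN2_IF" log prefix "lan1->lan2 " drop
        iifname "$LAN2_IF" oifname "$LAN1_IF" log prefix "lan2->lan1 " drop
        # Everything else: log, then drop (the chain policy would drop it anyway)
        log prefix "fwd-drop " drop
    }
}
EOF
}

# Sanity check on the generated text: default policy must be drop, and no
# accept rule may exist that is not bound to the LAN2 gateway address.
check_ruleset() {
  rs=$(gen_ruleset)
  printf '%s\n' "$rs" | grep -q 'policy drop;' || return 1
  if printf '%s\n' "$rs" | grep ' accept$' | grep -v "$GW2_ADDR" | grep -q .; then
    return 1   # an accept rule is not pinned to the gateway address
  fi
  return 0
}

# Usage: ./router-rules.sh print > router.nft && nft -f router.nft
#        ./router-rules.sh check
case "${1:-}" in
  print) gen_ruleset ;;
  check) check_ruleset && echo "ruleset ok" ;;
esac
```

The rules are deliberately written in both directions instead of relying on a conntrack "established,related" shortcut, so that the only way a packet crosses between LAN2's port and the WAN is as IKE or ESP addressed to or from the gateway; the inter-LAN drop rules are redundant with the policy but give you a distinct log prefix for exactly the event the thread is worried about.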

