HP-UX IPSec Version A.03.00 Administrator's Guide

System B on the manufacturer's subnet communicate with a host-to-host IPsec topology. For
added security, you can configure filtering on the manufacturer's firewall so that it checks the
traffic to and from system A and allows only IPsec packets between system A and system B to pass.
Figure 1-14 HP-UX IPSec Host-to-Host VPN Across the Internet
[Figure: system A on the supplier's intranet and system B on the manufacturer's intranet, each behind a firewall and router, reach each other through their ISPs over the public network. The IPsec session runs end to end between A and B.]
Host-to-Gateway VPN Across the Internet
You can also use IPsec to create a host-to-gateway VPN across the Internet, as shown in
Figure 1-15. The manufacturer's IP router is an IPsec gateway, and system A establishes the IPsec
session with the manufacturer's router rather than with system B.
Figure 1-15 HP-UX IPSec Host-to-Gateway VPN Across the Internet
[Figure: system A on the supplier's intranet and system B on the manufacturer's intranet, each behind a firewall and router, connected through their ISPs over the public network. The IPsec session runs between A and the manufacturer's router, which acts as the IPsec gateway for B.]
In this example, system A can reach every system in the manufacturer's network once the tunnel
is up; therefore you must configure filtering on the manufacturer's firewall to check the traffic to
and from system A and allow only IPsec packets between system A and system B to pass. In
addition, packets between the router and system B travel in cleartext; IPsec protects only the
segment between system A and the router.
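The filtering rule the two preceding examples ask for ("allow only IPsec packets between system A and system B") is easy to state and easy to get subtly wrong: cleartext traffic to the IPsec ports, or IPsec traffic from A to some other host, must still be blocked. The following model is an added example, not code from the HP-UX IPSec guide or from HP-UX IPFilter. The addresses, the sample packets, and the choice to express the same policy in IPFilter ipf.conf syntax are assumptions made for illustration; in particular, the NAT-T port is included only as a labelled option.

```python
"""Model of the firewall filtering described for Figures 1-14 and 1-15:
traffic to or from system A passes the manufacturer's firewall only if it is
IPsec traffic between system A and system B.  Added example, not HP-UX IPSec
or HP-UX IPFilter code; addresses and sample packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges); the guide gives none.
SYSTEM_A = "192.0.2.10"      # supplier's host, runs HP-UX IPSec
SYSTEM_B = "198.51.100.20"   # manufacturer's host

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50            # Encapsulating Security Payload
IP_PROTO_AH = 51             # Authentication Header
IKE_PORT = 500               # IKE negotiates the IPsec SAs; UDP 500 on both ends
NAT_T_PORT = 4500            # UDP-encapsulated ESP for NAT traversal (assumption:
                             # include it only if the peers actually use NAT-T)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def is_ipsec(pkt: Packet) -> bool:
    """ESP, AH, or IKE/NAT-T with the well-known port on both ends."""
    if pkt.proto in (IP_PROTO_ESP, IP_PROTO_AH):
        return True
    if pkt.proto == IP_PROTO_UDP:
        return pkt.sport == pkt.dport and pkt.dport in (IKE_PORT, NAT_T_PORT)
    return False


def filter_decision(pkt: Packet) -> str:
    """'pass' or 'block'.  Anything involving system A must be IPsec between
    A and B; traffic not involving A is outside this rule set and is left to
    the firewall's remaining rules (modelled here as 'pass')."""
    if SYSTEM_A not in (pkt.src, pkt.dst):
        return "pass"
    if {pkt.src, pkt.dst} == {SYSTEM_A, SYSTEM_B} and is_ipsec(pkt):
        return "pass"
    return "block"


def ipfilter_rules() -> List[str]:
    """Render the same policy in IPFilter ipf.conf syntax (assumption: the
    manufacturer's firewall accepts IPFilter rules; HP-UX ships IPFilter).
    'quick' makes the first matching rule final, so order matters: the
    explicit passes must precede the catch-all blocks for system A."""
    rules: List[str] = []
    for direction in ("in", "out"):
        for src, dst in ((SYSTEM_A, SYSTEM_B), (SYSTEM_B, SYSTEM_A)):
            rules.append(f"pass {direction} quick proto esp from {src} to {dst}")
            rules.append(f"pass {direction} quick proto ah from {src} to {dst}")
            rules.append(f"pass {direction} quick proto udp from {src} port = {IKE_PORT} "
                         f"to {dst} port = {IKE_PORT}")
        rules.append(f"block {direction} quick from {SYSTEM_A} to any")
        rules.append(f"block {direction} quick from any to {SYSTEM_A}")
    return rules


def sample_packets() -> List[Tuple[str, Packet]]:
    """Constructed traffic mix for the demonstration."""
    return [
        ("IKE negotiation A->B", Packet(SYSTEM_A, SYSTEM_B, IP_PROTO_UDP, IKE_PORT, IKE_PORT)),
        ("ESP A->B", Packet(SYSTEM_A, SYSTEM_B, IP_PROTO_ESP)),
        ("AH B->A", Packet(SYSTEM_B, SYSTEM_A, IP_PROTO_AH)),
        ("cleartext telnet A->B", Packet(SYSTEM_A, SYSTEM_B, IP_PROTO_TCP, 40001, 23)),
        ("ESP from A to another host", Packet(SYSTEM_A, "198.51.100.99", IP_PROTO_ESP)),
        ("UDP/500 from ephemeral port", Packet(SYSTEM_A, SYSTEM_B, IP_PROTO_UDP, 40002, IKE_PORT)),
        ("internal HTTP, A not involved", Packet("198.51.100.99", SYSTEM_B, IP_PROTO_TCP, 40003, 80)),
    ]


def run_demo() -> dict:
    """Apply the policy to the sample packets; returns {label: decision}."""
    return {label: filter_decision(pkt) for label, pkt in sample_packets()}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{decision:5s}  {label}")
    print()
    print("\n".join(ipfilter_rules()))
```

The model deliberately treats a UDP datagram to port 500 from an ephemeral source port as non-IPsec, because IKE between two HP-UX IPSec peers uses port 500 on both ends; loosen that only if a NAT device in the path rewrites ports. Note also what the filter cannot do in the host-to-gateway case: once the router has stripped the IPsec headers, the cleartext hop from the router to system B is ordinary traffic, which is exactly the caveat in the paragraph above.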
In the host-to-gateway VPN topology, HP-UX IPSec is used on system A. The router uses an
IPsec gateway product provided by another vendor.
Application Server in DMZ with Back-End Server
More enterprises are putting application servers in a demilitarized zone (DMZ), that is,
outside the corporate firewalls, for business partners or public access. Because inbound
connections from the Internet are allowed to these servers, they are exposed to attack. In many
cases, the application servers in the DMZ are configured as application gateways, or proxy
servers, that open a second connection to back-end servers within the internal network and
forward client requests to those back-end servers.