HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

In Figure 10, the supplier and manufacturer have separate intranets that are connected to the
public Internet using Internet Service Providers (ISPs). System A on the supplier's intranet and System
B on the manufacturer's subnet communicate with a host-to-host IPsec topology. For added security,
you can configure filtering on the manufacturer's firewall so that it checks the traffic to and from
system A and allows only IPsec packets between system A and B to pass.
Figure 10 HP-UX IPSec Host-to-Host VPN Across the Internet
[Figure: Supplier's Intranet (system A) - Firewall - Router - ISP - Public Network (IPSec) - ISP - Router - Firewall - Manufacturer's Intranet (system B)]
Host-to-gateway VPN across the internet
You can also use IPsec to create a host-to-gateway VPN across the Internet, as shown in Figure 11.
The manufacturer’s IP router is an IPsec gateway, and system A establishes the IPsec session with
the manufacturer’s router.
Figure 11 HP-UX IPSec host-to-gateway VPN across the internet
[Figure: Supplier's Intranet (system A) - Firewall - Router - ISP - Public Network (IPSec) - ISP - Router (IPsec gateway) - Firewall - Manufacturer's Intranet (system B)]
In this example, system A can easily access all systems in the manufacturer’s network; therefore
you must configure filtering on the manufacturer’s firewall to check the traffic to and from system
A and allow only IPsec packets between system A and B to pass. In addition, packets between the
router and system B are not secured.
In the host-to-gateway VPN topology, HP-UX IPSec is used on system A. The router uses an IPsec
gateway product provided by another vendor.
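The filtering rule described for Figures 10 and 11 (check all traffic to and from system A; pass only IPsec packets between A and B) modelled as a small packet-classification function. This is an added example, not code or configuration from the HP-UX IPSec guide; the addresses are constructed placeholders, and the IKE/NAT-T ports and ESP/AH protocol numbers are the standard IANA values.

```python
from dataclasses import dataclass

SYSTEM_A = "192.0.2.10"      # supplier's system A (constructed placeholder)
SYSTEM_B = "198.51.100.20"   # manufacturer's system B (constructed placeholder)

ESP, AH, UDP = 50, 51, 17    # IP protocol numbers (IANA)
IKE_PORTS = {500, 4500}      # IKE and IKE NAT traversal over UDP

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    sport: int = 0  # transport ports, 0 when not applicable
    dport: int = 0

def is_ipsec(pkt: Packet) -> bool:
    """ESP, AH, or the IKE negotiation traffic that sets up the SAs."""
    if pkt.proto in (ESP, AH):
        return True
    return pkt.proto == UDP and pkt.sport in IKE_PORTS and pkt.dport in IKE_PORTS

def firewall_decision(pkt: Packet) -> str:
    """Manufacturer's firewall rule for traffic involving system A.

    Returns 'pass', 'block', or 'unmatched' (packet does not involve A, so
    the firewall's other rules decide)."""
    if SYSTEM_A not in (pkt.src, pkt.dst):
        return "unmatched"
    if {pkt.src, pkt.dst} == {SYSTEM_A, SYSTEM_B} and is_ipsec(pkt):
        return "pass"
    # Everything else from or to A is dropped: cleartext traffic to B, and
    # any traffic (IPsec or not) to other manufacturer hosts, which matters in
    # the host-to-gateway topology where A could otherwise reach the whole intranet.
    return "block"

# Constructed sample traffic: ESP A->B, IKE B->A, cleartext telnet A->B,
# and ESP from A to a different manufacturer host.
SAMPLE_PACKETS = [
    Packet(SYSTEM_A, SYSTEM_B, ESP),
    Packet(SYSTEM_B, SYSTEM_A, UDP, 500, 500),
    Packet(SYSTEM_A, SYSTEM_B, 6, 40000, 23),
    Packet(SYSTEM_A, "198.51.100.30", ESP),
]

def audit(packets) -> list:
    return [firewall_decision(p) for p in packets]

if __name__ == "__main__":
    for p, d in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{p.src} -> {p.dst} proto {p.proto}: {d}")
```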
Application server in DMZ with back-end server
More enterprises are putting application servers in a demilitarized zone (DMZ)—that is, outside
corporate firewalls—for business partners or public access. Because inbound connections from the
Internet are allowed to these servers, they are vulnerable to attack. In many cases, the application
servers in the DMZ are configured as application gateways, or proxy servers, that open a second
HP-UX IPSec topologies 43