> -----Original Message-----
> From: Robinson, Eric [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 1 June 2000 12:39 AM
> To: '[EMAIL PROTECTED]'
> Subject: Where Should the VPN Server Go?
> 
> 
> Greetings! This is my first post to the firewalls mailing list.
> 
> I am about to install two Windows NT or Windows 2000 VPN servers for
> site-site communications and road-warrior access.
> 
> What is the conventional wisdom for the placement of these servers? Should
> they each go:
> 
> (1) Outside their respective firewalls?
> 
> (2) In the DMZ at each location?
> 
> (3) On the internal network at each location?
> 
> Each approach seems to have its own advantages and disadvantages.
> 
> --Eric
> 
> 

First up - Windows NT only allows PPTP as a VPN option. Windows 2000
supports PPTP but also allows IPSec - however IPSec requires client-side
support only found native in Win2K Professional at this time (although free
IPSec clients are available). IPSec is more secure than PPTP, which is
fairly bad from a crypto point of view.

I don't know if it's "conventional wisdom" but my suggestion is:

If it's a VPN Remote Access server, stick it in or at the edge of your
internal network. RAS users will want access to everything in the internal
network anyway, so if you put this box in the DMZ you need to give it pretty
much full access to the internal network anyway. I realise this sounds dumb,
but it's analogous to the way dial-in remote access servers are used now.
You MUST bear in mind that this (like normal dial-in) is a low security
posture. You really want to think about how strong your authentication
mechanism is, because that's all that's between you and calamity. Think
about using the CA services in Win2K to provide a reasonably strong
authentication method. Even better, if you're using a CA for some other
business strategy reason, think about also rolling out user certificates to
all RAS/VPN users.

If it's a site-to-site VPN, _please_ use IPSec if any sensitive traffic
traverses the link. Put the IPSec boxes at the border of the DMZ and the
internal network and make sure that you don't perform NAT at the edge router
(in other words, NAT (if you use NAT) on or before the VPN box).

Note that you may be able to perform both of these functions on the same
box.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
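The advice above about not performing NAT at the edge router (only on or before the VPN box) has a concrete reason: IPSec AH computes its integrity check value over the immutable IP header fields, including the source and destination addresses, so any device that rewrites those addresses after protection is applied invalidates the packet. The following Python model is an added illustration, not code from the original post or from any IPSec implementation; the addresses, key, payload and the three "NAT position" scenarios are all constructed, and AH is reduced to an HMAC over the packed addresses plus payload, truncated to 96 bits as AH does.

```python
"""Toy model of why NAT placed after an IPsec AH gateway breaks the tunnel.

Constructed example (not a real IPsec implementation): the AH ICV is
modelled as HMAC-SHA256 over the packed source/destination addresses plus
the payload, truncated to 96 bits.  A NAT device sitting *after* the VPN box
rewrites the source address but holds no key, so the receiver's recomputed
ICV no longer matches.  NAT applied *before* protection is harmless because
the ICV is computed over the already-translated address.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

# Constructed demo key and addresses; none of these are real.
KEY = b"constructed-demo-key-not-a-real-sa-key"
INTERNAL_SRC = "10.1.0.1"      # private address behind site A
PUBLIC_SRC = "198.51.100.7"    # site A's translated (public) address
REMOTE_VPN = "203.0.113.10"    # site B's VPN box
PAYLOAD = b"payroll batch 17"  # constructed sensitive payload


@dataclass(frozen=True)
class AhPacket:
    src: str        # immutable IP header field covered by the AH ICV
    dst: str        # also covered by the ICV
    payload: bytes  # protected upper-layer data
    icv: bytes      # integrity check value appended by the sender


def _ah_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # AH covers the addresses as 4-byte wire fields, not as text.
    hdr = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    full = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return full[:12]  # AH truncates the MAC to 96 bits


def ah_protect(key: bytes, src: str, dst: str, payload: bytes) -> AhPacket:
    """Sender-side VPN box: compute and attach the ICV."""
    return AhPacket(src, dst, payload, _ah_icv(key, src, dst, payload))


def ah_verify(key: bytes, pkt: AhPacket) -> bool:
    """Receiver-side VPN box: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(pkt.icv, _ah_icv(key, pkt.src, pkt.dst, pkt.payload))


def edge_router_nat(pkt: AhPacket, public_ip: str) -> AhPacket:
    """NAT performed *after* the VPN box: rewrites the address, cannot fix the ICV."""
    return replace(pkt, src=public_ip)


def deliver(nat_position: str, key: bytes = KEY) -> bool:
    """Simulate one site-to-site packet and return whether the far end accepts it.

    nat_position is one of:
      "none"        - no translation anywhere
      "before_vpn"  - translate on the internal side, then apply AH (recommended)
      "edge_router" - apply AH, then translate at the border router (breaks AH)
    """
    if nat_position == "none":
        pkt = ah_protect(key, INTERNAL_SRC, REMOTE_VPN, PAYLOAD)
    elif nat_position == "before_vpn":
        # Translation already happened when the VPN box sees the packet,
        # so the ICV covers the address that will actually be on the wire.
        pkt = ah_protect(key, PUBLIC_SRC, REMOTE_VPN, PAYLOAD)
    elif nat_position == "edge_router":
        pkt = edge_router_nat(ah_protect(key, INTERNAL_SRC, REMOTE_VPN, PAYLOAD), PUBLIC_SRC)
    else:
        raise ValueError(f"unknown NAT position: {nat_position!r}")
    return ah_verify(key, pkt)


if __name__ == "__main__":
    for position in ("none", "before_vpn", "edge_router"):
        print(f"NAT position {position:<12} -> accepted: {deliver(position)}")
```

Running the block prints that the "none" and "before_vpn" placements are accepted while "edge_router" is rejected, which is exactly the failure mode the post warns about: a site-to-site link that silently drops every protected packet because the border router is rewriting addresses the VPN box has already signed.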