If you want the dial-in users to access your private LAN, I'd go for the Outside with clients connecting via VPN (authenticated and encrypted). Set up a RADIUS server in the DMZ and open holes in your firewall to allow communications between the RAS and the RADIUS server (defaults are UDP 1615/1616 or 1812/1813 depending on RAS) and the VPN tunnels to the private zone. "Road warriors" must go through two levels of authentication before reaching your private LAN. This setup also works regardless of where the roamers are connecting from, dialing in or from anywhere on the Internet.
If they only need to access services in your DMZ, then the DMZ is the proper location. Installing it in your private zone is a major breach of security rules. Regardless of where you set up your RAS, you need to enable input filters that prevent dial-in users from accessing the box itself which is protected by the firewall.

George.

----- Original Message -----
From: "Laura A. Robinson" <[EMAIL PROTECTED]>
To: "Robinson, Eric R." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, March 25, 2002 11:48 PM
Subject: Re: RAS Server Location: Inside, Outside, or DMZ?

> DMZ.
>
> Laura
> ----- Original Message -----
> From: "Robinson, Eric R." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, March 25, 2002 3:48 PM
> Subject: RAS Server Location: Inside, Outside, or DMZ?
>
>
> > Our organization is about to deploy a dial-up RAS server. We have heard
> > noises that the location of the RAS server can pose subtle issues with
> > regard to security and functionality.
> >
> > Is there a good rule of thumb for situating the RAS server? It seems to me
> > that the following would be true:
> >
> > 1. Inside: Easy to deploy but a security liability.
> > 2. DMZ: Best position for security, but requires some one-time
> > firewalls configuration.
> > 3. Outside: Bad from all perspectives.
> >
> > However, maybe the answer is not so obvious. Hence this question.
> >
> > --
> > Eric Robinson
> > Network Analyst
> > State of Nevada DOT
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
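
An added example, not part of the original thread: a small first-match rule checker for the firewall holes George's reply describes (RAS outside, RADIUS server in the DMZ on UDP 1812/1813, dial-in clients reaching the private zone only through a VPN endpoint). All addresses, the VPN endpoint's placement and its use of UDP 500 are constructed assumptions; substitute the ports your RAS actually uses.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "udp", "tcp" or "any"
    port: Optional[int]    # destination port, None = any

# Constructed addressing (assumptions, not taken from the thread).
RAS = "198.51.100.10"        # RAS box, outside the firewall
DIALIN = "198.51.100.70"     # address handed to a dial-in client
RADIUS = "192.0.2.20"        # RADIUS server in the DMZ
VPN_GW = "192.0.2.30"        # VPN endpoint for the private zone (assumed)
PRIVATE_HOST = "10.0.0.5"    # host on the private LAN

RULES = [
    Rule("allow", RAS + "/32", RADIUS + "/32", "udp", 1812),   # authentication
    Rule("allow", RAS + "/32", RADIUS + "/32", "udp", 1813),   # accounting
    Rule("allow", "198.51.100.64/26", VPN_GW + "/32", "udp", 500),  # VPN setup (assumed IKE)
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),       # default deny
]

def decide(rules, src, dst, proto, port=None):
    """First-match evaluation; deny if no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "deny"

# Flows the described design should pass or block.
EXPECTED = [
    (RAS, RADIUS, "udp", 1812, "allow"),
    (RAS, RADIUS, "udp", 1813, "allow"),
    (DIALIN, VPN_GW, "udp", 500, "allow"),
    (DIALIN, PRIVATE_HOST, "tcp", 445, "deny"),   # no direct path to the LAN
    (DIALIN, RADIUS, "udp", 1812, "deny"),        # only the RAS talks RADIUS
    (RAS, PRIVATE_HOST, "tcp", 23, "deny"),       # RAS itself has no LAN access
]

def audit(rules):
    """Return the expected flows whose actual decision differs."""
    return [f for f in EXPECTED if decide(rules, *f[:4]) != f[4]]

if __name__ == "__main__":
    print(audit(RULES) or "ruleset matches the intended policy")
```
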
