You can have one interface on the public network and the other interface on the DMZ. Authenticated users' access must be enforced by the company firewall. But, of course, the VPN server must also be considered a firewall itself, with its own firewall capabilities.
There is another solution, which most people don't like, that is using one DMZ for the VPN server public interface and another DMZ for the VPN server private interface. If your firewall can't support two DMZs (either because it has no more available interfaces or due to a product limitation) you will have the possibility of colocating both DMZs on the same network segment/firewall NIC. In this case you will have to pay attention to addressing, routing and NATing in order to avoid security problems.

Alberto Cozer
Security Outsource Manager, Future Technologies Digital Security
IBM Certified AIX System Specialist
Checkpoint Certified Security Expert, CCSE NG
[EMAIL PROTECTED]
http://www.fti.com.br

Security Manager <sec_man1234@yahoo.com>
17/02/2003 14:29
To: [EMAIL PROTECTED]
cc:
Subject: DMZ and VPN

I've been following the thread on FTP servers in the DMZ with interest. I'm curious as to how it applies to a server providing VPN access using Win2k Server's Routing and Remote Access. Given that the VPN is supposed to give access to the private network to external clients (who can authenticate), how can you avoid having at least one interface on the local network? Surely the best you can do is have one interface on the private network, and the other in a DMZ (behind the firewall) - but you've still got the problem if the VPN provider is compromised! How do you solve that one?

TIA - SecMan.

*********************************************************
Future Technologies Seguranca Digital
This message is the responsibility of its author. Its contents do not necessarily reflect the opinion of the company.
*********************************************************
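As an added illustration of the reply's point that the company firewall, not the VPN server, must decide what authenticated users reach (constructed example code, not from the thread or from either poster's company), here is a small zone-based model of the two-DMZ placement. The addresses, the choice of PPTP (TCP/1723 plus GRE, one tunnel type Win2k RRAS offers) and the list of internal services are all assumptions; zones are keyed by address, so the policy also holds when both DMZs are colocated on one firewall NIC.

```python
import ipaddress

# Constructed example addressing; none of these values come from the thread.
ZONES = {
    "dmz_pub": ipaddress.ip_network("192.0.2.0/24"),      # VPN server public side
    "dmz_priv": ipaddress.ip_network("198.51.100.0/24"),  # VPN server private side
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
VPN_PUB, VPN_PRIV = "192.0.2.10", "198.51.100.10"
# Assumed tunnel protocol: PPTP (TCP/1723 for control, GRE for the tunnel).
VPN_PORTS = {("tcp", 1723), ("gre", None)}
# Services tunnelled users may reach; the firewall enforces this, not the VPN server.
INTERNAL_SERVICES = {("tcp", 25), ("tcp", 143)}


def zone_of(ip):
    """Zones are decided by address, so they survive colocating both DMZs on one segment."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")


def decide(flow):
    """Return 'allow' or 'deny' for a flow dict with keys src, dst, proto and dport."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    svc = (flow["proto"], flow.get("dport"))
    # 1. The Internet may only reach the VPN public interface, and only on the tunnel protocol.
    if src == "internet" and dst == "dmz_pub":
        return "allow" if flow["dst"] == VPN_PUB and svc in VPN_PORTS else "deny"
    # 2. Decapsulated user traffic enters only from the VPN private interface, to listed services.
    if src == "dmz_priv" and dst == "internal":
        return "allow" if flow["src"] == VPN_PRIV and svc in INTERNAL_SERVICES else "deny"
    # 3. Everything else (internet<->dmz_priv, dmz_pub->internal, dmz_priv->internet) is denied,
    #    so even a compromised VPN server cannot reach more than rule 2 allows.
    return "deny"
```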