Here is the solution I have been looking at for DMZ/VPN connections:
The real issue is that the VPN depending on how it is being used could
have different security implications. Here are the general guidelines I
work with--
Separate logically your security perimeters:
A: If I am allowing traveling or work-from-home VPN access, that
is handled on the main security perimeter-- i.e. a dedicated host in the
DMZ not running other services. Alternatively, the firewall itself
could have a VPN interface installed that could allow PPTP or IPSec to
be used to establish the connection (I prefer IPSec). While the
separate host is preferable, I generally feel that at least with IPSec,
as long as the firewall is not offering any other network services to
the public that require authentication (aside from secure administrative
interfaces, such as properly secured SSH), that it is probably
acceptable. Your business needs may vary.
B: If I am allowing branch offices to connect via a VPN, this can
be tricky, especially if there are NATs involved. My personal
preference is to have dedicated computers handling GRE, L2TP, or IP/IP
tunnels containing further IPSec tunnels which act as virtual routers
and firewalls and handle all the traffic between the offices. The
specific ports used can then be forwarded at the NAT back to the virtual
router without affecting the IPSec headers. The virtual routers should
not be running any other services except perhaps SSH or other secure
administrative interface.
Hope this helps,
Chris
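As an added illustration of the two guidelines above (a dedicated VPN host or virtual router that exposes nothing but IKE/NAT-T/L2TP and a secured SSH, plus the NAT forwarding needed for the branch-office case), here is a small Python audit script. It is example code written for this page, not something from Chris's post or from any particular VPN product. It assumes a socket listing in the shape of `ss -Hulnp`/`ss -Htlnp` output (the sample below is constructed, with made-up process names and pids), and the NAT rules it emits are plain iptables DNAT syntax for a hypothetical public interface `eth0` and virtual router address `10.0.1.2`.

```python
import re
from dataclasses import dataclass

# Which listeners each box is expected to expose, following the post's
# guideline that the VPN host (or branch virtual router) runs nothing else
# except a secured administrative interface such as SSH. IKE uses UDP 500,
# NAT traversal UDP 4500, L2TP UDP 1701; ESP (IP protocol 50) and GRE
# (protocol 47) have no port and so never appear in a socket listing.
ROLE_ALLOWLIST = {
    "remote-access-vpn": {("udp", 500), ("udp", 4500), ("tcp", 22)},
    "branch-virtual-router": {("udp", 500), ("udp", 4500), ("udp", 1701), ("tcp", 22)},
}

# Constructed sample in the shape of `ss -Hulnp` / `ss -Htlnp` output.
# Process names and pids are made up for the example, not captured from a host.
SAMPLE_SS_OUTPUT = """\
udp UNCONN 0 0   0.0.0.0:500   0.0.0.0:* users:(("charon",pid=812,fd=9))
udp UNCONN 0 0   0.0.0.0:4500  0.0.0.0:* users:(("charon",pid=812,fd=10))
udp UNCONN 0 0   0.0.0.0:53    0.0.0.0:* users:(("named",pid=640,fd=5))
tcp LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=501,fd=3))
tcp LISTEN 0 128 0.0.0.0:80    0.0.0.0:* users:(("httpd",pid=700,fd=4))
tcp LISTEN 0 128 127.0.0.1:25  0.0.0.0:* users:(("exim4",pid=722,fd=6))
"""

_PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        return self.addr in ("127.0.0.1", "[::1]", "::1")


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse ss-style lines into Listener records; blank or malformed lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def audit_listeners(listeners, role):
    """Return listeners that are not on the role's allowlist, most exposed first."""
    allowed = ROLE_ALLOWLIST[role]
    findings = [l for l in listeners if (l.proto, l.port) not in allowed]
    # Loopback-only listeners are unreachable from the DMZ but still break the
    # "no other services" rule, so they are reported after the exposed ones.
    return sorted(findings, key=lambda l: l.loopback_only)


def nat_forward_rules(public_if, router_ip):
    """iptables DNAT lines for the branch-office case: forward IKE, NAT-T and
    L2TP by port, and the port-less ESP/GRE protocols by protocol, to the
    virtual router so the IPSec headers themselves are left untouched."""
    rules = []
    for proto, port in (("udp", 500), ("udp", 4500), ("udp", 1701)):
        rules.append(f"iptables -t nat -A PREROUTING -i {public_if} -p {proto} "
                     f"--dport {port} -j DNAT --to-destination {router_ip}")
    for proto in ("esp", "gre"):
        rules.append(f"iptables -t nat -A PREROUTING -i {public_if} -p {proto} "
                     f"-j DNAT --to-destination {router_ip}")
    return rules


if __name__ == "__main__":
    for l in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), "remote-access-vpn"):
        where = "loopback only" if l.loopback_only else "EXPOSED"
        print(f"{where:14}{l.proto}/{l.port:<6}{l.process}")
    print("\n".join(nat_forward_rules("eth0", "10.0.1.2")))
```

Run against the constructed sample, the audit flags `named` on UDP 53 and `httpd` on TCP 80 as exposed extra services and `exim4` on TCP 25 as a loopback-only one; on a real host the same check is fed the live `ss` output. ESP and GRE are forwarded by protocol rather than port because they carry none, which is also why a NAT that only understands ports needs UDP 4500 (NAT-T) to pass IPSec at all.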