Home page logo
/

basics logo Security Basics mailing list archives

Re: DMZ and VPN
From: abretten () kroger com
Date: Tue, 18 Feb 2003 12:30:29 -0500


Put a firewall behind the VPN local interface and only allow access to the
resources you want people to have access to , through VPN.

I've even had to go as far as have seperate firewall rules for certain
groups of users to give more or less access.......I've used a VPN appliance
that gives out different ranges of ip addresses to different groups of
people and then write firewall rules based on those ip address ranges.

Andy Bretten



                                                                                                                        
               
                      Security Manager                                                                                  
               
                      <sec_man1234 () yaho        To:       security-basics () securityfocus com                        
                     
                      o.com>                   cc:                                                                      
               
                                               Subject:  DMZ and VPN                                                    
               
                      02/17/2003 12:29                                                                                  
               
                      PM                                                                                                
               
                                                                                                                        
               
                                                                                                                        
               




I've been following the thread on FTP servers in the DMZ with interest.
I'm curious as to how it applies to a server providing VPN access using
Win2k Server's Routing and Remote Access.

Given that the VPN is supposed to give access to the private network to
external clients (who can authenticate) how can you avoid having at
least one interface on the local network? Surely the best you can do is
have one interface on the private network, and the other in a DMZ
(behind the firewall) - but you've still the problem if the VPN provider
is compromised!

How do you solve that one?

TIA - SecMan.









  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault