Home page logo
/

basics logo Security Basics mailing list archives

Re: DMZ and VPN
From: Chris Travers <chris () travelamericas com>
Date: Tue, 18 Feb 2003 10:50:32 -0800

Here is the solution I have been looking at for DMZ/VPN connections:

The real issue is that the VPN depending on how it is being used could have different security implications. Here are the general guidelines I work with--

Separate logically your security perimeters:
A: If I am allowing traveling or work-from-home VPN access, that is handled on the main security perimeter-- i.e. a dedicated host in the DMZ not running other services. Alternatively, the firewall itself could have a VPN interface installed that could allow PPTP or IPSec to be used to establish the connection (I prefer IPSec). While the separate host is preferable, I generally feel that at least with IPSec, as long as the firewall is not offering any other network services to the public that require authentication (aside from secure administrative interfaces, such as properly secured SSH), that it is probably acceptible. Your business needs may vary. B: If I am allowing branch offices to connect via a VPN, this can be tricky, especially if there are NAT's involved. My personal preference is to have dedicated computers handling GRE, L2TP, or IP/IP tunnels containing further IPSec tunnels which act as virtual routers and firewalls and handle all the traffic between the offices. The specific ports used can then be forwarded at the NAT back to the virtual router without affecting the IPSec headers. The virtual routers should not be runnign any other services except perhaps SSH or other secure administrative interface.

Hope this helps,
Chris


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]