Home page logo

basics logo Security Basics mailing list archives

From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 18 Feb 2003 12:34:01 -0800

-----Original Message-----
From: Security Manager [mailto:sec_man1234 () yahoo com]

I've been following the thread on FTP servers in the DMZ with 
I'm curious as to how it applies to a server providing VPN 
access using 
Win2k Server's Routing and Remote Access.

Given that the VPN is supposed to give access to the private 
network to 
external clients (who can authenticate) how can you avoid having at 
least one interface on the local network? Surely the best you 
can do is 
have one interface on the private network, and the other in a DMZ 
(behind the firewall) - but you've still the problem if the 
VPN provider 
is compromised!

How do you solve that one?

  Nowhere is it written that the "private end" interface of the VPN
server must be (a) on the private network, or (b) on the same
private network as the rest of your internal LAN.

  Best practice seems to be to place the private end interface in
a DMZ, and have the firewall filter and log access between VPN clients 
and the internal network.
  The encrypted interface should also be in a DMZ, so that only VPN 
traffic can reach it.  But some firewalls don't allow for IP protocols
other than ICMP, TCP, and UDP, and if you're stuck with one of those 
then you may have to expose the encrypted interface of the VPN server
directly to the Internet.

David Gillett

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]