RE: [fw-wiz] VPN endpoints
From: anyluser (anyluser_at_yahoo.com)
Date: 08/25/04
- Previous message: Kevin Sheldrake: "Re: [fw-wiz] VPN endpoints"
- Maybe in reply to: hermit921: "[fw-wiz] VPN endpoints"
- Next in thread: Fetch, Brandon: "RE: [fw-wiz] VPN endpoints"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: hermit921@yahoo.com
Date: Wed, 25 Aug 2004 08:55:07 -0700 (PDT)
Generally speaking since you have no control over the
clients they should be treated as trusted but hostile.
Sounds like an oxymoron doesn’t it? It is!
On the one hand you have a service to provide. On the
other, when (not if) one client gets infected the VPN
connection will be an ingress for propagation within
your LAN. The name of the game becomes mitigation,
aka acceptable risk.
Your best bet (IMHO) would be to put the VPN endpoint
within your DMZ and then set up some rules that will
only allow the type of traffic that the clients need
to go from DMZ-LAN or DMZ-DMZ.
As a simplified example, if the users only need HTTP
access to an intranet, then port 80 would be the only
thing that traverses the DMZ to the server.
Everything else, NBT especially, would be denied.
In the same example you could even limit HTTP from the
VPN server to the Intranet server only, to secure
things even further.
The best thing you could do is to audit -exactly- what
the VPN users need and give them exactly that and nothing
more. Every port you open between your LAN and DMZ is
another ingress point for stuff that will make you
have to come in on weekends.
-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On
Behalf Of hermit921
Sent: Tuesday, August 24, 2004 12:37 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] VPN endpoints
We are planning to put a VPN endpoint at our site for
remote access. We know nothing about the remote
client computers, we just provide an authentication
mechanism for the users. The question concerns where
we put the VPN endpoint on our network.
I figure it this way: 2 VPN device interfaces, either
of which can go outside the firewall, on a DMZ, or
inside the firewall. That gives us 9 possible
arrangements, some of which are ridiculous, but fun to
consider. We came down to two configurations.
One approach is putting the internal interface on a
DMZ. The other approach is to have the VPN bypass the
firewall entirely. I am looking for advice on which
approach is better, and reasons why.
hermit921
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
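The DMZ-to-LAN policy the reply describes (only HTTP from the VPN server to the one intranet server, NBT explicitly denied, everything else dropped), written up as an iptables script. This is an added example, not from the thread; interface names and addresses are assumed placeholders, and the script prints the rules by default rather than applying them.

```shell
#!/bin/sh
# Added example: FORWARD policy on the firewall sitting between the DMZ
# (where the VPN endpoint lives) and the LAN. Dry run by default: IPT is
# "echo iptables" so the rules are printed; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
DMZ_IF="${DMZ_IF:-eth1}"                  # firewall interface facing the DMZ (assumed)
LAN_IF="${LAN_IF:-eth2}"                  # firewall interface facing the LAN (assumed)
VPN_SERVER="${VPN_SERVER:-192.0.2.10}"    # VPN endpoint's DMZ-side address (placeholder)
INTRANET="${INTRANET:-198.51.100.20}"     # intranet web server on the LAN (placeholder)

build_rules() {
    # Default deny for anything the firewall forwards between zones.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies belonging to connections already permitted below.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Log and drop NBT/SMB by name so worm traffic from an infected VPN
    # client is visible in the logs instead of silently hitting the policy.
    for p in 137 138; do
        $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p udp --dport "$p" -j LOG --log-prefix "DMZ-NBT "
        $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p udp --dport "$p" -j DROP
    done
    for p in 139 445; do
        $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp --dport "$p" -j LOG --log-prefix "DMZ-NBT "
        $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -p tcp --dport "$p" -j DROP
    done
    # The single permitted DMZ->LAN flow: new HTTP connections from the
    # VPN server itself to the one intranet server. Nothing else, and no
    # other LAN destination, is reachable from the VPN side.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$VPN_SERVER" -d "$INTRANET" \
        -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else falls through to the DROP policy.
}

build_rules
```

Every port you add later goes in as another explicit `-s`/`-d`/`--dport` line rather than a loosening of the default, which keeps the "audit exactly what they need" discipline visible in the ruleset itself.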