Re: DMZ and VPN

From: Chris Travers (chris@travelamericas.com)
Date: 02/18/03

Date: Tue, 18 Feb 2003 10:50:32 -0800
From: Chris Travers <chris@travelamericas.com>
To: abretten@kroger.com

Here is the solution I have been looking at for DMZ/VPN connections:

The real issue is that the VPN, depending on how it is being used, could
have different security implications. Here are the general guidelines I
work with--

Separate logically your security perimeters:

  A: If I am allowing traveling or work-from-home VPN access, that
  is handled on the main security perimeter-- i.e. a dedicated host in the
  DMZ not running other services. Alternatively, the firewall itself
  could have a VPN interface installed that could allow PPTP or IPSec to
  be used to establish the connection (I prefer IPSec). While the
  separate host is preferable, I generally feel that at least with IPSec,
  as long as the firewall is not offering any other network services to
  the public that require authentication (aside from secure administrative
  interfaces, such as properly secured SSH), it is probably
  acceptable. Your business needs may vary.

  B: If I am allowing branch offices to connect via a VPN, this can
  be tricky, especially if there are NATs involved. My personal
  preference is to have dedicated computers handling GRE, L2TP, or IP/IP
  tunnels containing further IPSec tunnels which act as virtual routers
  and firewalls and handle all the traffic between the offices. The
  specific ports used can then be forwarded at the NAT back to the virtual
  router without affecting the IPSec headers. The virtual routers should
  not be running any other services except perhaps SSH or other secure
  administrative interface.

Hope this helps,
Chris
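The "dedicated host not running other services" rule in both A and B is easy to state and easy to drift away from. The following is an added example (not from the original post) of a small audit that parses `ss -lntu`-style socket listings and flags anything beyond IPsec (IKE on UDP 500, NAT-T on UDP 4500) and an SSH admin interface; the `virtual-router` role, which also permits L2TP on UDP 1701, and the sample socket listing are constructed assumptions.

```python
from typing import List, Tuple

# Sockets a dedicated VPN host may expose, per the post's guideline:
# IPsec (IKE and NAT-Traversal) plus a secured SSH admin interface.
# The L2TP entry for the branch-office "virtual router" role is an
# assumption based on the post's mention of L2TP-over-IPsec tunnels.
ALLOWED_SOCKETS = {
    "vpn-gateway": {("udp", 500), ("udp", 4500), ("tcp", 22)},
    "virtual-router": {("udp", 500), ("udp", 4500), ("udp", 1701), ("tcp", 22)},
}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Parse `ss -lntu` style output into (proto, local_addr, port) tuples."""
    sockets = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # handles [::]:22 and 0.0.0.0:22
        sockets.append((proto, addr, int(port)))
    return sockets


def audit(role: str, ss_output: str) -> List[str]:
    """Return one finding per socket that breaks the dedicated-host rule."""
    allowed = ALLOWED_SOCKETS[role]
    findings = []
    for proto, addr, port in parse_ss(ss_output):
        if (proto, port) not in allowed:
            findings.append(f"{proto}/{port} on {addr}: not a VPN or admin service")
        elif (proto, port) == ("tcp", 22) and addr in WILDCARD_ADDRS:
            # "Properly secured SSH": bind it to the admin network, not everywhere.
            findings.append(f"tcp/22 on {addr}: SSH exposed on all interfaces")
    return findings


# Constructed sample listing: a gateway that has quietly grown a web and DB port.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:500         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:4500        0.0.0.0:*
tcp   LISTEN 0      128    10.0.0.2:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128    [::]:3306           [::]:*
"""

if __name__ == "__main__":
    for finding in audit("vpn-gateway", SAMPLE_SS):
        print(finding)
```

Run it against the real output of `ss -lntu` on the gateway; an empty result means the host still matches the role it was built for.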
