Where does the VPN server go?

Thread: Where does the VPN server go?

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027

    Where does the VPN server go?

    Assuming a common network topology consisting of a 3-legged firewall with internal network and DMZ, where would a VPN server be commonly placed? (VPN for remote users, not site-to-site)
    -ON the firewall?
    -behind firewall on the internal network?
    -behind firewall in the DMZ?

    What kind of authentication is commonly used with users?

    Could/should vpn auth be integrated with internal network's DCs (W2k pdc for example (with kerberos?))

    Thanx

    Ammo

  2. #2
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    Well, my thoughts are that the VPN server should be in the DMZ. And yes, auth should be through a Domain Controller on the internal network through secured (IPSEC?) communications. Need to be careful to properly set the authentication and access controls from that server. If it gets compromised you don't want free rein of the Active Directory (assuming this is Win2k), or sensitive servers, so you have to be careful about your implementation.

    Just my 2 cents.

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    But if I set the VPN server in the DMZ, won't I have to pipe a huge hole between the DMZ and internal for remote access users to have access to the internal servers (which is the main purpose of having a VPN)...?

    Ammo
    Credit travels up, blame travels down -- The Boss

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    I'd place the VPN gateway at the firewall. Good firewalls may have their own VPN clients, but assuming a standard VPN the firewall uses information from the authentication based upon its rules, and access between the domain controller authentication access control on a secure internal connect, each checking the other's rules.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  5. #5
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    The best way that you are going to get it is if you use IPSec tunneling between the VPN and the internal network so that it can properly route requests. If you put it on the firewall, then you'll have the same problem and one more "zone" to worry about. If you put it on the internal network you get people trying to compromise it all the time, not to mention that you are basically giving anyone a free ticket to bypassing the firewall.

    At one place, they actually used SOAP and XML to pass requests from VPN users to the internal network. There are lots of messed up ways you can do it, but the bottom line is putting the VPN in the DMZ is probably your best bet.

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me
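    The "huge hole" raised in #3 and the DMZ-to-internal tunnel suggested in #5 come down to how narrow the firewall rules between the VPN address pool and the internal network are. The following is an added illustration, not code from anyone in the thread: a small first-match policy model for the 3-legged topology, with constructed RFC 5737/RFC 1918 addresses and a single domain controller as the only internal destination remote users may reach. The audit function lists exactly what the DMZ-side "hole" consists of.

```python
import ipaddress

Net = ipaddress.ip_network

# Constructed topology (placeholders, not from the thread).
VPN_PUBLIC = Net("192.0.2.10/32")   # outside address of the VPN server in the DMZ
VPN_POOL = Net("10.10.0.0/24")      # addresses handed to remote users inside the tunnel
DMZ = Net("172.16.0.0/24")          # other DMZ hosts (web, mail)
INTERNAL = Net("10.0.0.0/16")       # internal network
DC = Net("10.0.1.5/32")             # the Win2k domain controller used for auth
ANY = Net("0.0.0.0/0")

# (src, dst, proto, dst_port or None, action); first match wins, default deny.
POLICY = [
    # From the Internet, only the tunnel protocols may reach the VPN server.
    (ANY, VPN_PUBLIC, "udp", 500, "allow"),    # IKE
    (ANY, VPN_PUBLIC, "udp", 4500, "allow"),   # IKE/ESP over NAT-T
    (ANY, VPN_PUBLIC, "esp", None, "allow"),   # IPsec ESP
    # The DMZ -> internal "hole": only what authenticated remote users need.
    (VPN_POOL, DC, "udp", 88, "allow"),        # Kerberos
    (VPN_POOL, DC, "tcp", 88, "allow"),
    (VPN_POOL, DC, "tcp", 389, "allow"),       # LDAP
    (VPN_POOL, DC, "udp", 53, "allow"),        # DNS
    # Everything else from the DMZ or the VPN pool into the internal net stays closed.
    (DMZ, INTERNAL, "any", None, "deny"),
    (VPN_POOL, INTERNAL, "any", None, "deny"),
]


def evaluate(src, dst, proto, port=None):
    """Return 'allow' or 'deny' for one flow; first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_proto, r_port, action in POLICY:
        if s in r_src and d in r_dst and r_proto in ("any", proto) \
                and r_port in (None, port):
            return action
    return "deny"  # implicit deny at the end of the rule base


def vpn_hole():
    """List the (dst, proto, port) tuples the VPN pool may reach inside.

    This is the whole DMZ -> internal exposure created by the remote-access
    VPN; anything not in this list is dropped by the firewall.
    """
    return [(str(d), p, port) for s, d, p, port, a in POLICY
            if a == "allow" and s == VPN_POOL and d.subnet_of(INTERNAL)]
```

Run `vpn_hole()` after any rule change to see whether the exposure grew beyond the DC's auth ports.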

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    What if both PPP and IPSec are required at the firewall and contained there? Is this not the same as a DMZ placed at the firewall?
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  7. #7
    Senior Member
    Join Date
    Jul 2001
    Posts
    143
    It most certainly is. There isn't any real benefit or detriment I can think of for placing it in a DMZ vs. at the firewall. I mean when it is at the firewall it is basically its own DMZ. I'm just used to piling all the servers that touch the Internet into the DMZ and controlling access from the DMZ to the internal network through firewall rules.

    Either way, same difference. Still going to have to deal with secure access from authenticated VPN users to the intranet through the firewall. Depends on how ammo wants to manage them, and what his preference is.

    Palemoon: are there any particular reasons to not have it on the DMZ (I'm just curious, for my own benefit here)?

    Regards,
    Wizeman
    "It's only arrogance if you can't back it up, otherwise it is confidence." - Me

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Well I define my DMZ a different way I suppose matter of networks. Me my DMZ the web connects are hosted (web site, ftp) that way security is their issue there to a large extent and we pay them for that, I manage what my ISP allows (my buck the ball$ in their court). Only outside connects I have are outgoing on web browsing, and in and out email. so my DMZ to internal services are at the firewall rules. Face it most small business as in under 500 people cannot devote an IT dept of 24/7. So knowing the business I support most bang for the buck and no need usually for 24/7 unless the firewall shows some real activity. Old trick while they attempt to hack through the web site the real network is not there....oh they went that way >>---------> LOL
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  9. #9
    Fastest Thing Alive (s0nIc)
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    simple.. behind the VPN firewall..

    NOTE: VPN networks have specific VPN firewalls that support their encryption protocols.. and it is a standard security rule that the server SHOULD be behind the firewall..

  10. #10
    Member
    Join Date
    Jun 2002
    Posts
    44

    Re: Where does the VPN server go?

    Ammo,

    Let me give you the CORRECT answer with regards to this. If you want to have a VPN for remote users it should either sit directly ON the firewall or exactly in parallel with the firewall. The VPN should have an outside live IP address, and in order for you to ever be able to pass through this VPN server you must be able to authenticate through it. So say you are using a PIX firewall and a Cisco VPN Concentrator: you would have your core router connected to the Internet, then a switch between your router, the VPN concentrator and PIX firewall. Both the firewall and VPN server have a live IP address. If you are going to have a high number of users authenticating to your VPN server and have a nice pocket of $$$, check out the Cisco VPN concentrators; they are very simple to set up and excellent.
    http://cisco.com/warp/public/44/jump/vpn_devices.shtml
    They come with a software package which you load on the computers and acts as the vpn client.
    No reason to add the VPN server to the DMZ. It's just causing a crap load of added traffic to your DMZ, causing possible collisions to important traffic going to your servers. Unless you want to overkill your DMZ and go gigabit..
    You don't want to put the VPN server behind your firewall. As you said, it opens up a nice hole within your firewall.


    Regards,
    Os1LaYr5
