Printable View
Assuming a common network topology consiting of a 3 legged firewall with internal network and DMZ, where would a vpn server be commonly placed? (VPN for remote users, not site-to-site)
-ON the firewall?
-behind firewall on the internal network?
-behind firewall in the DMZ?
What kind of authentication is commonly used with users?
Could/should vpn auth be integrated with internal network's DCs (W2k pdc for example (with kerberos?))
Thanx
Ammo
Well, my thoughts are that the VPN server should be in the DMZ. And yes auth should be through a Domain Controller on the internal network through secured (IPSEC?)communications. Need to be careful to properly set the authentication and access controls from that server. If it gets compromised you don't want free reign of the Active Directory (assuming this is Win2k), or sensitive servers, so you have to be careful about your implementation.
Just my 2 cents.
Regards,
Wizeman
But if I set the vpn server in the dmz, won't I have to pipe a huge hole between the dmz and internal for remote access users to have access to the internal servers (which is the main purpose of having a vpn)...?
Ammo
I'd place the VPN gateway at the firewall good fiewwalls may have their own VPN clients, but assuming a standard VPN the firewall uses information from the authentication based upon it's rules and access between the domain controller authenication access control on a secure internal connect each checking the others rules.
The best way that you are going to get it is if you IPSec tunneling between the VPN and the internal network so that it can properly route requests. If you put it on the firewall, then you'll have the same problem and one more "zone" to worry about. If you put it on the internal network you get people trying to compromise it all the time, not to mention that you are basically giving anyone a free ticket to bypassing the firewall.
At one place, they actually used SOAP and XML to pass requests from VPN users to the internal network. There are lots of messed up ways you can do it, but the bottom line is putting the VPN in the DMZ is probably your best bet.
REgards,
Wizeman
What if both PPP and IPSec are required at the firewall and contained there? Is this not the same as a DMZ placed at the firewall?
It most certainly is. There isn't any real benefit or detriment I can think of for placing it in a DMZ vs. at the firewall. I mean when it is at the firewall it is basically its own DMZ. I'm just used to piling all the servers that touch the internet into the DMZ and controling access from the DMZ to internal network through firewall rules.
Either way, same difference. Still going ot have to deal with secure access from authenticated VPN users to the intranet through the firewall. Depends on how ammo wants to manage them, and what his preference is.
Palemoon: are there any particular reasons to not have it on the DMZ (I'm just curious, for my own benefit here)?
Regards,
Wizeman
Well I define my DMZ a different way I suppose matter of networks. Me my DMZ the web connects are hosted (web site, ftp) that way security is their issue there to a large extent and we pay them for that, I manage what my ISP allows (my buck the ball$ in their court). Only outside connects I have are outgoing on web browsing, and in and out email. so my DMZ to internal services are at the firewall rules. Face it most small business as in under 500 people cannot devote an IT dept of 24/7. So knowing the business I support most bang for the buck and no need usually for 24/7 unless the firewall shows some real activity. Old trick while they attempt to hack through the web site the real network is not there....oh they went that way >>---------> LOL
simple.. behind the VPN firewall.. ;)
NOTE: VPN networks have specific VPN firewalls that supports their encryption protocols.. and it is a standard security rule that the server SHOULD be behind the firewall..
Ammo,
Let me give you the CORRECT answer with regards to this. If you want to have a VPN for remote users it should either sit directly ON the Firewall or exactly in parallel with the Firewall. The VPN should have an outside live ip address and in order for you to ever be able to pass through this VPN Server you must be able to authenticate through it. So say you are using a PIX firewall and a Cisco VPN Concentrator, you would have your Core Router connected to the internet, then a switch between your router, the vpn concentrator and pix firewall. both the firewall and vpn server have a live ip address. If you are going to have a high number of users authenticating to your vpn server and have a nice pocket of $$$, check out the cisco vpn concentrators, they are very simple to setup and excellent.
http://cisco.com/warp/public/44/jump/vpn_devices.shtml
They come with a software package which you load on the computers and acts as the vpn client.
No reason to add the VPN Server to the DMZ. Its just causing a crap load of added traffic to your dmz causing possible collisions to important traffic going to your servers. Unless you want to over kill your dmz and go gigabit.. :D
You dont want to put the vpn server behind your firewall. as you said, it opens up a nice hole within your firewall.
Regards,
Well, the VPN server SHOULD NOT sit parallel to the firewall - that gives you two hosts to worry about people attacking in order to get in to your LAN.
Ideally, you'd want the VPN server off in an isolated corner of your DMZ, on a switch. At the very least, you'd want to limit the places where authenticated VPN users could then bounce off that server and through your firewall (ie. they wouldn't hace full access to your internal LAN, but just to the stuff they might need - things that would probably require further sorts of authentication to get to, actually).
You should think of the VPN server as simply a "secure pipe" that allows your corporate information to traverse the Internet without being susceptible to real-time snooping. However, the traffic from the VPN server is still somewhat untrusted and needs to be suitably screened. Placing it inside or alongside the firewall implies that it would have unrestricted access internal to your LAN and, I'd guess, that's not what you'd want (especially considering that there's at least one port that's going to have to be pretty wide-open to the Internet).
Also, I'd give thought to backend'ing the VPN server to come through a separate port on the firewall, across a private link (so someone couldn't spoof the "semi-trusted IP" to get through your firewall without going through the VPN server).
Hope that helps...
Let me redefine my answer. The VPN Server can sit anywhere on your network with regards to your Firewall. In front, behind, on, or in parallel. It all depends on the way your network is designed and how you would like to add the vpn server into your network. It also depends on how many Simultaneous Users you will have on the vpn server. If your dmz has multiple high traffic servers then you decide that you want 1000 ppl to connect to your vpn, you are going to cause problems with collisions or response times. If your only going to have 100 or so VPN users then the DMZ would be a good place to add your vpn server. If you dont have a DMZ and dont want your server sitting outside the firewall, then you will need to add it behind the firewall, yet you will have to open the appropriate ports on the firewall for IPSec to negotiate. Some VPN Servers have slots which you can add T1 cards and place them directly next to the core router that way you arent consuming internet, dmz traffic on your Core I-Net connection.
So again, it all depends on how your current network is layed out and where it would fit most appropriately and it would also be recommended to check with the VPN Server manufacturer to where they recommend their VPN Server on your network. Your only main concern should be that you do not want your internal network and the outside interface network on the VPN server to be on the same VLAN.
With my experience adding a Cisco VPN Concentrator parallel to the Firewall, I have never encountered a problem.
All taken into account, I guess the optimal setup would be to add a fourth leg to the firewall and have second DMZ for the VPN server to sit in alone...
Thanx for all the input everyone...
Ammo
Yes... and I sit in any seat in a plane, too... depending if I'm flying it from the pilot's seat, assisting from the copilot's seat, or just going along for the ride. Point is, yeah, there are a few places to put it, but only a few of them are advised if I want the thing to fly. Likewise, with a VPN server, there's only a few places to put it on the network if you want your network to be secure.Quote:
Originally posted here by os1
Let me redefine my answer. The VPN Server can sit anywhere on your network with regards to your Firewall. In front, behind, on, or in parallel. It all depends on the way your network is designed and how you would like to add the vpn server into your network.
Similiarly, there's a few different places for a firewall or a network based IDS box... it depends on what you want to accomplish, how things are setup and, well, how much you know (or how paranoid you are, etc).
So, for things like VPN servers and the like, people tend to get in a bit of a holy war. To me, it all comes down to "how much do you trust it" and how much risk you think is involved... if it's risky to have it inside your firewall or open up the hole for it, you can be darned sure it's going to at least be on a DMZ, preferably on its own network segment... perhaps even on its own network with a few screens and/or firewalls sitting around it (and yes, I've firewalled a SINGLE box before).
Ummm... this is a completely separate issue and I'll leave it at the idea that it doesn't have much to do with placement, though it might have a bit to do with how you want to segregate your network segments.Quote:
It also depends on how many Simultaneous Users you will have on the vpn server. If your dmz has multiple high traffic servers then you decide that you want 1000 ppl to connect to your vpn, you are going to cause problems with collisions or response times. If your only going to have 100 or so VPN users then the DMZ would be a good place to add your vpn server. If you dont have a DMZ and dont want your server sitting outside the firewall, then you will need to add it behind the firewall, yet you will have to open the appropriate ports on the firewall for IPSec to negotiate. Some VPN Servers have slots which you can add T1 cards and place them directly next to the core router that way you arent consuming internet, dmz traffic on your Core I-Net connection.
My experience seems to be that most VPN vendors don't have much of a clue as to placement of the server - as I've said, it tends to be a bit of a holy war, to a point.Quote:
So again, it all depends on how your current network is layed out and where it would fit most appropriately and it would also be recommended to check with the VPN Server manufacturer to where they recommend their VPN Server on your network. Your only main concern should be that you do not want your internal network and the outside interface network on the VPN server to be on the same VLAN.
With my experience adding a Cisco VPN Concentrator parallel to the Firewall, I have never encountered a problem.
And, if you don't want the "outside" interface to be on the same network as your internal net, then... wouldn't that be outside the firewall?
Really, I'm imagining this all as "fairly simple."
To me, that says "small network with a couple hosts on the DMZ (www, ftp, ns, etc) and a firewall that segregates the Internet from both the DMZ and LAN, and the LAN and DMZ from each other." I'm not imaging some hugely complicated network with multiple VLANs, a load balanced or clustered firewall system with fully redundant links to the Internet" or anything even that simple.Quote:
Assuming a common network topology consiting of a 3 legged firewall with internal network and DMZ, where would a vpn server be commonly placed? (VPN for remote users, not site-to-site)
So, to directly answer the question: the best and safest/most secure location for your VPN server is probably going to be on the DMZ, behind the firewall - that would be where I'd put pretty much any server that has any sort of connectivity inbound from the Internet... one of the old basics/premises of network security: "Thou shalt host no direct connections from the Internet in to the corporate LAN." (or something like that, anyhow)
And, if you don't want the "outside" interface to be on the same network as your internal net, then... wouldn't that be outside the firewall?
Really, I'm imagining this all as "fairly simple."
-
Actually I was just stating that if he adds the VPN Server to the DMZ or anywhere for that matter, that he does not place his outside interface of the Server on the same Vlan as the inside interface of the Server.
Im sure we could have hours of arguments as to where or how the VPN Server should be installed, but then again who cares? were basically both right, just different views. Certain manufacturers have their server designed to work at different locations, and I agree on a security to the device level that the dmz is appropriate...but then again....really how secure is the dmz?
-
Ironically enough... the servers on my DMZ tend to be more secure than the systems on my LANs... well, I'm a lot more meticulous with hardening them and sandboxing everything, etc