June 17th, 2002, 11:33 PM
#11
Well, the VPN server SHOULD NOT sit parallel to the firewall - that gives you two hosts to worry about people attacking in order to get into your LAN.
Ideally, you'd want the VPN server off in an isolated corner of your DMZ, on a switch. At the very least, you'd want to limit the places where authenticated VPN users could then bounce off that server and through your firewall (i.e. they wouldn't have full access to your internal LAN, but just to the stuff they might need - things that would probably require further sorts of authentication to get to, actually).
You should think of the VPN server as simply a "secure pipe" that allows your corporate information to traverse the Internet without being susceptible to real-time snooping. However, the traffic from the VPN server is still somewhat untrusted and needs to be suitably screened. Placing it inside or alongside the firewall implies that it would have unrestricted access internal to your LAN and, I'd guess, that's not what you'd want (especially considering that there's at least one port that's going to have to be pretty wide-open to the Internet).
Also, I'd give thought to backend'ing the VPN server to come through a separate port on the firewall, across a private link (so someone couldn't spoof the "semi-trusted IP" to get through your firewall without going through the VPN server).
Hope that helps...
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
-
June 18th, 2002, 12:05 AM
#12
Let me redefine my answer. The VPN Server can sit anywhere on your network with regards to your Firewall. In front, behind, on, or in parallel. It all depends on the way your network is designed and how you would like to add the VPN server into your network. It also depends on how many simultaneous users you will have on the VPN server. If your DMZ has multiple high-traffic servers and then you decide that you want 1000 people to connect to your VPN, you are going to cause problems with collisions or response times. If you're only going to have 100 or so VPN users then the DMZ would be a good place to add your VPN server. If you don't have a DMZ and don't want your server sitting outside the firewall, then you will need to add it behind the firewall, yet you will have to open the appropriate ports on the firewall for IPSec to negotiate. Some VPN Servers have slots in which you can add T1 cards and place them directly next to the core router; that way you aren't consuming Internet/DMZ traffic on your core Internet connection.
So again, it all depends on how your current network is laid out and where it would fit most appropriately, and it would also be recommended to check with the VPN Server manufacturer as to where they recommend placing their VPN Server on your network. Your only main concern should be that you do not want your internal network and the outside interface network on the VPN server to be on the same VLAN.
With my experience adding a Cisco VPN Concentrator parallel to the Firewall, I have never encountered a problem.
-
June 18th, 2002, 12:08 AM
#13
All taken into account, I guess the optimal setup would be to add a fourth leg to the firewall and have second DMZ for the VPN server to sit in alone...
Thanks for all the input everyone...
Ammo
Credit travels up, blame travels down -- The Boss
-
June 18th, 2002, 12:41 AM
#14
Originally posted here by os1
Let me redefine my answer. The VPN Server can sit anywhere on your network with regards to your Firewall. In front, behind, on, or in parallel. It all depends on the way your network is designed and how you would like to add the VPN server into your network.
Yes... and I sit in any seat in a plane, too... depending if I'm flying it from the pilot's seat, assisting from the copilot's seat, or just going along for the ride. Point is, yeah, there are a few places to put it, but only a few of them are advised if I want the thing to fly. Likewise, with a VPN server, there's only a few places to put it on the network if you want your network to be secure.
Similarly, there are a few different places for a firewall or a network-based IDS box... it depends on what you want to accomplish, how things are set up and, well, how much you know (or how paranoid you are, etc).
So, for things like VPN servers and the like, people tend to get in a bit of a holy war. To me, it all comes down to "how much do you trust it" and how much risk you think is involved... if it's risky to have it inside your firewall or open up the hole for it, you can be darned sure it's going to at least be on a DMZ, preferably on its own network segment... perhaps even on its own network with a few screens and/or firewalls sitting around it (and yes, I've firewalled a SINGLE box before).
It also depends on how many simultaneous users you will have on the VPN server. If your DMZ has multiple high-traffic servers and then you decide that you want 1000 people to connect to your VPN, you are going to cause problems with collisions or response times. If you're only going to have 100 or so VPN users then the DMZ would be a good place to add your VPN server. If you don't have a DMZ and don't want your server sitting outside the firewall, then you will need to add it behind the firewall, yet you will have to open the appropriate ports on the firewall for IPSec to negotiate. Some VPN Servers have slots in which you can add T1 cards and place them directly next to the core router; that way you aren't consuming Internet/DMZ traffic on your core Internet connection.
Ummm... this is a completely separate issue and I'll leave it at the idea that it doesn't have much to do with placement, though it might have a bit to do with how you want to segregate your network segments.
So again, it all depends on how your current network is laid out and where it would fit most appropriately, and it would also be recommended to check with the VPN Server manufacturer as to where they recommend placing their VPN Server on your network. Your only main concern should be that you do not want your internal network and the outside interface network on the VPN server to be on the same VLAN.
With my experience adding a Cisco VPN Concentrator parallel to the Firewall, I have never encountered a problem.
My experience seems to be that most VPN vendors don't have much of a clue as to placement of the server - as I've said, it tends to be a bit of a holy war, to a point.
And, if you don't want the "outside" interface to be on the same network as your internal net, then... wouldn't that be outside the firewall?
Really, I'm imagining this all as "fairly simple."
Assuming a common network topology consisting of a 3-legged firewall with internal network and DMZ, where would a VPN server be commonly placed? (VPN for remote users, not site-to-site)
To me, that says "small network with a couple of hosts on the DMZ (www, ftp, ns, etc) and a firewall that segregates the Internet from both the DMZ and LAN, and the LAN and DMZ from each other." I'm not imagining "some hugely complicated network with multiple VLANs, a load-balanced or clustered firewall system with fully redundant links to the Internet" or anything even that simple.
So, to directly answer the question: the best and safest/most secure location for your VPN server is probably going to be on the DMZ, behind the firewall - that would be where I'd put pretty much any server that has any sort of connectivity inbound from the Internet... one of the old basics/premises of network security: "Thou shalt host no direct connections from the Internet in to the corporate LAN." (or something like that, anyhow)
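As an added worked example (not code from this thread or from any VPN vendor), here is a small Python model of the layout posts #11 and #14 argue for: a firewall with an Internet leg, a LAN leg, the ordinary DMZ, and a fourth leg holding only the VPN server. Every interface name, address range, host and service in it is an assumption constructed for the example. It evaluates the first packet of a new flow against a first-match rule set with a per-leg anti-spoof check, so that from the Internet only IKE (UDP 500) and ESP reach the VPN server, the decrypted remote-user traffic coming back off the VPN leg reaches only the LAN services it needs, a packet arriving on the Internet leg with a VPN-pool source is dropped as spoofed (the point made about the private link), and nothing from the Internet opens a flow straight into the LAN.

```python
"""Zone-based packet-filter model: 3-legged firewall plus a fourth leg for the VPN server.
Added example for this thread; all addressing below is constructed, not a real deployment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing (assumption): one leg per zone.
EXPECTED_SOURCES = {
    "eth0": [],                                                   # Internet leg: see spoofed()
    "eth1": [ip_network("10.1.0.0/24")],                          # LAN
    "eth2": [ip_network("10.2.0.0/24")],                          # DMZ: www, ftp, ns
    "eth3": [ip_network("10.3.0.0/24"), ip_network("10.3.1.0/24")],  # VPN leg + VPN client pool
}
INTERNAL_NETS = [n for nets in EXPECTED_SOURCES.values() for n in nets]
VPN_SERVER = "10.3.0.10"       # concentrator's address on the private leg (assumed)
VPN_POOL = "10.3.1.0/24"       # addresses handed to remote users (assumed)
LAN_FILE_SERVER = "10.1.0.20"  # the one LAN service remote users need (assumed)


@dataclass(frozen=True)
class Packet:
    in_if: str                  # interface the packet arrived on
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    dport: Optional[int] = None  # None for esp


@dataclass(frozen=True)
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    comment: str
    in_if: Optional[str] = None  # None matches any value
    src: Optional[str] = None    # CIDR
    dst: Optional[str] = None    # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# First match wins; anything unmatched is dropped. Only NEW flows are modelled.
POLICY: List[Rule] = [
    # Internet -> VPN leg: just the IPsec control and data channels, nothing else.
    Rule("ACCEPT", "IKE to VPN server", in_if="eth0", dst=f"{VPN_SERVER}/32", proto="udp", dport=500),
    Rule("ACCEPT", "ESP to VPN server", in_if="eth0", dst=f"{VPN_SERVER}/32", proto="esp"),
    # Internet -> ordinary DMZ hosts.
    Rule("ACCEPT", "HTTP to DMZ www", in_if="eth0", dst="10.2.0.80/32", proto="tcp", dport=80),
    Rule("ACCEPT", "DNS to DMZ ns", in_if="eth0", dst="10.2.0.53/32", proto="udp", dport=53),
    # VPN leg -> LAN: decrypted remote-user traffic is semi-trusted and screened
    # like any other source; only the service remote users actually need.
    Rule("ACCEPT", "VPN users to file server", in_if="eth3", src=VPN_POOL,
         dst=f"{LAN_FILE_SERVER}/32", proto="tcp", dport=445),
    # LAN -> anywhere: outbound from the trusted side.
    Rule("ACCEPT", "LAN outbound", in_if="eth1", src="10.1.0.0/24"),
]


def spoofed(p: Packet) -> bool:
    """Anti-spoof: a source address must arrive on the leg it belongs to."""
    src = ip_address(p.src)
    if p.in_if == "eth0":
        # On the Internet leg, any internal or VPN-pool source is a forgery.
        return any(src in n for n in INTERNAL_NETS)
    return not any(src in n for n in EXPECTED_SOURCES[p.in_if])


def evaluate(p: Packet) -> Tuple[str, str]:
    """Decision for the first packet of a new flow: (action, reason)."""
    if p.in_if not in EXPECTED_SOURCES:
        return "DROP", "unknown interface"
    if spoofed(p):
        return "DROP", f"anti-spoof: {p.src} does not belong on {p.in_if}"
    for rule in POLICY:
        if rule.matches(p):
            return rule.action, rule.comment
    return "DROP", "default deny"


def internet_exposure() -> List[Tuple[str, str, Optional[int]]]:
    """Every (dst, proto, dport) the Internet leg may open a flow to."""
    return [(r.dst, r.proto, r.dport) for r in POLICY if r.action == "ACCEPT" and r.in_if == "eth0"]


if __name__ == "__main__":
    samples = [
        Packet("eth0", "198.51.100.7", VPN_SERVER, "udp", 500),        # IKE: accept
        Packet("eth0", "198.51.100.7", VPN_SERVER, "tcp", 22),         # admin port from Internet: drop
        Packet("eth0", "198.51.100.7", LAN_FILE_SERVER, "tcp", 445),   # Internet straight into LAN: drop
        Packet("eth3", "10.3.1.5", LAN_FILE_SERVER, "tcp", 445),       # remote user to file server: accept
        Packet("eth3", "10.3.1.5", "10.1.0.30", "tcp", 3389),          # remote user elsewhere: drop
        Packet("eth0", "10.3.1.5", LAN_FILE_SERVER, "tcp", 445),       # forged VPN-pool source: spoof
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt))
    print("Internet-facing surface:", internet_exposure())
```

Running the file prints the decision for each constructed packet; `internet_exposure()` returns the attack surface the rule set leaves open to the Internet, which is the list to compare against what the VPN vendor says must be reachable. Return traffic of established flows is outside the model, as a stateful firewall would handle it with connection tracking rather than with these rules.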
-
June 18th, 2002, 01:01 AM
#15
And, if you don't want the "outside" interface to be on the same network as your internal net, then... wouldn't that be outside the firewall?
Really, I'm imagining this all as "fairly simple."
-
Actually I was just stating that if he adds the VPN Server to the DMZ, or anywhere for that matter, he should not place the outside interface of the Server on the same VLAN as the inside interface of the Server.
I'm sure we could have hours of arguments as to where or how the VPN Server should be installed, but then again who cares? We're basically both right, just different views. Certain manufacturers have their server designed to work at different locations, and I agree on a security-to-the-device level that the DMZ is appropriate... but then again... really, how secure is the DMZ?
-
June 18th, 2002, 01:12 AM
#16
Ironically enough... the servers on my DMZ tend to be more secure than the systems on my LANs... well, I'm a lot more meticulous with hardening them and sandboxing everything, etc