Security Basics mailing list archives

Re: DMZ and VPN


From: "Alberto Cozer" <acozer () fti com br>
Date: Tue, 18 Feb 2003 14:23:33 -0300


You can have one interface on the public network and the other
interface on the DMZ. Authenticated users' access must be enforced by
the company firewall. But, of course, the VPN server must also be
considered a firewall itself, with its own firewall capabilities.

There is another solution that most people don't like, which is using
one DMZ for the VPN server's public interface and another DMZ for the
VPN server's private interface. If your firewall can't support two DMZs
(either because it has no more available interfaces or due to a
product limitation), you will have the possibility of colocating both
DMZs on the same network segment/firewall NIC. In this case you will
have to pay attention to addressing, routing and NAT in order to
avoid security problems.

Alberto Cozer
Security Outsource Manager, Future Technologies Digital Security
IBM Certified AIX System Specialist
Checkpoint Certified Security Expert, CCSE NG
acozer () fti com br
http://www.fti.com.br
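
The layout in the reply above, as an added example that is not part of the original thread: a small first-match firewall-policy evaluator in Python that models the two-DMZ placement (public VPN interface in one DMZ, private VPN interface in another, the Internet only allowed to speak the protocols a Win2k RRAS server terminates, the private interface only allowed to reach named internal services) and then asks what a compromised VPN server could still reach. It also models the colocated variant, where both VPN interfaces share one firewall NIC and the firewall never sees traffic between hosts on that segment. All addresses (RFC 5737 documentation ranges and 10.0.0.0/8), host roles, probe lists and the set of permitted internal services are constructed assumptions for illustration.

```python
"""Added example, not from the original post: model of the two-DMZ VPN layout.
Addresses, host roles and permitted services are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; rules are evaluated top to bottom, first match wins."""
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    proto: str            # "tcp", "udp", "esp", "gre" or "any"
    dport: Optional[int]  # destination port, None for protocols without ports
    action: str           # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    """segments maps each firewall NIC to its network; any other address is Internet."""
    segments: Dict[str, str]
    rules: List[Rule]

    def segment_of(self, ip: str) -> str:
        for name, net in self.segments.items():
            if ip_address(ip) in ip_network(net):
                return name
        return "INTERNET"

    def evaluate(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int] = None) -> str:
        # Two hosts behind the same NIC exchange packets that never cross the
        # firewall, so no rule can be applied to them (the colocated-DMZ caveat).
        if self.segment_of(src_ip) == self.segment_of(dst_ip):
            return "unfiltered"
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, proto, dport):
                return rule.action
        return "deny"  # default deny

    def exposure(self, src_ip: str, probes: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
        """Probes (dst, proto, port) that a host at src_ip can complete, i.e. what an
        attacker who owns that host reaches through, or around, the firewall."""
        return [p for p in probes if self.evaluate(src_ip, *p) != "deny"]


# Constructed topology (assumed addressing).
VPN_PUB = "192.0.2.10"          # RRAS public interface, DMZ_PUB
VPN_PRIV = "198.51.100.10"      # RRAS private interface, DMZ_PRIV (two-DMZ layout)
VPN_PRIV_COLO = "192.0.2.11"    # RRAS private interface when both DMZs share a NIC
FTP_SERVER = "192.0.2.21"       # another host living in the public DMZ
FILE_SERVER, DNS_SERVER, WORKSTATION = "10.0.1.20", "10.0.1.53", "10.0.5.7"


def vpn_policy(vpn_pub: str, vpn_priv: str) -> List[Rule]:
    anywhere = "0.0.0.0/0"
    return [
        # Public interface: only the VPN protocols Win2k RRAS terminates.
        Rule(anywhere, vpn_pub + "/32", "tcp", 1723, "allow"),  # PPTP control channel
        Rule(anywhere, vpn_pub + "/32", "gre", None, "allow"),  # PPTP tunnel (IP proto 47)
        Rule(anywhere, vpn_pub + "/32", "udp", 500, "allow"),   # IKE for L2TP/IPsec
        Rule(anywhere, vpn_pub + "/32", "esp", None, "allow"),  # IPsec ESP (IP proto 50)
        # Private interface: decrypted client traffic may reach named services only.
        Rule(vpn_priv + "/32", FILE_SERVER + "/32", "tcp", 445, "allow"),
        Rule(vpn_priv + "/32", DNS_SERVER + "/32", "udp", 53, "allow"),
    ]


TWO_DMZ = Firewall(
    segments={"DMZ_PUB": "192.0.2.0/24", "DMZ_PRIV": "198.51.100.0/24", "LAN": "10.0.0.0/8"},
    rules=vpn_policy(VPN_PUB, VPN_PRIV),
)
COLOCATED = Firewall(
    segments={"DMZ": "192.0.2.0/24", "LAN": "10.0.0.0/8"},
    rules=vpn_policy(VPN_PUB, VPN_PRIV_COLO),
)

# Constructed probe list: what a compromised VPN server might try against the LAN.
LAN_PROBES = [
    (FILE_SERVER, "tcp", 445),
    (FILE_SERVER, "tcp", 139),
    (DNS_SERVER, "udp", 53),
    (WORKSTATION, "tcp", 3389),
]

if __name__ == "__main__":
    for name, fw, priv in (("two DMZs", TWO_DMZ, VPN_PRIV), ("colocated", COLOCATED, VPN_PRIV_COLO)):
        print(name, "- compromised VPN server reaches:", fw.exposure(priv, LAN_PROBES))
        print(name, "- FTP host to VPN private side:", fw.evaluate(FTP_SERVER, priv, "tcp", 445))
```

In both layouts the rules on the private interface are what bound a compromised RRAS box: it reaches only the two named services, never the workstation. The difference shows up between the DMZ hosts: with two DMZs the firewall denies the FTP server talking to the VPN server's private side, while in the colocated layout that traffic is "unfiltered" because it never crosses the firewall, which is why the reply insists on getting addressing, routing and NAT right there.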



Security Manager <sec_man1234@yahoo.com>
17/02/2003 14:29

To:      security-basics () securityfocus com
cc:
Subject: DMZ and VPN

I've been following the thread on FTP servers in the DMZ with interest.
I'm curious as to how it applies to a server providing VPN access using
Win2k Server's Routing and Remote Access.

Given that the VPN is supposed to give access to the private network to
external clients (who can authenticate), how can you avoid having at
least one interface on the local network? Surely the best you can do is
have one interface on the private network, and the other in a DMZ
(behind the firewall) - but you've still got the problem if the VPN
provider is compromised!

How do you solve that one?

TIA - SecMan.






*********************************************************
Future Technologies Seguranca Digital

This message is the responsibility of its author.
Its content does not necessarily reflect the opinion of
the company.
*********************************************************

