Security Basics mailing list archives

Re: DMZ and VPN


From: Chris Travers <chris () travelamericas com>
Date: Tue, 18 Feb 2003 10:50:32 -0800

Here is the solution I have been looking at for DMZ/VPN connections:

The real issue is that the VPN, depending on how it is being used, could have different security implications. Here are the general guidelines I work with--

Logically separate your security perimeters:

A: If I am allowing traveling or work-from-home VPN access, that is handled on the main security perimeter-- i.e. a dedicated host in the DMZ not running other services. Alternatively, the firewall itself could have a VPN interface installed that could allow PPTP or IPSec to be used to establish the connection (I prefer IPSec). While the separate host is preferable, I generally feel that at least with IPSec, as long as the firewall is not offering any other network services to the public that require authentication (aside from secure administrative interfaces, such as properly secured SSH), it is probably acceptable. Your business needs may vary.

B: If I am allowing branch offices to connect via a VPN, this can be tricky, especially if there are NATs involved. My personal preference is to have dedicated computers handling GRE, L2TP, or IP/IP tunnels containing further IPSec tunnels, which act as virtual routers and firewalls and handle all the traffic between the offices. The specific ports used can then be forwarded at the NAT back to the virtual router without affecting the IPSec headers. The virtual routers should not be running any other services except perhaps SSH or another secure administrative interface.

Hope this helps,
Chris
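As an added example (not part of Chris's post), the two perimeters he describes written down as explicit default-deny policies in Python. The zone names, the `Flow` type and the helper functions are assumptions made here; the protocol numbers and ports are the standard IANA values for the tunnel types he names.

```python
"""Hypothetical policy model for the two VPN perimeters in the post.

Assumptions (not from the post): a flow is keyed on source zone, IP protocol
number and TCP/UDP destination port; zones are 'internet', 'branch' (an
enrolled peer office) and 'mgmt' (the internal administrative network).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# IANA protocol numbers and well-known ports for the tunnels mentioned.
ESP, GRE, TCP, UDP = 50, 47, 6, 17
IKE, NAT_T, L2TP, SSH = 500, 4500, 1701, 22

Rule = Tuple[str, int, Optional[int]]  # (src_zone, proto, dport or None)


@dataclass(frozen=True)
class Flow:
    src_zone: str          # 'internet', 'branch' or 'mgmt'
    proto: int             # IP protocol number
    dport: Optional[int]   # TCP/UDP destination port; None for ESP/GRE


# Perimeter A: road-warrior VPN host in the DMZ. Only IKE, NAT-T and ESP are
# reachable from the Internet; SSH only from management; nothing else.
ROAD_WARRIOR: Set[Rule] = {
    ("internet", UDP, IKE), ("internet", UDP, NAT_T), ("internet", ESP, None),
    ("mgmt", TCP, SSH),
}

# Perimeter B: branch-office virtual router. Same IPsec set plus the GRE/L2TP
# outer tunnels, but only from enrolled branch peers, never the open Internet.
BRANCH_ROUTER: Set[Rule] = {
    ("branch", UDP, IKE), ("branch", UDP, NAT_T), ("branch", ESP, None),
    ("branch", GRE, None), ("branch", UDP, L2TP),
    ("mgmt", TCP, SSH),
}


def allowed(policy: Set[Rule], flow: Flow) -> bool:
    """Default deny: a flow passes only if the policy matches it exactly."""
    return (flow.src_zone, flow.proto, flow.dport) in policy


def nat_forwards(policy: Set[Rule]) -> List[str]:
    """List what a NAT in front of the host must forward to it. NAT-T carries
    ESP inside UDP 4500 precisely so the NAT can forward by port without
    touching the IPsec headers; management-only SSH is not forwarded."""
    names = {UDP: "udp", TCP: "tcp", ESP: "esp", GRE: "gre"}
    return sorted(f"{names[p]}/{d}" if d else names[p]
                  for z, p, d in policy if z != "mgmt")
```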

