On Wed, 2005-05-04 at 11:26 -0400, Nick Phillips wrote:
> Hi all,
>
> I'm a relative newbie to VPN, and I've been asked to investigate
> setting up a VPN for a small office of about 50 people. The network
> architecture is an external firewall (which may be replaced with a
> firewall / VPN appliance, probably Astaro at this point)

firewall/anything is not my favorite choice. The firewall, imo, shouldn't be running any services that can be attacked, simply passing packets and optionally routing. If you have a spare 4 or 5 year old machine laying around, consider throwing Linux or some BSD on it and running OpenVPN. It's a very secure SSL-based VPN product and you only need one port opened up in your firewall, no GRE so no custom kernel needed.

> , a DMZ containing Linux webservers (192.168.2.x), and an internal
> Linux firewall protecting the LAN (192.168.1.x), composed of Windows
> XP machines, and also the file/mail servers (which will be switched to
> Windows Server as per management's request).
>
> Now my question: where is the best place for the VPN to terminate,
> assuming that VPN users need access to the file servers inside the
> LAN?

I do the same thing and have my VPN machine on the DMZ; on the off chance that it gets compromised, I don't want it on the private LAN. You can then allow your LAN firewall (not sure why you need two; the outside firewall should be able to handle both the routing to the DMZ and private LAN and give you the same security level w/one less machine to administer) to pass packets from the DMZ interface w/the IP address class you assign to your VPN users. For one more layer of security, at this point, you could allow traffic ONLY to some internal NT authenticator/domain controller which they have to log in through and are provided network shares/resources this way.

> With an external firewall / VPN appliance, as far as I understand it,
> the VPN sessions would terminate inside the DMZ, with an IP of
> 192.168.2.something. Providing those VPN users with access to the
> fileservers inside the LAN would require punching a bunch of holes in
> the internal firewall, right? This isn't something that sounds too
> appealing to me. But what other solutions are there? Is it preferable
> to forward the VPN connection to be terminated on the inside firewall
> instead, so sessions would terminate inside the LAN with a
> 192.168.1.something IP?

You're running into the main dilemma that people run into when trying to allow outsiders, even your own outsiders, onto your LAN. There is currently, imo, no perfect solution. Remember too that when you're allowing access to your LAN from outside, your LAN is only as protected as the clients' machines. Once their home machines have been compromised, it's open season on your LAN.

> Could anybody with VPN experience suggest the best way to solve this?
> And forgive me if I'm screwy with some of the details of how VPN
> works, I'm still learning up on PPTP / L2TP / IPsec etc etc....
>
> Regards,
>
> Nick Phillips

Aaron P. Martinez
http://www.proficuous.com
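A concrete form of the internal-firewall policy the reply describes (the VPN client pool, arriving on the DMZ interface, is allowed into the LAN only as far as the domain controller), as an added example that is not from the thread or from any of the products named in it. The interface names, the VPN pool 10.8.0.0/24, the domain controller address 192.168.1.10 and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Rules for the *internal* Linux firewall:
# DMZ on $DMZ_IF (192.168.2.x), LAN on $LAN_IF (192.168.1.x). The VPN pool,
# the domain controller address and the port list are assumed values.
# With DRY_RUN=1 (the default) the commands are printed instead of applied,
# so the ruleset can be reviewed without root; set DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"
DMZ_IF=eth0
LAN_IF=eth1
VPN_NET=10.8.0.0/24      # constructed: pool handed to OpenVPN clients
LAN_NET=192.168.1.0/24
DC=192.168.1.10          # constructed: internal domain controller

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

vpn_forward_rules() {
    # Replies to established sessions may flow in both directions.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the VPN pool may open connections from the DMZ into the LAN, and only
    # to the domain controller: Kerberos (88), LDAP (389), SMB (445) over TCP,
    # DNS (53) and Kerberos (88) over UDP. The DMZ web servers' own addresses
    # and every other LAN host are left unreachable by these rules.
    for p in 88 389 445; do
        ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DC" \
            -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in 53 88; do
        ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$DC" \
            -p udp --dport "$p" -j ACCEPT
    done
    # Anything else from the DMZ toward the LAN (a compromised VPN box or web
    # server probing inward) is logged at a limited rate, then dropped.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m limit --limit 5/min -j LOG --log-prefix "DMZ-to-LAN drop: "
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

# Review helpers: how many rules accept traffic, and how many of those are
# pinned to the domain controller (every rule that admits NEW connections
# from the DMZ should be).
count_accept_rules() { ( DRY_RUN=1; vpn_forward_rules ) | grep -c -- '-j ACCEPT'; }
count_dc_rules()     { ( DRY_RUN=1; vpn_forward_rules ) | grep -c -- "-d $DC "; }

vpn_forward_rules
```

Insert the rules ahead of any broader DMZ-to-LAN ACCEPT on the internal firewall; order matters because the first matching FORWARD rule wins.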