How do I design a VPN site-to-site configuration to co-exist with a DMZ? Where should the VPN endpoint be within the DMZ, and within the internal network?
There are a couple of options regarding how to set up a site-to-site VPN endpoint in a DMZ-type architecture. Typically, you could leverage the filtering device (firewall) as the VPN endpoint, but, in this case, terminating the VPN tunnel on the firewall would allow for third-party connections to drop into the internal network with minimal filtering.
Setting up the dedicated VPN appliance in the DMZ is typically straightforward. Depending on the type of VPN the appliance will be supporting, it would only require certain protocol ports were opened to support tunnel setup and encryption. IPSEC would generally require Internet Security Association and Key Management Protocol (ISAKMP) (500/udp), Encapsulating Security Payload (ESP) (IP Protocol 50) and Authentication Header (AH) (IP Protocol 51). Once the initial tunnel configuration is in place, appropriate access lists can be set up to restrict access to specific hosts and ports on the internal network. In addition, having the VPN device on the DMZ segment would allow for a choke point ,which could host an IPS/IDS product monitoring access through the VPN tunnel and would allow for quick intervention by way of blocking ACLs in the event of suspicious traffic.
This was first published in August 2011