Should tunnels be connected from an ISP to an internal data center?
I have two secured data centers on the Internet. Each has routers and firewalls to limit access. I need to pass programs and data from the internal data center to the ISP data center through a secure tunnel. The internal data center is perceived to be more secure and hosts more sensitive information. Is it more secure to initiate tunnel connections from the ISP to the internal data center, or vice versa? Or does the connection direction matter?
Generally speaking, I recommend initiating connections from a higher security environment to a lower security environment. In either case, you'll get the confidentiality protection afforded by the secure tunnel, but you gain a slight advantage of reduced complexity by connecting to the less secure environment from the more secure one.
You'll need to create a firewall rule allowing inbound access on the firewall protecting the destination environment. You should definitely create a point-to-point rule that limits inbound access to the source IP address of the other tunnel endpoint; regardless, this rule still allows some extra degree of inbound access. When you have the choice of adding complexity to a less sensitive or more sensitive environment, you should opt to add it to the less sensitive environment.
Remember that complexity is the enemy of security: it makes verification of security controls more difficult and increases the likelihood of a configuration error. Adding the inbound rule to the less secure environment increases the complexity of that environment rather than the more secure one.
More information:Learn more about how multiple firewall rules should be managed.
A reader asks security management expert Mike Rothman, "What is the difference between a SAS 70 data center vs. a Tier III data center?"
This was first published in October 2008