Q

What firewall controls should be placed on the VPN?

The level of control you place on VPN traffic should be at least as strong as the level of control you place on traffic from similar users on your corporate network. Network expert Mike Chapple explains which firewall controls are necessary.

We're planning to implement a virtual private network (VPN) in our enterprise. What firewall controls should we place on the VPN?
The level of control you place on VPN traffic should be at least as strong as the level of control you place on traffic from similar users on your corporate network. If the VPN is used exclusively by employees, it's normally reasonable to terminate the VPN in the network zone that hosts employee workstations. This configuration allows you to easily place the same firewall controls on traveling employees as you would of those located in your office.

On the other hand, if the VPN is open to third parties, such as vendors or business partners, you may wish to consider placing these users in a dedicated, restrictive zone that limits their network access to the specific resources they must access to meet business requirements. This can be done by terminating the VPN connection in a firewall zone that explicitly controls the types of traffic that may cross from the VPN into your corporate network.

One solution I've seen used in many enterprises is to set up two or three different VPNs, designed for different uses. This can often be done with a single VPN appliance that provides role-based access. For example, you might set up the following groups on your VPN:

  • Employees
  • System administrators
  • Vendors
  • Site-to-site VPNs

You can then assign different network privileges to each of these roles depending upon their business requirements. For example, you might grant the system administrators the ability to create administrative connections to servers using the SSH protocol, while vendors and regular employees would be denied that access.

More information:

  • Learn how Juniper and F5 SSL VPNs can handle endpoint security.
  • One company recently found that Microsoft Vista and VPNs don't always mix.
  • This was first published in December 2008

    Dig deeper on SSL and TLS VPN Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close