Ask the Expert

What firewall controls should be placed on the VPN?

We're planning to implement a virtual private network (VPN) in our enterprise. What firewall controls should we place on the VPN?

    Requires Free Membership to View

The level of control you place on VPN traffic should be at least as strong as the level of control you place on traffic from similar users on your corporate network. If the VPN is used exclusively by employees, it's normally reasonable to terminate the VPN in the network zone that hosts employee workstations. This configuration allows you to easily place the same firewall controls on traveling employees as you would of those located in your office.

On the other hand, if the VPN is open to third parties, such as vendors or business partners, you may wish to consider placing these users in a dedicated, restrictive zone that limits their network access to the specific resources they must access to meet business requirements. This can be done by terminating the VPN connection in a firewall zone that explicitly controls the types of traffic that may cross from the VPN into your corporate network.

One solution I've seen used in many enterprises is to set up two or three different VPNs, designed for different uses. This can often be done with a single VPN appliance that provides role-based access. For example, you might set up the following groups on your VPN:

  • Employees
  • System administrators
  • Vendors
  • Site-to-site VPNs

You can then assign different network privileges to each of these roles depending upon their business requirements. For example, you might grant the system administrators the ability to create administrative connections to servers using the SSH protocol, while vendors and regular employees would be denied that access.

More information:

  • Learn how Juniper and F5 SSL VPNs can handle endpoint security.
  • One company recently found that Microsoft Vista and VPNs don't always mix.
  • This was first published in December 2008

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: