Q

Where to terminate a VPN

I have just joined a new company and they are beginning a project for rolling out a VPN solution for remote users to access internal applications. I have two questions:

[1] The VPN solution is from NORTEL. I haven't found much information about the product, although they tell me it's in the top right Gartner Quad. Is there any information I could get regarding the product and its rating since it is not listed in your buyers guide?

[2] Where should the VPN terminate? There are two schools of thought. A) Network guys want to enable the VPN to terminate inside the network and allow it to only access the specific servers required. (My thoughts are that this is too big an exposure.) B) Terminate the VPN in a DMZ and locate the Web front end in the DMZ along with any collaborative applications required by both internal (whq) and remote users.

I'm sorry, but I do not rate products or give endorsements of specific products. If you need such information, please contact NORTEL about its products, or the Gartner Group about its ratings (if any).

As for where to terminate the VPN, both schools of thought have valid points. If you terminate the VPN inside your network (behind the firewall), the remote client has the same access rights as a computer that is connected directly to your network. Usually, this is what you are trying to achieve. However, you must be sure that your authentication for the remote user is adequate. Also, be careful how the VPN encryption keys are stored. For example, it is better to have the keys stored off of the remote client on a smart card or other token than on the client hard drive.

Terminating the VPN in a separate DMZ has the benefit of further limiting remote clients to a small subset of your network. However, it could introduce other problems. For instance, do those same (or other) users need to get at the resources to be put into the DMZ from a fixed client directly connected to your network? If so, they may need to have a VPN client to connect to those resources. It may very well be more trouble than it's worth.

If you can ensure that all VPN clients are properly authenticated, I would recommend terminating the VPN inside the firewall, making the remote client look as though it is connected directly inside the firewall. This will probably have the least impact on your applications.

This was first published in April 2001
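
The following is an added example, not part of the original answer and not taken from any vendor's product. It is a small first-match rule evaluator that compares what a remote client can reach when a VPN terminated inside the network is given flat access versus per-server rules (option A in the question). All addresses, server names, and rule lists are constructed for illustration.

```python
import ipaddress

# Constructed inventory of internal servers: name -> (ip, port). All values are made up.
SERVERS = {
    "intranet-web": ("10.1.0.10", 443),
    "mail": ("10.1.0.20", 993),
    "hr-db": ("10.1.0.30", 1433),
    "file-share": ("10.1.0.40", 445),
}
VPN_POOL = "10.9.0.0/24"  # assumed address pool handed to remote clients

# First-match rule lists: (action, source net, destination net, port or None for any)
FLAT = [("allow", VPN_POOL, "10.1.0.0/16", None)]  # client treated like a LAN host
SCOPED = [                                         # only the servers actually required
    ("allow", VPN_POOL, "10.1.0.10/32", 443),
    ("allow", VPN_POOL, "10.1.0.20/32", 993),
    ("deny", VPN_POOL, "0.0.0.0/0", None),
]

def decide(rules, src, dst, port):
    """Return the action of the first matching rule; default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

def exposure(rules, client_ip="10.9.0.5"):
    """Names of inventory servers a VPN client can reach under `rules`."""
    return sorted(name for name, (ip, port) in SERVERS.items()
                  if decide(rules, client_ip, ip, port) == "allow")

def unintended(rules, required):
    """Servers reachable from the VPN pool that are not on the required list."""
    return sorted(set(exposure(rules)) - set(required))

if __name__ == "__main__":
    need = ["intranet-web", "mail"]
    for label, rules in (("flat", FLAT), ("scoped", SCOPED)):
        print(label, exposure(rules), "extra:", unintended(rules, need))
```

Running the same check against an exported rule set before rollout shows which servers a stolen or weakly authenticated VPN credential would reach under each design.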
