I have just joined a new company and they are beginning a project for rolling out a VPN solution for remote users to access internal applications. I have two questions:

[1] The VPN solution is from NORTEL. I haven't found much information about the product, although they tell me it's in the top right Gartner Quad. Is there any information I could get regarding the product and its rating since it is not listed in your buyers guide?

[2] Where should the VPN terminate? There are two schools of thought. A) Network guys want to enable the VPN to terminate inside the network and allow it to only access the specific servers required. (My thoughts are that this is too big an exposure.) B) Terminate the VPN in a DMZ and locate the Web front end in the DMZ along with any collaborative applications required by both internal (WHQ) and remote users.
I'm sorry, but I do not rate products or give endorsements of specific products. If you need such information, please contact NORTEL about its products, or the Gartner Group about its ratings (if any).

As for where to terminate the VPN, both schools of thought have valid points. If you terminate the VPN inside your network (behind the firewall), the remote client has the same access rights as a computer that is connected directly to your network. Usually, this is what you are trying to achieve. However, you must be sure that your authentication for the remote user is adequate. Also, be careful how the VPN encryption keys are stored. For example, it is better to have the keys stored off of the remote client on a smart card or other token than on the client hard drive.
Terminating the VPN in a separate DMZ has the benefit of further limiting remote clients to a small subset of your network. However, it could introduce other problems. For instance, do those same (or other) users need to get at the resources to be put into the DMZ from a fixed client directly connected to your network? If so, they may need to have a VPN client to connect to those resources. It may very well be more trouble than it's worth.
If you can ensure that all VPN clients are properly authenticated, I would recommend terminating the VPN inside the firewall, making the remote client look as though it is connected directly inside the firewall. This will probably have the least impact on your applications.
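The two designs in the question differ mainly in what a remote client's address can reach once the tunnel is up. The following Python model is an added example, not part of the original column or the expert's answer: it expresses each design as a first-match firewall policy and computes which servers a VPN client can reach, so the "exposure" the questioner worries about can be compared concretely. All addresses, server names, the VPN address pool and the rules are constructed for illustration; the `Rule`, `decide` and `reachable` helpers are hypothetical and not from any product.

```python
"""Compare VPN termination designs as firewall policies.

Added example (not from the original Q&A). Every address, host and rule
below is constructed; substitute your own inventory to reuse the model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # destination TCP port, None means any port
    action: str          # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def decide(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is dropped."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


# Constructed network inventory.
VPN_POOL = "10.200.0.0/24"   # addresses assigned to remote clients
INTERNAL = "10.0.0.0/8"      # everything behind the firewall
DMZ = "192.168.100.0/24"
SERVICES = {                 # name -> (address, port)
    "app-server":   ("10.1.10.5",      443),
    "mail-server":  ("10.1.10.6",      993),
    "file-server":  ("10.1.20.7",      445),
    "hr-database":  ("10.1.30.8",      1433),
    "web-frontend": ("192.168.100.10", 443),
}

# Design A as the network team proposes it: terminate inside, but scope
# the VPN pool to the specific servers remote users actually need.
DESIGN_A = [
    Rule(VPN_POOL, "10.1.10.5/32", 443, "allow"),
    Rule(VPN_POOL, "10.1.10.6/32", 993, "allow"),
    Rule(VPN_POOL, INTERNAL, None, "deny"),
]

# Design A without scoping: remote clients look like any inside host.
DESIGN_A_UNSCOPED = [Rule(VPN_POOL, INTERNAL, None, "allow")]

# Design B: terminate in the DMZ; only the Web front end placed there
# is reachable, nothing internal.
DESIGN_B = [
    Rule(VPN_POOL, "192.168.100.10/32", 443, "allow"),
    Rule(VPN_POOL, DMZ, None, "deny"),
    Rule(VPN_POOL, INTERNAL, None, "deny"),
]


def reachable(policy: List[Rule], client_ip: str = "10.200.0.23") -> List[str]:
    """Names of services a VPN client at client_ip may connect to."""
    return sorted(name for name, (host, port) in SERVICES.items()
                  if decide(policy, client_ip, host, port) == "allow")


def exposure_count(policy: List[Rule], client_ip: str = "10.200.0.23") -> int:
    return len(reachable(policy, client_ip))


if __name__ == "__main__":
    for label, policy in [("A (scoped)", DESIGN_A),
                          ("A (unscoped)", DESIGN_A_UNSCOPED),
                          ("B (DMZ)", DESIGN_B)]:
        print(f"{label:13s} exposes {exposure_count(policy)} service(s): "
              f"{reachable(policy)}")
```

Running the model shows the trade-off the answer describes: the unscoped inside termination exposes every internal service, the scoped variant exposes only the listed servers, and the DMZ design exposes a single front end but then needs every collaborative application moved into the DMZ (or a VPN client for inside users) to stay useful.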
This was first published in April 2001