I have just joined a new company and they are beginning a project for
rolling out a VPN solution for remote users to access internal applications. I have two questions:
 The VPN solution is from NORTEL. I haven't found much information about the product, although they tell me it's in the top right Gartner Quad. Is there any information I could get regarding the product and its rating since it is not listed in your buyers guide?
 Where should the VPN terminate? There are two schools of thought. A)
Network guys want to enable the VPN to terminate inside the network and
allow it to only access the specific servers required. (My thoughts are that this is too big an exposure). B) Terminate the VPN in a DMS and locate the Web front end in the DMZ along with any collaborative
applications required by both internal(whq)and remote users.
I'm sorry, but I do not rate products or give endorsements of specific
products. If you need such information, please contact NORTEL about
its products, or the Gartner Group about its ratings (if any).
As for where to terminate the VPN, both schools of thought have valid
points. If you terminate the VPN inside your network (behind the firewall), the remote client has the same access rights as a computer that is connected directly to your network. Usually, this is what you are trying to achieve. However, you must be sure that your authentication for the remote user is adequate. Also, be careful how the VPN encryption keys are stored. For example, it is better to have the keys stored off of the remote client on a smart card or other token than on the client hard drive.
Terminating the VPN in a separate DMZ has the benefit of further limiting remote clients to a small subset of your network. However, it could introduce other problems. For instance, do those same (or other) users need to get at the resources to be put into the DMZ from a fixed client directly connected to your network? If so, they may need to have a VPN client to connect to those resources. It may very well be more trouble than it's worth.
If you can ensure that all VPN clients are properly authenticated, I would recommend terminating the VPN inside the firewall, making the remote client look as though it is connected directly inside the firewall. This will probably have the least impact on your applications.
This was first published in April 2001