How do I design a VPN site-to-site configuration to co-exist with a DMZ? Where should the VPN endpoint be within the DMZ, and within the internal network?
There are a couple of options regarding how to set up a site-to-site VPN endpoint in a DMZ-type architecture. Typically, you could leverage the filtering device (firewall) as the VPN endpoint, but, in this case, terminating the VPN tunnel on the firewall would allow for third-party connections to drop into the internal network with minimal filtering.
Setting up the dedicated VPN appliance in the DMZ is typically straightforward. Depending on the type of VPN the appliance will be supporting, it would only require certain protocol ports were opened to support tunnel setup and encryption. IPSEC would generally require Internet Security Association and Key Management Protocol (ISAKMP) (500/udp), Encapsulating Security Payload (ESP) (IP Protocol 50) and Authentication Header (AH) (IP Protocol 51). Once the initial tunnel configuration is in place, appropriate access lists can be set up to restrict access to specific hosts and ports on the internal network. In addition, having the VPN device on the DMZ segment would allow for a choke point ,which could host an IPS/IDS product monitoring access through the VPN tunnel and would allow for quick intervention by way of blocking ACLs in the event of suspicious traffic.
Dig Deeper on Enterprise network security
Related Q&A from Anand Sastry
Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to ... Continue Reading
IEEE 802.11 has several known vulnerabilities, so what's the best way for enterprises to handle them? Expert Anand Sastry explains. Continue Reading
As signature-based IDS becomes less effective, is host-based IDS the best option to replace it? Expert Anand Sastry weighs in. Continue Reading