
Where to terminate a VPN

I have just joined a new company and they are beginning a project for rolling out a virtual private network solution for remote users to access internal applications. I have two questions:

[1] The VPN solution is from NORTEL. I haven't found much information about the product, although they tell me it's in the top right Gartner Quad. Is there any information I could get regarding the product and its rating since it is not listed in your buyers guide?

[2] Where should the VPN terminate? There are two schools of thought. A) Network guys want to enable the VPN to terminate inside the network and allow it to only access the specific servers required. (My thoughts are that this is too big an exposure.) B) Terminate the VPN in a DMZ and locate the Web front end in the DMZ along with any collaborative applications required by both internal (whq) and remote users.

I'm sorry, but I do not rate products or give endorsements of specific products. If you need such information, please contact NORTEL about its products, or the Gartner Group about its ratings (if any).

As for where to terminate the VPN, both schools of thought have valid points. If you terminate the VPN inside your network (behind the firewall), the remote client has the same access rights as a computer that is connected directly to your network. Usually, this is what you are trying to achieve. However, you must be sure that your authentication for the remote user is adequate. Also, be careful how the VPN encryption keys are stored. For example, it is better to have the keys stored off the remote client on a smart card or other token than on the client hard drive.

Terminating the VPN in a separate DMZ has the benefit of further limiting remote clients to a small subset of your network. However, it could introduce other problems. For instance, do those same (or other) users need to get at the resources to be put into the DMZ from a fixed client directly connected to your network? If so, they may need to have a VPN client to connect to those resources. It may very well be more trouble than it's worth.

If you can ensure that all VPN clients are properly authenticated, I would recommend terminating the VPN inside the firewall, making the remote client look as though it is connected directly inside the firewall. This will probably have the least impact on your applications.
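The two designs discussed above, modelled as ordered firewall rule sets and checked with a first-match policy lookup. This is an added example, not part of the original question or answer; all addresses, the VPN client pool and the list of application servers are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed example addressing (not from the original Q&A).
VPN_POOL = "10.200.0.0/24"          # addresses handed out to remote VPN clients
LAN = "10.10.0.0/16"                # internal desktops and servers
DMZ_WEB = "192.0.2.10/32"           # web front end placed in the DMZ
APP_SERVERS = ["10.10.5.10/32", "10.10.5.11/32"]  # only internal servers remote users need
ANY = "0.0.0.0/0"

Rule = Tuple[str, str, str]  # (source CIDR, destination CIDR, "allow" | "deny")

# Design A: VPN terminates inside the firewall. Remote clients get exactly the
# rights of a directly connected LAN host, so the same destinations are allowed.
INSIDE_TERMINATION: List[Rule] = [
    (src, dst, "allow") for src in (VPN_POOL, LAN) for dst in (LAN, DMZ_WEB)
] + [(ANY, ANY, "deny")]

# Design B: VPN terminates in the DMZ. Remote clients reach the DMZ front end and
# an explicit list of internal servers; fixed LAN clients reach the DMZ without a VPN.
DMZ_TERMINATION: List[Rule] = [
    (VPN_POOL, DMZ_WEB, "allow"),
    *[(VPN_POOL, server, "allow") for server in APP_SERVERS],
    (LAN, DMZ_WEB, "allow"),
    (LAN, LAN, "allow"),
    (ANY, ANY, "deny"),
]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first rule whose source and destination cover the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"  # implicit default deny when nothing matched


def reachable_from_vpn(rules: List[Rule], targets: List[str]) -> List[str]:
    """List which of the given hosts a remote client (one pool address) is allowed to reach."""
    client = str(ipaddress.ip_network(VPN_POOL)[10])
    return [t for t in targets if evaluate(rules, client, t) == "allow"]


if __name__ == "__main__":
    probes = ["192.0.2.10", "10.10.5.10", "10.10.7.50"]  # DMZ web, allowed app server, other LAN host
    print("inside termination:", reachable_from_vpn(INSIDE_TERMINATION, probes))
    print("DMZ termination:   ", reachable_from_vpn(DMZ_TERMINATION, probes))
```

Running it shows the trade-off the answer describes: inside termination exposes every LAN host to the remote client, while DMZ termination exposes only the listed servers and still lets fixed internal clients reach the DMZ resources without a VPN client.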

This was last published in April 2001
