Re: DMZ and VPN
From: <abretten(at)kroger.com>
Date: Tue Feb 18 2003 - 12:30:29 EST

Put a firewall behind the VPN local interface and only allow access to the resources you want people to have access to, through VPN. I've even had to go as far as have separate firewall rules for certain groups of users to give more or less access... I've used a VPN appliance that gives out different ranges of IP addresses to different groups of people and then write firewall rules based on those IP address ranges.

Andy Bretten
Security Manager

I've been following the thread on FTP servers in the DMZ with interest. I'm curious as to how it applies to a server providing VPN access using Win2k Server's Routing and Remote Access.

Given that the VPN is supposed to give access to the private network to external clients (who can authenticate) how can you avoid having at least one interface on the local network? Surely the best you can do is have one interface on the private network, and the other in a DMZ (behind the firewall) - but you've still the problem if the VPN provider is compromised! How do you solve that one?

TIA - SecMan.

Received on Tue Feb 18 13:08:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:48 EDT
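
The approach described in the reply above (a separate VPN address pool per user group, with firewall rules keyed on those ranges) is sketched here as an added example that is not part of the original posts. The group names, pools, destinations and ports are constructed sample values, and the default-deny behaviour and the overlapping-pool check are assumptions of this sketch.

```python
import ipaddress

# Constructed policy: the VPN appliance hands each user group its own address
# pool, and the firewall behind the VPN interface lets each pool reach only
# the listed (destination network, TCP port) pairs. All values are made up.
POLICY = {
    "staff":   {"pool": "10.99.1.0/24", "allow": [("192.168.10.20/32", 25), ("192.168.10.30/32", 80)]},
    "admins":  {"pool": "10.99.2.0/24", "allow": [("192.168.10.0/24", 22), ("192.168.10.0/24", 3389)]},
    "vendors": {"pool": "10.99.3.0/28", "allow": [("192.168.10.40/32", 443)]},
}

def compile_policy(policy):
    """Parse the pools and refuse overlapping ones: if two groups share
    addresses, a source IP no longer identifies one group's rule set."""
    compiled = []
    for group, entry in policy.items():
        pool = ipaddress.ip_network(entry["pool"])
        for other_group, other_pool, _ in compiled:
            if pool.overlaps(other_pool):
                raise ValueError(f"pool for {group} overlaps pool for {other_group}")
        allow = [(ipaddress.ip_network(dst), port) for dst, port in entry["allow"]]
        compiled.append((group, pool, allow))
    return compiled

def decide(compiled, src, dst, port):
    """Return (verdict, group) for a TCP connection from a VPN client.
    Anything not explicitly allowed is denied, including unknown sources."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for group, pool, allow in compiled:
        if src_ip in pool:
            for dst_net, allowed_port in allow:
                if dst_ip in dst_net and port == allowed_port:
                    return ("ALLOW", group)
            return ("DENY", group)
    return ("DENY", None)

if __name__ == "__main__":
    rules = compile_policy(POLICY)
    for flow in [("10.99.1.7", "192.168.10.20", 25), ("10.99.1.7", "192.168.10.5", 22),
                 ("10.99.2.9", "192.168.10.5", 22), ("10.99.3.200", "192.168.10.40", 443)]:
        print(flow, decide(rules, *flow))
```

The same table can be translated into whatever rule syntax the firewall behind the VPN interface uses; the point is that each pool gets its own allow list and everything else falls through to deny.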