VPN Concentrator on the LAN or in the DMZ?
When deploying a VPN concentrator (to give staff remote access to the LAN) where do people place them? Do people put them in the DMZ or do they place them on the LAN?
I can see pros/cons for both approaches.
Putting it in the DMZ seems the most obvious at first, but this then involves creating many firewall rules in order to get full functionality. Once these holes have been punched through the firewall, it's hard to use the defence-in-depth argument.
There is also an argument that once a user has authenticated, they should be given full access to the LAN and that this can most easily be achieved by connecting the concentrator to the LAN.
I'd be interested in people's opinions. Let's assume that we are using multi-factor authentication on the concentrator.
Clarification added 4 months ago:
Lots of great feedback, thanks for that. Most people are saying DMZ as it puts in an extra layer of defence. The point I just wanted to make is that for the most part, the DMZ firewall will just have a rule that says "let all authenticated VPN users through", so I don't quite see the logic behind that.
Answers (14)
IMHO a remote access device should never ever be placed directly into the corporate intranet. It would allow the complete evil internet to route at least the desired VPN traffic _directly_ into your LAN!
Placing the VPN gateway in the DMZ doesn't necessarily mean that you have to implement 100+ rules in your firewall. Normally you have a well defined IP address pool on the gateway. So to allow full LAN access to legitimate VPN users you simply have to implement an "allow IP-Pools LAN-IPs any" rule in the inner firewall. And make sure that these VPN IP pools are blocked at the outer firewall.
So security relies on your VPN authentication method and robustness, but with multi-factor authentication this is a valid approach from my perspective.
As authentication on the VPN gateways is so security critical: in our environment(s) we normally implement an additional highly secured network segment where we locate the authentication system (e.g. RADIUS), so that it cannot be compromised from either the LAN or the internet.
Just my 2 cents ;)
Joerg
I don't see any problem if you put the VPN in the LAN, assuming you are going to use it along with 2FA.
Threat: intruder can get into your LAN.
Chances: minimal (I cannot use 0%).
Justification: the only way to come in is via VPN authentication, and you are going to authenticate your users via multi-factor, which is almost impossible to break (password + passcode on token).
No harm in putting the VPN in the LAN.
Anurag
Matt P
Sr. Security Engineer at Hughes Network Systems
Hi Adrian
I would strongly suggest the DMZ approach as well and to a large extent concur with what Joerg has previously said. You still have some options however. If you go the DMZ route, e.g., carving out a remote access subnet is relatively straightforward, and you can then do as Joerg mentioned and allocate an IP pool for remote users. At that point, you can filter access by the source IP addresses and/or pool on the inside firewall. The levels of granularity are up to you and few firewall rules would be necessary, as Joerg alluded to. Two-factor authentication is always a good idea for access, as you mentioned, as well as perhaps implementing at least some sort of endpoint security mechanism within your VPN concentrator if possible, so that non-hardened and/or non-patched clients don't crush your corporate LAN. I do not know what other precautions you may already be leveraging, e.g., if you have an IPS/IDS alerting you to at least some measure of malicious traffic. Among several reasons, that is why I may dissuade you from connecting directly to your corporate LAN. It has been my experience that your client request pool will grow once a corp-level VPN has been implemented, both in terms of people and devices, e.g., mobile (BlackBerry, Win Mobile, etc). Granted I do not know the scale of your network, but with at least some of the aforementioned things in place and the fact that you are asking good questions, you will be approaching defense in depth in the best manner possible. All of the things mentioned are totally doable, and there exist both strong commercially available tools and a good many open-source solutions too, as your budget may be a limiting factor. I hope that helps at least to some small extent.
Dave D
Experienced network administrator and infrastructure engineer
DMZ would be my preference. You do need to add firewall rules but you can allow only traffic with that host (and still deny all from outside to internal network). Also, if your authentication system (RADIUS, LDAP) is on your internal network, you would need an allow rule for the authentication traffic.
Wouldn't you need firewall rules if you had the concentrator on your internal network?
I suggest a dedicated DMZ. It allows you to control your traffic crossing the firewall.
If you have a problem, you can setup new firewall rules.
Here are my thoughts on this one:
- I wouldn't place anything in the LAN that is directly exposed (publishing services) to the Internet. VPN concentrators belong in a DMZ, whenever possible even a DMZ dedicated to remote access purposes. (Think about the possibilities when the VPN concentrator gets compromised by an Internet user, or by a hacker who managed to break into a webserver placed in the same DMZ.)
- Additionally no administration access to the exposed device (in this case the VPN concentrator) should be allowed from outside the trusted network or a dedicated administration/console network separated from all other networks.
- If the VPN authentication mechanism needs to exchange data with the corporate Directory inside the LAN (like an LDAP server), I'd recommend to do that over SSL.
- If no full LAN network access is needed but only certain applications, I would go for an SSL VPN solution; that way the holes you need to punch into the firewall can be very granular (e.g. webmail traffic: https from the VPN IP pool to the webmail server, etc.), as full network access implies the need for a very big hole from the VPN IP pool to the LAN.
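As an added illustration (not code from any poster in this thread), the following Python models the two-firewall rule sets described by Joerg and in the list above: an outer firewall that admits only IKE/ESP to the concentrator and drops anything arriving from the Internet with a VPN-pool source address, and an inner firewall that lets the VPN pool into the LAN either wholesale or per application. All addresses, the pool, the port numbers and the firewall layout are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str                    # "udp", "tcp" or "esp"
    dport: Optional[int] = None   # None for protocols without ports (ESP)


class Rule(NamedTuple):
    action: str                   # "allow" or "deny"
    src: str                      # CIDR or single address, or "any"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port


def _matches(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rules:
        if (_matches(flow.src, r.src) and _matches(flow.dst, r.dst)
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"


# Constructed topology: concentrator in the DMZ, LAN behind the inner firewall.
VPN_POOL = "10.99.0.0/24"   # addresses the concentrator hands to remote users
LAN = "10.10.0.0/16"
CONC = "192.0.2.10"         # concentrator's DMZ address
RADIUS = "10.10.5.5"        # authentication server on a protected LAN segment
WEBMAIL = "10.10.8.20"

OUTER = [                   # Internet -> DMZ
    Rule("deny", VPN_POOL, "any"),           # anti-spoof: pool never comes from outside
    Rule("allow", "any", CONC, "udp", 500),  # IKE
    Rule("allow", "any", CONC, "udp", 4500), # IKE/ESP NAT traversal
    Rule("allow", "any", CONC, "esp"),
]
INNER_FULL = [              # DMZ -> LAN, Joerg's "allow pool -> LAN any"
    Rule("allow", CONC, RADIUS, "udp", 1812),
    Rule("allow", VPN_POOL, LAN),
]
INNER_GRANULAR = [          # DMZ -> LAN, per-application holes as in the list above
    Rule("allow", CONC, RADIUS, "udp", 1812),
    Rule("allow", VPN_POOL, WEBMAIL, "tcp", 443),
]
```

A packet the concentrator has decapsulated is evaluated only against the inner rules, while a spoofed packet from the Internet claiming a pool address is stopped at the outer firewall before it is ever seen by the LAN.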
Chris K
Security Audit Manager at PM Systems Corporation
Without question in the DMZ. NEVER place a device on your internal network that allows for the circumvention of your FW(s). Even if MFA is in place, the threat of what's on the "trusted" system is still enough to warrant that additional level of inspection. In an audit I will always rate that as a negative finding regardless of the other security controls in place.
Daniel H
holzman-tweedATwinterdreamDOTorg: Seasoned Risk management and information security expert / CISSP / NSA IEM / QSA
I think it's worth the extra administrative overhead to put the device in the DMZ. If the shop has to be PCI compliant, putting it on the LAN directly is out of the question.
I agree with the majority. I've argued the same point about Blackberry (BES server). Anything with a forward-facing interface should be placed in the DMZ. That's the purpose of the DMZ: to isolate these forward-facing servers/services. It's one more hoop for an attacker to break through, and it may even give you enough to catch and stop them before they make it to the LAN.
I would say in the ISL (internet services layer): one interface facing the Internet (connected via its own FW and IPS-enabled router), one interface connected to the main corp firewall with IPS enabled.
Be aware that these days a layer 7 FW as core firewall is a must.
The most secure way of VPN implementation is to place the VPN concentrator in the DMZ.
With the VPN concentrator in the DMZ you can be sure that any user who has connected to the VPN at least goes through one more level of security filtering compared to a VPN concentrator inside the internal LAN segment.
With the VPN concentrator inside the internal LAN segment your entire LAN becomes vulnerable to attack.
Secondly, with the VPN concentrator in the DMZ, even if an attacker manages to get the static IP of the VPN concentrator his attack perimeter is only the DMZ zone, and in no way will he have intelligence about the internal LAN.
And last, by implementing 2-factor authentication you are only protecting yourself against social engineering attacks. You should actually consider implementing security enforcement/NAC at the VPN concentrator (for example, check whether every user who is connecting to the network has a patched machine, updated antivirus etc.).
Gregg G
Currently on Long Term Medical Leave
I put mine on the VLAN, added security by group restrictions. After all, if I can do my work through the VPN what good does it do the company? Switch to SSL and web applications, place a web server farm and put an internal firewall in front of the apps and database servers. It's not security if no one can get in!
Jimi T
Manager of Web Operations at SMU and Owner, Magna Turris Consulting Services
The reason for putting in the DMZ is so that you don't have to allow people onto your internal network to authenticate. Keep in mind that they come in as John Q. Internet and not User Suzy.
Jeff T
Jeff Theunissen at Consultant
I would suggest DMZ even if you do put in an ANY ANY rule. The reason for this is that if you want to restrict something later on, you can. You can also place monitoring on this connection to see what is going across it. This way you are not blocking, but can be informed if suspicious behaviour occurs. Also, if you have some form of issue you can check the logs to see what connections have been happening through the VPNs. If you place the device on the LAN, not only will that allow your Internet connection into your network, which is not optimal network policy, but you will not have any layer of monitoring or logging from the device into your network other than from the VPN concentrator.