Any help with VPN termination?

Aaron P. Martinez ml at proficuous.com
Wed May 4 17:38:06 UTC 2005


On Wed, 2005-05-04 at 11:26 -0400, Nick Phillips wrote:
> Hi all,
> 
> I’m a relative newbie to VPN, and I’ve been asked to investigate
> setting up a VPN for a small office of about 50 people. The network
> architecture is an external firewall (which may be replaced with a
> firewall / VPN appliance, probably Astaro at this point)

A firewall/anything box is not my favorite choice. The firewall, imo, shouldn't
be running any services that can be attacked, simply passing packets and
optionally routing.

If you have a spare 4- or 5-year-old machine lying around, consider
throwing Linux or some BSD on it and running OpenVPN. It's a very
secure SSL-based VPN product, and you only need one port opened up in
your firewall; no GRE, so no custom kernel needed.

> , a DMZ containing Linux-webservers (192.168.2.x), and an internal
> Linux firewall protecting the LAN (192.168.1.x), composed of Windows
> XP machines, and also the file/mail servers (which will be switched to
> Windows Server as per management's request).
> 

> Now my question – where is the best place for the VPN to terminate,
> assuming that VPN users need access to the file servers inside the
> LAN? 

I do the same thing and have my VPN machine on the DMZ; on the off chance
that it gets compromised, I don't want it on the private LAN. You can
then allow your LAN firewall (not sure why you need two; the
outside firewall should be able to handle both the routing to the DMZ
and the private LAN and give you the same security level with one less
machine to administer) to pass packets from the DMZ interface with the
IP address class you assign to your VPN users.


For one more layer of security, at this point, you could allow traffic
ONLY to some internal NT authenticator/domain controller which they
have to log in through, and are provided network shares/resources this
way.


> With an external firewall / VPN appliance, as far as I understand it,
> the VPN sessions would terminate inside the DMZ, with an IP of
> 192.168.2.something. Providing those VPN users with access to the
> fileservers inside the LAN would require punching a bunch of holes in
> the internal firewall, right? This isn’t something that sounds too
> appealing to me. But what other solutions are there? Is it preferable
> to forward the VPN connection to be terminated on the inside firewall
> instead, so sessions would terminate inside the LAN with a
> 192.168.1.something IP? 
> 

You're running into the main dilemma that people run into when trying to
allow outsiders, even your own outsiders, onto your LAN. There is
currently, imo, no perfect solution. Remember too that when you're
allowing access to your LAN from outside, your LAN is only as protected
as the clients' machines. Once their home machines have been
compromised, it's open season on your LAN.

> 
> Could anybody with VPN experience suggest the best way to solve this?
> And forgive me if I’m screwy with some of the details of how VPN
> works, I’m still learning up on PPTP / L2TP / IPsec etc etc....
> 
> Regards,
> 
> Nick Phillips
> 
Aaron P. Martinez
http://www.proficuous.com
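The layout Aaron describes above, worked through as an added example that is not part of the original post or of OpenVPN's own documentation: one firewall box with an outside, a DMZ and a LAN interface, an OpenVPN server on a DMZ host listening on a single UDP port, and a LAN-side rule that only passes packets arriving on the DMZ interface with a source address from the pool OpenVPN hands to its clients. The interface names (eth0/eth1/eth2), the VPN host address 192.168.2.10, the client pool 10.8.0.0/24 and the file server 192.168.1.20 are all assumptions; adjust them to the real network.

```shell
#!/bin/sh
# Added example for this list thread; not code from the original post or from
# OpenVPN's own documentation. It models the layout Aaron describes with one
# firewall box and an OpenVPN server on a DMZ host. Every interface name and
# address below is an assumption; adjust to the real network.
OUTSIDE_IF=eth0              # assumed: Internet-facing interface
DMZ_IF=eth1                  # assumed: DMZ segment, 192.168.2.0/24
LAN_IF=eth2                  # assumed: private LAN, 192.168.1.0/24
VPN_HOST=192.168.2.10        # assumed: the OpenVPN box on the DMZ
VPN_POOL=10.8.0.0/24         # assumed: address range OpenVPN hands to clients
FILE_SERVER=192.168.1.20     # assumed: LAN file server reached over SMB (tcp/445)
LAN_NET=192.168.1.0/24

# Print the command (default, dry run) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Minimal server.conf for the DMZ OpenVPN host: a single UDP port, a dedicated
# client pool, and a pushed route so clients send LAN traffic into the tunnel.
# Certificates and the DH parameters must be generated separately.
gen_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
server ${VPN_POOL%/*} 255.255.255.0
push "route ${LAN_NET%/*} 255.255.255.0"
ca ca.crt
cert server.crt
key server.key
dh dh.pem
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
EOF
}

# VPN-related rules for the single firewall box (the existing LAN-to-Internet
# and DMZ web-server rules are not shown). One hole from the outside (udp/1194
# to the VPN host); DMZ-to-LAN forwarding only for packets that arrive on the
# DMZ interface with a VPN-pool source and go to the file server's SMB port.
vpn_firewall_rules() {
    run iptables -P FORWARD DROP

    # Return traffic for connections already allowed in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Nobody but the DMZ side may claim a VPN-pool source address.
    run iptables -A FORWARD ! -i "$DMZ_IF" -s "$VPN_POOL" -j DROP

    # The single opening from the Internet: the OpenVPN port on the DMZ host.
    run iptables -t nat -A PREROUTING -i "$OUTSIDE_IF" -p udp --dport 1194 \
        -j DNAT --to-destination "$VPN_HOST"
    run iptables -A FORWARD -i "$OUTSIDE_IF" -o "$DMZ_IF" -p udp -d "$VPN_HOST" \
        --dport 1194 -j ACCEPT

    # VPN users reach the file server's SMB port and nothing else on the LAN.
    # This only matches if the VPN host routes its clients rather than NATing
    # them behind its own DMZ address.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -s "$VPN_POOL" \
        -d "$FILE_SERVER" -p tcp --dport 445 -j ACCEPT

    # Everything else from the DMZ into the LAN is dropped, which covers a
    # compromised web server as much as a misbehaving VPN client.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # The firewall must know the client pool lives behind the VPN host, or
    # replies to VPN users never find their way back.
    run ip route add "$VPN_POOL" via "$VPN_HOST" dev "$DMZ_IF"
}

case "${1:-rules}" in
    conf)  gen_server_conf ;;
    rules) vpn_firewall_rules ;;
esac
```

Run it with no arguments to print the firewall rules, `conf` to print the server.conf, and `APPLY=1` to actually execute the commands. The DMZ host itself needs `net.ipv4.ip_forward=1` and must not masquerade its clients, otherwise every VPN packet reaches the firewall with the source 192.168.2.10 and the pool-based rule never matches. Note the limit of this design: any host on the same DMZ segment can forge a 10.8.0.0/24 source, so if the firewall has a spare interface, giving the VPN box its own segment makes the "arrived on the DMZ interface" check mean "came from the VPN box". Aaron's extra layer of pointing VPN users at a domain controller only is the same rule with FILE_SERVER swapped for the DC's address.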