
I'm currently looking to implement a VPN solution (based on a Checkpoint Connectra) purely to provide remote access to staff (no site-to-site, or customer access), but the one design decision I can't quite seem to reconcile in my own mind is the placement of the VPN appliance on the network.

I see that there are several options:

  • VPN Appliance in the DMZ
  • VPN Appliance on the LAN behind the firewall
  • VPN Appliance in parallel to the firewall

The Checkpoint documentation only mentions the VPN appliance on the LAN, or in the DMZ as options. Are there any overwhelming reasons for not having the VPN appliance in parallel to the firewall with a WAN router ACL directing the VPN traffic in the direction of the appliance? Or alternatively any overwhelming advantages to using one of the other two placement options?

AviD
Mike1980

2 Answers


For sure do everything you can to disable all ways to tunnel traffic between your servers and clients. I like the design above:

http://undeadly.org/cgi?action=article&sid=20100321135641

jirib


I would recommend DMZ. Also, consider if it's for your super-user community (access to critical servers); I would strongly recommend 2-factor auth with the VPN service.

The reason for DMZ is that this is your protected zone if one was to penetrate a layer. Having it in the DMZ will help keep some of the common kiddie scanning down. Reality is, it can be argued several different ways. But I see it most deployed in a DMZ, sometimes segmented off on its own switch layer.
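To make the "appliance in the DMZ" placement from the question and this answer concrete, here is an added example of the firewall policy that placement implies. It is not from the question, the answers or Check Point's documentation; it is a generic nftables ruleset for whatever firewall sits between WAN, DMZ and LAN. Interface names, the appliance address, the client pool, the internal server addresses and the RADIUS server are all assumptions chosen for illustration. The property it demonstrates is the one the answer is pointing at: both the encrypted traffic from the Internet to the appliance and the decrypted traffic from the appliance into the LAN cross the firewall and are filtered there, so a compromised appliance is not a free path inside.

```nftables
#!/usr/sbin/nft -f
# Added example: firewall policy for a remote-access VPN appliance placed in the DMZ.
# All addresses and interface names are assumed values, not taken from the question.

define WAN_IF   = eth0
define DMZ_IF   = eth1
define LAN_IF   = eth2
define VPN_GW   = 203.0.113.10                 # appliance's DMZ address (constructed, TEST-NET-3)
define VPN_POOL = 10.200.0.0/24                # address pool handed to remote-access clients (assumed)
define LAN_APPS = { 10.10.5.20, 10.10.5.21 }   # the only internal servers staff need (assumed)
define RADIUS   = 10.10.1.5                    # authentication server the appliance talks to (assumed)

table inet vpn_dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # 1. Internet -> appliance only, and only on its tunnel ports:
        #    SSL VPN on 443, IPsec IKE/NAT-T on UDP 500/4500, and ESP.
        #    Nothing else in the DMZ is reachable from the WAN.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $VPN_GW tcp dport 443 accept
        iifname $WAN_IF oifname $DMZ_IF ip daddr $VPN_GW udp dport { 500, 4500 } accept
        iifname $WAN_IF oifname $DMZ_IF ip daddr $VPN_GW ip protocol esp accept

        # 2. Decrypted client traffic leaving the appliance toward the LAN is
        #    still inspected here: the source must be the client pool and the
        #    destination must be one of the published internal services.
        iifname $DMZ_IF oifname $LAN_IF ip saddr $VPN_POOL ip daddr $LAN_APPS tcp dport { 443, 3389 } accept

        # 3. The appliance itself (not a client) may reach the authentication
        #    server, which is where a 2-factor check would be enforced.
        iifname $DMZ_IF oifname $LAN_IF ip saddr $VPN_GW ip daddr $RADIUS udp dport 1812 accept

        # 4. Remote clients may not pivot to other DMZ hosts or loop back out.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $VPN_POOL drop

        # 5. Everything else DMZ -> LAN is logged and dropped. This is what the
        #    DMZ placement buys: a compromised appliance still faces the firewall.
        iifname $DMZ_IF oifname $LAN_IF log prefix "vpn-dmz-to-lan-drop " drop
    }
}
```

Rule 2 is the one to compare across the three placements in the question. With the appliance on the LAN behind the firewall, decrypted client traffic never crosses a firewall boundary, so the equivalent of rule 2 has to live on the appliance itself. With the appliance in parallel to the firewall, only the router ACL sees the encrypted traffic, and the appliance's inside leg has to be attached to a firewall interface to get any filtering of the decrypted traffic at all.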