
A few days ago I was asking where to place the OpenVPN Access Server to provide network connectivity to LAN resources for remote users. While looking at the admin guide, one of the few options is "One Network Interface on Private Network Behind the Firewall". In this configuration, it is required that the Internet Gateway be set up to forward desired TCP/UDP port traffic from the public IP to the Access Server's private IP address. At a minimum, one TCP port (typically port 443) needs to be forwarded. I know that ideally it should be placed in a DMZ. The firewall may need to be configured to allow traffic between the Access Server and the private network behind the firewall. But my question is, what type of security steps should I undertake to make the border router/firewall as secure as possible? I would have to configure port forwarding for port 4443 from the public-facing interface to the RFC 1918 IP assigned to that OpenVPN AS, and I know that even though NAT was never meant to provide security it somehow hides my LAN resources, but what else?

I highly appreciate any help.

cyzczy

1 Answer


In an enterprise setting, it is always a good idea to segment the local network so that compromises in one area can't easily spread.

But a VPN solution is particularly tricky to secure since its whole purpose is to take computers outside your security boundary and let them tunnel inside. There is always going to be a risk that you need to be aware of and manage.

Ideally you would make sure that only legitimate devices and users can even get to the VPN end-point; using a non-standard port can be of some help in keeping "casual" botnets at bay. Some form of multi-factor authentication is really a must here.

Also ideally, the inner network that the VPN connects you to would also have limitations and you would certainly want further protected network segments for sensitive services such as your database servers.

For example, you might allow remote users access to some business services such as your Intranet but not others such as your Finance and HR services.


UPDATE: It is quite hard to explain the correct layout in just words. So please reference the SANS secure network design document from their reading room.

Julian Knight
  • But basically this is accomplished by configuring port forwarding, correct? – cyzczy Jan 01 '17 at 19:58
  • PAT/NAT is how you connect through from the outside to your VPN end-point. The router should also contain a firewall or you should pass the traffic via a firewall or other security device. There should always be a firewall/security device between segments of the network. – Julian Knight Jan 01 '17 at 22:05
  • So in case there's a firewall before the router, what would the addressing look like? I'm confused... everything from outside will hit the firewall's public IP and it will then route traffic to the router? – cyzczy Jan 02 '17 at 13:13
  • If the router doesn't have a built-in firewall, you would put the firewall after it, not before it. Most, of course, do have one built-in. I've added a link to a reference document from SANS that you may find helpful. – Julian Knight Jan 02 '17 at 14:44