I am trying to understand how security is set up on networks but cant seem to paint a picture in my mind of how it works. I`ll explain.... To have a RRAS server OUTSIDE your interior network means that the RRAS server is not joined to your Domain ( is this right?) sounds right!! but then where would a Firewall go if you wanted it between your RRAS server and interior network??? Does it go on the RRas server side or Interior network side or does`nt it matter????? As you can see i`m struggling. But soooo determined to understand.


  • rcooprcoop Member Posts: 183
    Normally a hardware firewall will have two (at least) network interfaces, one internal facing, and another external facing.

    So, to better summarize this, the fireware is what separates the two networks (but is connected to both). The firewall can, but doesn't need to be part of an active directory domain.

    Take Care,
    Working on MCTS:SQL Server 2005 (70-431) & Server+
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Actually the answer can vary depending on an organization's security policy, but in general you would place the RRAS server in a DMZ, between two firewalls or between a firewall a a screening router, or possibly on a third "DMZ" interface of a firewall. This DMZ is considered an "untrusted" network even though it has some protection, but since it must allow some access from the "outside", you still use a firewall with the necessary rules/ACL's configured to block as much traffic as possible while still allowing these remote connections. The internal facing firewall then is generally set up even more restricted and in your example may only allow traffic from the RRAS server for authenticating clients against an internal RADIUS server and once a client is authenticated he is allowed access to internal sources (hopefully using a VPN). That's a very general explanation, and here is a text diagram to help visualize:

    Internet --- Firewall --- DMZ (w/RRAS) --- Firewall --- Internal Network

    Other security considerations can come into play such as the aforementioned VPN, a VPN concentrator, the RRAS being "hardened" (Bastion Host concept), etc. Whether or not the RRAS is a member of the domain (applies to Windows environments) is debatable for several reasons and also depends on what firewall you use.

    I hope this post has helped!
    All things are possible, only believe.
  • billybob01billybob01 Member Posts: 504
    Wow thanks guys i feel i have a slightly clearer picture now, the security subject is so interesting but a B***h to get your head around!!!

    This forum is the best!!!!
Sign In or Register to comment.