SSL VPN

nt259 Member Posts: 5
Hi
What are the pros and cons of putting the SSL VPN server in the DMZ as compared to the internal network?

Comments

  • docrice Member Posts: 1,706
    It's just like any other advantage when talking about containment of externally-initiated traffic. If you have traffic sent from an untrusted source, it's advisable to terminate it in a DMZ so an authenticated malicious host (for example, someone who figured out the password of an employee) doesn't have direct access to the internal (and typically soft, sugar-coated, more trusted) network without having to cross another firewall boundary, which allows for white-listed access control and an auditing point.

    On the other hand, it introduces cost, complexity, and management overhead.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • nt259 Member Posts: 5
    If terminated at the DMZ, the encrypted data will be clear text, and a hacker will be able to get it, correct?

    What security controls can be put in place?
  • docrice Member Posts: 1,706
    Anything exiting the tunnel is cleartext, sure, but an attacker who manages to find access into a DMZ is still restricted by the firewall policy allowing access into the internal network. If the client traffic exits the tunnel and directly faces into the internal network, there is no firewall (or other perimeter inspection) control to prevent the attacker from accessing resources which a firewall may have otherwise blocked.

    As an example, it's common for different users in an organization to have different VPN access policies. Someone in the Marketing department vs. an Engineering department, let's say, would be dropped into different IP pools after user authentication during initial tunnel setup. Based on the client source address range, the firewall could be configured to allow Marketing users to only access servers for that department while Engineering users access other much more sensitive resources in the internal network.

    Since VPN gateways typically have at least two interfaces, a more complicated network design is to have two DMZs. The VPN gateway's "external" interface is in the first DMZ where firewall policies are much tighter, and the "internal" interface plugs into a slightly more trusted DMZ where some IP ranges are allowed access into internal networks. There's a lot of different ways to do this depending on organizational business risk levels.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
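The per-pool firewall policy and the two-firewall (outer/inner) layout described in the post above, modelled as an added example; this is not code from the thread or from any particular VPN product. All addresses, pool names, server ranges and the `vpn_inner` table name are hypothetical placeholders, and the nftables ruleset is only rendered as text, not applied. The point it makes concrete: because the VPN client's pool address is assigned after authentication, the inner firewall can enforce an allowlist per pool, so stolen Marketing credentials (or a foothold on the gateway itself, which sits in no pool) still cannot reach Engineering hosts.

```python
"""Per-pool VPN access policy as an explicit allowlist (constructed example).

Outer firewall: the Internet may only reach the VPN gateway's external
interface on TCP/443.  Inner firewall: each VPN address pool, assigned to the
client after authentication, may reach only the prefixes/ports listed for it.
Everything else is denied (default deny).  All addresses are hypothetical.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical public address of the gateway's "external" interface (TEST-NET-3).
VPN_EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")
VPN_EXTERNAL_PORT = 443  # SSL VPN listens here; nothing else is exposed


@dataclass(frozen=True)
class Rule:
    src_pool: ipaddress.IPv4Network   # VPN pool the client was dropped into
    dst: ipaddress.IPv4Network        # internal prefix that pool may reach
    proto: str
    dport: int


# Hypothetical pools handed out at tunnel setup, one per user group.
POOLS = {
    "marketing":   ipaddress.ip_network("10.200.1.0/24"),
    "engineering": ipaddress.ip_network("10.200.2.0/24"),
}

# Inner-firewall allowlist.  Marketing sees only its web apps; Engineering also
# gets SSH/HTTPS to the (more sensitive) build hosts.  Nothing else is listed,
# so nothing else is reachable from any pool.
INNER_RULES = [
    Rule(POOLS["marketing"],   ipaddress.ip_network("10.10.50.0/24"), "tcp", 443),
    Rule(POOLS["engineering"], ipaddress.ip_network("10.10.50.0/24"), "tcp", 443),
    Rule(POOLS["engineering"], ipaddress.ip_network("10.10.60.0/24"), "tcp", 22),
    Rule(POOLS["engineering"], ipaddress.ip_network("10.10.60.0/24"), "tcp", 443),
]


def outer_allows(dst_ip: str, proto: str, dport: int) -> bool:
    """Outer firewall: only the SSL VPN listener is reachable from the Internet."""
    return (proto == "tcp"
            and ipaddress.ip_address(dst_ip) == VPN_EXTERNAL_IP
            and dport == VPN_EXTERNAL_PORT)


def inner_allows(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Inner firewall: first matching allowlist entry wins, otherwise drop.

    A source that is in no pool (e.g. the gateway's own interface, or a host an
    attacker planted in the DMZ) matches nothing and is dropped as well.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in INNER_RULES:
        if src in r.src_pool and dst in r.dst and r.proto == proto and r.dport == dport:
            return True
    return False


def audit_line(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """The 'auditing point' the firewall boundary gives you: one line per decision."""
    verdict = "ACCEPT" if inner_allows(src_ip, dst_ip, proto, dport) else "DROP"
    return f"vpn_inner {verdict} {src_ip} -> {dst_ip} {proto}/{dport}"


def to_nftables(rules) -> str:
    """Render the inner allowlist as an nftables ruleset (text only, not loaded)."""
    lines = [
        "table inet vpn_inner {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(f"    ip saddr {r.src_pool} ip daddr {r.dst} "
                     f"{r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed flows: a Marketing client, an Engineering client, and a source
    # on the gateway's internal-side DMZ that belongs to no pool.
    for flow in [("10.200.1.25", "10.10.50.8", "tcp", 443),
                 ("10.200.1.25", "10.10.60.8", "tcp", 22),
                 ("10.200.2.9",  "10.10.60.8", "tcp", 22),
                 ("10.200.0.5",  "10.10.60.8", "tcp", 22)]:
        print(audit_line(*flow))
    print(to_nftables(INNER_RULES))
```

Note that the policy keys on the pool address, so it is only as strong as the gateway's pool assignment: if any authenticated user could request an address from another group's pool, the inner firewall would not notice. The first nftables rule also accepts return traffic for established connections, which is what lets the allowlist stay short.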