Where do you put *your* VPN?
September 22, 2009 6:16 PM Subscribe
Where exactly should I place my VPN server in my network?
I have a working home network, with a Debian box running as a DNS server and firewall. I'm using it for business purposes, and will more than likely either need to access the network on the road or allow my business partner to work from home on a regular basis.
While I'm not so much concerned about how to configure the VPN server right now, what I am concerned about is where I should place the VPN server to keep everything secure. As it stands, I'm also planning on using a proxy server (legal requirement to keep browser logs, FTL), so I'll more than likely be using a DMZ in my network architecture. Should the VPN be placed in the DMZ, or does that seem overkill? If not, why? If so, what does this gain me? (I can think of a few things, but I'm not 100% sure if I'm right.)
If it helps, security is of the utmost concern - I will be doing legal work for clients involving electronically stored information, and most of my forensic boxes and analyzation tools will be on a closed internal network without access to the internet. However, I'm looking for the best way to secure things so medium-security information can still be accessed via the VPN, without having to worry.
I have a working home network, with a Debian box running as a DNS server and firewall. I'm using it for business purposes, and will more than likely either need to access the network on the road or allow my business partner to work from home on a regular basis.
While I'm not so much concerned about how to configure the VPN server right now, what I am concerned about is where I should place the VPN server to keep everything secure. As it stands, I'm also planning on using a proxy server (legal requirement to keep browser logs, FTL), so I'll more than likely be using a DMZ in my network architecture. Should the VPN be placed in the DMZ, or does that seem overkill? If not, why? If so, what does this gain me? (I can think of a few things, but I'm not 100% sure if I'm right.)
If it helps, security is of the utmost concern - I will be doing legal work for clients involving electronically stored information, and most of my forensic boxes and analyzation tools will be on a closed internal network without access to the internet. However, I'm looking for the best way to secure things so medium-security information can still be accessed via the VPN, without having to worry.
Inside the network & just forward ports through the firewall. Or integrate it with the firewall.
Are you getting an appliance or rolling your own on a server?
posted by ijoyner at 8:07 PM on September 22, 2009
Are you getting an appliance or rolling your own on a server?
posted by ijoyner at 8:07 PM on September 22, 2009
VPN servers vary, a lot, in terms of how they interact with the clients they support. Some must be reachable on public Internet ports, to function, and many will not function over forwarded port paths, or NAT devices like common SOHO firewall/routers (to prevent man-in-the-middle spoofs). If you choose one of the these as your VPN server, you'll need to place its outward interface in the public Internet address space, and you'll probably be offered an option to set its inward interface to DMZ or internal network addresses, depending on your choices for other other relevant security considerations.
You really need to pick your VPN server and client, to best decide how to configure your network for VPN access. Some commercial VPN servers also include functionality to act as the SOHO network firewall/NAT device, with the caveat that such choices also concentrate the security issues to a single point of failure.
posted by paulsc at 8:18 PM on September 22, 2009
You really need to pick your VPN server and client, to best decide how to configure your network for VPN access. Some commercial VPN servers also include functionality to act as the SOHO network firewall/NAT device, with the caveat that such choices also concentrate the security issues to a single point of failure.
posted by paulsc at 8:18 PM on September 22, 2009
Most modern firewalls (Netscreen, Checkpoint, PIX) also act as VPN servers. Since you have a Linux-based standalone firewall, set it up as your VPN server as well.
posted by Slap*Happy at 6:10 AM on September 23, 2009
posted by Slap*Happy at 6:10 AM on September 23, 2009
Response by poster: Okay - I can see the point of rolling the VPN into the firewall box, but a few more details: the Firewall box is a Pentium II. Liked reusing an older computer for this purpose because it was cheap, and I had three or four of them laying around. I'm to understand that the encryption/decryption that's going to be going on is probably going to require more horsepower than what's currently under the hood. Commercial products are right out; I'm starting this business on a shoestring, so I'm trying to keep all my costs as low as possible.
It looks like everyone's telling me that best scenario is to have a firewall box with a VPN setup rolled in, or to place it inside the network instead of in the DMZ.
posted by plaidrabbit at 7:53 AM on September 23, 2009
It looks like everyone's telling me that best scenario is to have a firewall box with a VPN setup rolled in, or to place it inside the network instead of in the DMZ.
posted by plaidrabbit at 7:53 AM on September 23, 2009
"... I'm to understand that the encryption/decryption that's going to be going on is probably going to require more horsepower than what's currently under the hood. ..."
Maybe, but maybe not. A lot depends on what else, besides VPN, the box will be doing. There's no inherent reason to put your whole load on a single box, either, (assuming you have a few public IP addresses) and there is some sense that splitting the VPN tasks to a dedicated machine, and your firewall/NAT/security policy to another, particularly if you are going to be running high traffic Web servers in a DMZ behind the firewall, might be a better strategy, if you have more than 1 public IP address available. A PII machine with 32mb of memory and a 1GB drive, running a stripped down FreeBSD implementation, is sufficient for effectively running a VPN server adequate for supporting several simultaneous PPTP clients, up to an aggregate of T1 bit rates or better.
"... Commercial products are right out; I'm starting this business on a shoestring, so I'm trying to keep all my costs as low as possible. ..."
I'll suggest, in as friendly a tone as possible, that you should really think about the cost issue, in terms of your larger business goals. Doing sensitive forensic data work for lawyers, I really doubt it is prudent for you to rely on home-rolled solutions for your security. A big advantage of commercial solutions is the very visibility they have to attack, and the large user experience with configuration. A Checkpoint VPN/firewall/NAT/security box and annual subscription is an expense that will amortize to a few dozen dollars a month, at most, and give you industry recognized border protection, and broad VPN capability. If your business can't support that, can you afford the risk of lawsuits that might result if your homebrew solutions are compromised? You'll also save many hours of ongoing work setting up and testing your homebrew solutions, and keeping them intrusion tested. (Checkpoint has some nice tools for running and reporting simulated attacks against their own products, and you can also find a number of sites that run automated security scans. Having the commercial solution, with results regularly run, and forwarded to your administrative email account, automatically, is something of a check-off item for many legal firms engaging computer services consultants, these days.)
That said, building all your VPN/NAT/firewall/security/port forwarding/DMZ on a single box, from a single public IP, is possible, and perhaps theoretically attractive from a cost standpoint, if you are trying to run all this from a residential Internet service, but you won't be successful doing this from many ISP's networks, because of filtering/traffic shaping/bandwidth limiters/and TOS controls, prohibiting running servers on residential service connections. If you sign up for business class service, you usually get a small subnet of public IP addresses to use, and most of the traffic shaping filters in the ISP network are dropped. Thus, the single purpose VPN machine becomes an attractive alternative, in conjunction with your normal firewall/NAT/router/DMZ/security machine. It's a bit easier to configure and monitor administratively, particularly if you have plans for adding Web servers, ftp servers and email in your DMZ, and a separate, sole purpose VPN box running along side all that, can afford to be pretty hostile to snoopers. If you want to get really heavy duty, with at least a separate IP interface for VPN (if not a whole machine), you can more easily isolate VPN traffic if you want to add taps, traffic logging, or honeypots, for greater protection.
posted by paulsc at 2:45 PM on September 23, 2009
Maybe, but maybe not. A lot depends on what else, besides VPN, the box will be doing. There's no inherent reason to put your whole load on a single box, either, (assuming you have a few public IP addresses) and there is some sense that splitting the VPN tasks to a dedicated machine, and your firewall/NAT/security policy to another, particularly if you are going to be running high traffic Web servers in a DMZ behind the firewall, might be a better strategy, if you have more than 1 public IP address available. A PII machine with 32mb of memory and a 1GB drive, running a stripped down FreeBSD implementation, is sufficient for effectively running a VPN server adequate for supporting several simultaneous PPTP clients, up to an aggregate of T1 bit rates or better.
"... Commercial products are right out; I'm starting this business on a shoestring, so I'm trying to keep all my costs as low as possible. ..."
I'll suggest, in as friendly a tone as possible, that you should really think about the cost issue, in terms of your larger business goals. Doing sensitive forensic data work for lawyers, I really doubt it is prudent for you to rely on home-rolled solutions for your security. A big advantage of commercial solutions is the very visibility they have to attack, and the large user experience with configuration. A Checkpoint VPN/firewall/NAT/security box and annual subscription is an expense that will amortize to a few dozen dollars a month, at most, and give you industry recognized border protection, and broad VPN capability. If your business can't support that, can you afford the risk of lawsuits that might result if your homebrew solutions are compromised? You'll also save many hours of ongoing work setting up and testing your homebrew solutions, and keeping them intrusion tested. (Checkpoint has some nice tools for running and reporting simulated attacks against their own products, and you can also find a number of sites that run automated security scans. Having the commercial solution, with results regularly run, and forwarded to your administrative email account, automatically, is something of a check-off item for many legal firms engaging computer services consultants, these days.)
That said, building all your VPN/NAT/firewall/security/port forwarding/DMZ on a single box, from a single public IP, is possible, and perhaps theoretically attractive from a cost standpoint, if you are trying to run all this from a residential Internet service, but you won't be successful doing this from many ISP's networks, because of filtering/traffic shaping/bandwidth limiters/and TOS controls, prohibiting running servers on residential service connections. If you sign up for business class service, you usually get a small subnet of public IP addresses to use, and most of the traffic shaping filters in the ISP network are dropped. Thus, the single purpose VPN machine becomes an attractive alternative, in conjunction with your normal firewall/NAT/router/DMZ/security machine. It's a bit easier to configure and monitor administratively, particularly if you have plans for adding Web servers, ftp servers and email in your DMZ, and a separate, sole purpose VPN box running along side all that, can afford to be pretty hostile to snoopers. If you want to get really heavy duty, with at least a separate IP interface for VPN (if not a whole machine), you can more easily isolate VPN traffic if you want to add taps, traffic logging, or honeypots, for greater protection.
posted by paulsc at 2:45 PM on September 23, 2009
This thread is closed to new comments.
I'd think that your best bet is to integrate your VPN and firewall functionality. That shouldn't be especially hard to do.
posted by me & my monkey at 6:47 PM on September 22, 2009