[CentOS] [OT] VPN/DMZ best practices

Thu Aug 14 15:01:42 UTC 2008
Scott McClanahan <smcclanahan at forterrainc.com>

There is such a wealth of knowledge and personal experience on this list
that I'd like to get your opinions on our current situation.

Currently, we have a simple tri-homed firewall with the internal network
on one interface, the dmz on another, and the dirty internet on the
last.  Also, there is a spare interface on the box which is unused.  We
use CentOS and manually maintain our rule sets and routes since it's not
really that complex.

I'd like to set up a vpn connection between our office and a remote
office, as well as allow remote users to vpn into their desktops and
map samba shares.  I would prefer to tie in the openvpn software with
our internal openldap server.  Our dmz is currently not in use at all
but will be soon, hosting our software.  Having said all of this, what
insights do you have for the following:

1.  What are your recommendations for where the vpn (openvpn on linux)
appliance should reside?  In the dmz?  Internally and configure the
firewall to allow (and nat) vpn connections?  On the unused interface in
a different dmz than our hosting software?  Somewhere else?

2.  Should I abandon the single firewall approach and instead use two
firewalls in a more traditional setup (gateway firewall -> dmz ->
internal firewall)?  If so, where should the vpn appliance go?

I'll probably have more questions based on your answers and I look
forward to the responses.  Thanks.
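As an added illustration of one of the options raised in question 1 (the openvpn host on the spare interface, treated as its own vpn dmz), not part of the original post or any reply: a minimal iptables policy for the tri-homed CentOS box. Interface names, addresses and ports are assumptions; the point is that tunnel clients get a narrow path to the samba server, the vpn host gets a narrow path to the internal openldap server, and nothing crosses into the hosting dmz.

```shell
#!/bin/sh
# Added example: rules for an OpenVPN host on the spare interface, run as a
# separate "VPN DMZ". Every name, address and port here is assumed.
WAN=eth0  LAN=eth1  DMZ=eth2  VPN=eth3   # dirty internet, internal, hosting dmz, spare
VPN_HOST=192.168.30.2       # OpenVPN server on the spare-interface segment
TUN_NET=10.8.0.0/24         # addresses handed to tunnel clients
FILE_SRV=192.168.10.20      # samba server that remote users may reach
LDAP_SRV=192.168.10.5       # internal openldap used for VPN authentication
DRY_RUN=${DRY_RUN:-0}

# Print each rule instead of applying it when DRY_RUN=1, so the policy can
# be reviewed (or tested) on a box without iptables.
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

vpn_dmz_rules() {
  ipt -P FORWARD DROP                                  # default deny between segments
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Internet may reach only the OpenVPN listener on the VPN segment.
  ipt -t nat -A PREROUTING -i "$WAN" -p udp --dport 1194 -j DNAT --to-destination "$VPN_HOST"
  ipt -A FORWARD -i "$WAN" -o "$VPN" -d "$VPN_HOST" -p udp --dport 1194 -m state --state NEW -j ACCEPT
  # The VPN host itself may talk to the internal LDAP server for user auth.
  ipt -A FORWARD -i "$VPN" -o "$LAN" -s "$VPN_HOST" -d "$LDAP_SRV" -p tcp --dport 389 -m state --state NEW -j ACCEPT
  # Tunnel clients reach only SMB on the file server, not the whole LAN.
  ipt -A FORWARD -i "$VPN" -o "$LAN" -s "$TUN_NET" -d "$FILE_SRV" -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
  # Nothing crosses from the VPN segment into the hosting DMZ; log what tries.
  ipt -A FORWARD -i "$VPN" -o "$DMZ" -j LOG --log-prefix "vpn2dmz-drop: "
  ipt -A FORWARD -i "$VPN" -o "$DMZ" -j DROP
}

# Usage: sh vpn-dmz.sh show   (print the rules)  |  sh vpn-dmz.sh apply
case "${1:-}" in
  show)  DRY_RUN=1; vpn_dmz_rules ;;
  apply) vpn_dmz_rules ;;
esac
```

Return traffic from the LAN to tunnel clients is covered by the ESTABLISHED,RELATED rule, so no reverse rule is needed for the file server.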