[CentOS] [OT] VPN/DMZ best practices

Thu Aug 14 19:13:57 UTC 2008
Trevor Benson <tbenson at a-1networks.com>

> There is such a wealth of knowledge and personal experience on this
> list
> that I'd like to get your opinions on our current situation.
> Currently, we have a simple tri-homed firewall with the internal
> network


> 1.  What are your recommendations for where the vpn (openvpn on linux)
> appliance should reside?  In the dmz?  Internally and configure the
> firewall to allow (and nat) vpn connections?  On the unused interface
> in
> a different dmz than our hosting software?  Somewhere else?

For basics regarding your environment if Linux is your firewall gateway appliance and you have multiple internal networks behind it, then openvpn on the gateway is the simplest most effective way to connect the networks.  Ssl vpn's can be behind network gateway devices, but then depending on the type of connection between sites (site to site or road warrior) you may need to configure additional routes on the gateway or each machine to return traffic.  If its on the gateway for your networks then that box decides how to route it out properly.

> 2.  Should I abandon the single firewall approach and instead use two
> firewalls in a more traditional setup (gateway firewall -> dmz ->
> internal firewall)?  If so, where should the vpn appliance go?

We do VPN's, Firewalls, and security for quite a few collocations and companies.  Rarely is a company so security conscious that they want multiple layers of firewalls, and the complexity that can bring to the environment.  Usually those that do have the staff on hand to troubleshoot complex networks as they need to adjust things.  Not to say that this isn't done, many people do, but does your environment necessitate this level of security?  If not lets stick to the single device approach.

> I'll probably have more questions based on your answers and I look
> forward to the responses.  Thanks.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos