You are right, each approach has its own pros and cons.
1) This does not seem to be a logical choice. If the servers are
compromised you have a hacker with all the user names and passwords
on the server and a bastion host outside the wall to break into the
wall.
2) Installing in the DMZ
This seems more secure, if the servers are compromised you still have
additional security, but it is more complicated to implement. Another
observation is that you will be opening a hole from your DMZ to the
internal network and vice versa.
3) On the internal
This seems like the most uncomplicated way of doing it. You can
control the security at the firewall and monitor traffic for any
goofing around. Open PPTP or whatever the client requires and this
should work fine. Remember you can keep on adding security, but at
some point you have to ask, is it worth it?
Amit Kaushal
Deloitte & Touche LLP
ebusiness technologies and security
______________________________ Reply Separator _________________________________
Subject: Where Should the VPN Server Go?
Author: [EMAIL PROTECTED] at Internet-USA
Date: 5/31/2000 10:15 AM
Greetings! This is my first post to the firewalls mailing list.
I am about to install two Windows NT or Windows 2000 VPN servers for
site-site communications and road-warrior access.
What is the conventional wisdom for the placement of these servers? Should
they each go:
(1) Outside their respective firewalls?
(2) In the DMZ at each location?
(3) On the internal network at each location?
Each approach seems to have its own advantages and disadvantages.
--Eric
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]