I'm a bit confused by your comments. I asked where the *VPN* server should
go and you replied with your opinion about the placement of the *web*
server.

--Eric 

-----Original Message-----
From: Crumrine, Gary L [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 01, 2000 5:14 AM
To: Amit Kaushal; [EMAIL PROTECTED]
Subject: RE: Where Should the VPN Server Go?


I disagree with your answers.  1 is OK, but 2 and 3 are flawed.  2) Probably
the best choice if the website has to be available from the Internet.  You
get logging, you can control access by your rulesets because it is on a
different subnet altogether, and you do NOT open holes in the firewall that
you wouldn't have to open anyway.  I would recommend not placing more than
one webpage on a server though.  Why?  If one is hacked, they all go down,
or they are all hacked.  I know IIS makes this a simple task but there are
problems.  3) Holes?  Only if you have to make it available to the outside.
You put it on the inside and they have a direct conduit to the internal
network.

> -----Original Message-----
> From: Amit Kaushal [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 31, 2000 2:09 PM
> To:   [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:      Re: Where Should the VPN Server Go?
> 
> 
>      You are right, each approach has its own pros and cons.
>      
>      1) This does not seem to be a logical choice. If the servers are 
>      compromised you have a hacker with all the user names and passwords 
>      on the server and a bastion host outside the wall to break into the 
>      wall.
>      
>      2) installing in the DMZ
>      
>      This seems more secure, if the servers are compromised you still have
>      additional security, but it is more complicated to implement. Another
>      observation is that you will be opening a hole from your DMZ to the 
>      internal network and vice versa. 
>      
>      2) On the internal
>      
>      This seems like the most uncomplicated way of doing it. You can 
>      control the security at the firewall and monitor traffic for any 
>      goofing around. Open PPTP or whatever the client requires and this 
>      should work fine. Remember you can keep on adding security, but at 
>      some point you have to ask, is it worth it?
>      
>      
>      Amit Kaushal
>      Deloitte & Touche LLP
>      ebusiness technologies and security
> 
> 
> ______________________________ Reply Separator
> _________________________________
> Subject: Where Should the VPN Server Go?
> Author:  [EMAIL PROTECTED] at Internet-USA
> Date:    5/31/2000 10:15 AM
> 
> 
> Greetings! This is my first post to the firewalls mailing list.
>      
> I am about to install two Windows NT or Windows 2000 VPN servers for 
> site-site communications and road-warrior access.
>      
> What is the conventional wisdom for the placement of these servers? Should
> they each go:
>      
> (1) Outside their respective firewalls?
>      
> (2) In the DMZ at each location?
>      
> (3) On the internal network at each location?
>      
> Each approach seems to have its own advantages and disadvantages.
>      
> --Eric
>      
>      
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with 
> "unsubscribe firewalls" in the body of the message.]