Abstract

Virtual private networks (VPNs) have quickly come to supplant traditional WAN technologies such as Frame Relay, leased lines, and dialup networks. They reduce the total cost of ownership of the WAN by eliminating the recurring costs associated with those technologies and by using the underlying and nascent IP technology a company has already deployed. The key to using a VPN with a demilitarized zone (DMZ) is how the VPN is deployed in the DMZ itself. There are three primary methods of terminating VPN tunnels in a DMZ: at the edge router, at the firewall, and at a dedicated appliance. Each method has its advantages and disadvantages. Terminating the VPN at the edge router allows traffic to reach servers outside the firewall and possibly inside the firewall, depending on the configured policy, but this solution can consume resources on a device that is usually designed to pass packets as quickly as possible. Terminating a VPN tunnel at the firewall allows direct access to the internal or DMZ network, but it could actually lower the security posture of the internal network if not configured well, and it can use up resources on the firewall, which could slow down processing of all traffic leaving your network. The last option is a dedicated VPN appliance, which could require some extra attention to make sure it is implemented in a secure fashion. It is an additional expense when most companies already have edge routers and firewalls, but it allows larger VPN infrastructures to be built without placing a burden on other devices in the network.
