Security Basics mailing list archives

RE: DMZ and VPN


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 18 Feb 2003 12:40:47 -0500

I'm not sure I understand the question. You mean having the same box acting as
both a DMZ FTP server and also an endpoint for VPN tunnels?  That's
seriously complicating things.  Primary rule for security:  simplify.  If
you can't figure out the implications of doing something, you probably can't
secure it.  In this particular case, if you landed VPNs on a DMZ host, you'd
have to allow that host unfettered access through the firewall OR give it an
internal NIC.  Both are terrible options; in fact, at my company, NEITHER
is acceptable.

-----Original Message-----
From: Security Manager [mailto:sec_man1234 () yahoo com] 
Sent: Monday, February 17, 2003 12:30 PM
To: security-basics () securityfocus com
Subject: DMZ and VPN

I've been following the thread on FTP servers in the DMZ with interest. 
I'm curious as to how it applies to a server providing VPN access using 
Win2k Server's Routing and Remote Access.

Given that the VPN is supposed to give access to the private network to 
external clients (who can authenticate) how can you avoid having at 
least one interface on the local network? Surely the best you can do is 
have one interface on the private network, and the other in a DMZ 
(behind the firewall) - but you've still the problem if the VPN provider 
is compromised!

How do you solve that one?

TIA - SecMan.

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate
companies are not responsible for errors or omissions in this e-mail message.
Any personal comments made in this e-mail do not reflect the views of Blue
Cross Blue Shield of Florida, Inc.
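The trade-off the reply describes, as an added example that is not part of the thread: a small default-deny firewall policy model (constructed zone, host and port names; TCP 1723/PPTP is assumed as the RRAS listener) that computes which internal services an attacker holding a DMZ host could reach directly. The FTP placement needs one narrow rule into the LAN; the VPN-in-DMZ placement needs the any/any hole the reply mentions, so a compromise of that host reaches every internal service.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed inventory (not from the thread): the internal services a
# compromised DMZ host might be able to reach, as (host, port).
INTERNAL_SERVICES: List[Tuple[str, int]] = [
    ("ad-dc", 389),     # LDAP
    ("ad-dc", 445),     # SMB
    ("file-srv", 445),  # SMB file share
    ("db-srv", 1433),   # MS SQL
    ("mail-srv", 25),   # SMTP
]


@dataclass(frozen=True)
class Rule:
    """One allow rule. '*' matches any host; port None matches any port."""
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    port: Optional[int]

    def matches(self, src_zone: str, src_host: str,
                dst_zone: str, dst_host: str, port: int) -> bool:
        return (self.src_zone == src_zone
                and self.src_host in ("*", src_host)
                and self.dst_zone == dst_zone
                and self.dst_host in ("*", dst_host)
                and self.port in (None, port))


def allowed(policy: List[Rule], src_zone: str, src_host: str,
            dst_zone: str, dst_host: str, port: int) -> bool:
    """Default deny: a flow passes only if some allow rule matches it."""
    return any(r.matches(src_zone, src_host, dst_zone, dst_host, port)
               for r in policy)


def internal_blast_radius(policy: List[Rule], dmz_host: str) -> Set[Tuple[str, int]]:
    """Internal services an attacker who owns `dmz_host` can reach directly."""
    return {(h, p) for h, p in INTERNAL_SERVICES
            if allowed(policy, "dmz", dmz_host, "internal", h, p)}


# Placement A: FTP server in the DMZ. It needs exactly one flow into the LAN
# (assumed here: a sync to one file server), and nothing else.
FTP_DMZ_POLICY: List[Rule] = [
    Rule("internet", "*", "dmz", "ftp-dmz", 21),
    Rule("dmz", "ftp-dmz", "internal", "file-srv", 445),
]

# Placement B: VPN endpoint in the DMZ (assumed PPTP/RRAS on TCP 1723).
# To forward remote users to arbitrary LAN hosts, the endpoint itself needs
# the "unfettered" any/any rule through the inner firewall.
VPN_DMZ_POLICY: List[Rule] = [
    Rule("internet", "*", "dmz", "vpn-dmz", 1723),
    Rule("dmz", "vpn-dmz", "internal", "*", None),
]


if __name__ == "__main__":
    for name, policy, host in (("FTP in DMZ", FTP_DMZ_POLICY, "ftp-dmz"),
                               ("VPN in DMZ", VPN_DMZ_POLICY, "vpn-dmz")):
        reach = internal_blast_radius(policy, host)
        print(f"{name}: a compromised {host} reaches "
              f"{len(reach)}/{len(INTERNAL_SERVICES)} internal services: "
              f"{sorted(reach)}")
```

The same model extends to the reply's second option (a second NIC on the internal network): that is equivalent to an any/any rule that bypasses the firewall entirely, so the blast radius is the whole internal zone either way.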