Posted: July 22, 2009 in 2 Factor Authentication, PCI, Posts, Rethink Remote Access

We’re following a great discussion on LinkedIn as to where to keep a VPN gateway – in the DMZ or on the LAN directly. Pros and cons are argued for both sides (mostly pro-DMZ) and we’d like to hear your views on this debate. The views split over admin setup issues and effective security.

Placing the gateway within the DMZ provides an extra security cushion, at the cost of significant admin work on the firewall rules. Of interest to us was Joerg Gerschuetz’s comment:

So to allow the full LAN access to legitimate VPN users you simply have to implement an ‘allow IP-Pools LAN-IPs any’ rule in the inner firewall. And make sure that these VPN-IP-pools are blocked at the outer firewall. So security relies on your VPN authentication method and robustness, but with a multi-factor authentication this is a valid approach from my perspective.

The DMZ also gives network admins the comfort of knowing that even if an attacker gets hold of the gateway’s static IP, they can’t get out of the DMZ and into the LAN. There’s also the issue of PCI compliance: to be compliant, the gateway has to be in the DMZ.
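To make the two-firewall arrangement from Joerg’s comment concrete, here is a small policy model we put together for this post (it is not from the LinkedIn thread or from any vendor). It encodes the inner-firewall ‘allow IP-Pools LAN-IPs any’ rule, the matching block of the VPN pool at the outer firewall, and a default-deny, then checks a handful of constructed packets against each firewall. The address ranges, the gateway IP and the IPsec ports (UDP 500/4500) are assumptions for illustration; the post names none of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addressing for the example (assumption, not from the post).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")     # addresses handed to VPN clients
LAN = ipaddress.ip_network("192.168.10.0/24")        # internal LAN behind the inner firewall
GATEWAY = ipaddress.ip_network("172.16.1.10/32")     # VPN gateway's static address in the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any destination port
    action: str               # "allow" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation with an implicit default-deny, as on most firewalls."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (src in r.src and dst in r.dst
                and (r.proto is None or r.proto == pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return default


# Outer firewall (Internet -> DMZ). The anti-spoofing drops come first: nothing arriving
# from the Internet may claim a source address from the VPN pool or the LAN.
OUTER_FW = [
    Rule(VPN_POOL, ANY, None, None, "drop"),
    Rule(LAN, ANY, None, None, "drop"),
    # Only the tunnel protocol may reach the gateway (IPsec IKE / NAT-T assumed).
    Rule(ANY, GATEWAY, "udp", 500, "allow"),
    Rule(ANY, GATEWAY, "udp", 4500, "allow"),
]

# Inner firewall (DMZ -> LAN). Joerg's rule: 'allow IP-Pools LAN-IPs any'.
# The gateway's own DMZ address is deliberately absent, so a compromised gateway
# host cannot reach the LAN on its own; only decapsulated, authenticated client
# traffic carrying a pool address can.
INNER_FW = [
    Rule(VPN_POOL, LAN, None, None, "allow"),
]


def check_policy() -> Dict[str, str]:
    """Run constructed scenarios through the two firewalls and return the verdicts."""
    lan_host = "192.168.10.20"
    client_pool_ip = "10.200.0.5"
    internet_ip = "203.0.113.7"        # documentation range, constructed
    return {
        # Internet host spoofing a VPN-pool source straight at the LAN: outer FW drops it.
        "spoofed_pool_src_at_outer": evaluate(
            OUTER_FW, Packet(client_pool_ip, lan_host, "tcp", 445)),
        # Legitimate tunnel setup from the Internet to the gateway: allowed.
        "ike_to_gateway_at_outer": evaluate(
            OUTER_FW, Packet(internet_ip, "172.16.1.10", "udp", 500)),
        # Internet host trying to reach the LAN directly: no rule, default deny.
        "internet_to_lan_at_outer": evaluate(
            OUTER_FW, Packet(internet_ip, lan_host, "tcp", 445)),
        # Decapsulated traffic from an authenticated client, now carrying a pool address.
        "decapsulated_client_at_inner": evaluate(
            INNER_FW, Packet(client_pool_ip, lan_host, "tcp", 445)),
        # The gateway host itself (or an attacker holding its IP) trying to reach the LAN.
        "gateway_host_to_lan_at_inner": evaluate(
            INNER_FW, Packet("172.16.1.10", lan_host, "tcp", 22)),
    }


if __name__ == "__main__":
    for scenario, verdict in check_policy().items():
        print(f"{scenario:32s} {verdict}")
```

The ordering matters: if the anti-spoofing drops at the outer firewall came after a broad allow, a packet from the Internet could present a pool address and be waved through by the inner firewall’s ‘allow IP-Pools LAN-IPs any’ rule. That is exactly why Joerg pairs the inner allow with a block of the pool at the outer firewall, and why, as the post notes, the whole arrangement still stands or falls with the strength of the VPN authentication.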

All agree that placing the gateway on the LAN directly bypasses the safety of the DMZ (IPS/IDS, two firewalls, etc.); however, with two-factor authentication this might be acceptable.

Bottom line: placing the gateway in the DMZ is the most secure option, but it comes with the headache of managing the rules on both firewalls. Read it for yourself and comment on VPN Haus.