[Cialug] VPN server on Firewall or File Server

Claus cniesen at gmx.net
Mon Jan 23 11:57:21 CST 2006


On 1/21/2006 11:14 PM, Mark Hesseltine wrote:
> On 1/21/06, Claus Niesen <cniesen at gmx.net> wrote:
> 
>>Where do you recommend I put the VPN server? On the firewall or on the file
>>server?  My simplified network layout is:
>>
>>               WLAN
>>                 |
>>             +--------+         +----------+
>>  Internet --|Firewall|-- LAN --|FileServer|
>>             +--------+         +----------+
>>                 |
>>                DMZ
>>
>>The VPN is mainly used for Samba and Windows shares.
>>
>>Thanks,
>>  Claus
>>
> 
> 
> I think it makes the most sense to put the VPN server behind the
> firewall. You can then use the firewall as the first layer of
> protection, by only allowing certain IPs to come through to the VPN
> server. The VPN would then be a second layer of protection, by
> requiring authorization before allowing access to the LAN.
> 
> Otherwise, if the VPN is the only protection, a brute force password
> attack could compromise your LAN security.
> 
> --
> Mark Hesseltine
> mailto:markhesseltine at gmail.com

Filtering by IP can also be done when the VPN server resides on the 
firewall.  But I'm not sure if filtering by IP is practical.  For one, it 
doesn't provide any additional safety to VPN communication from the WLAN, 
and for the other, it won't allow me to roam the world wide internet.  So 
I was considering certificate-based authentication.

The only argument I could come up with so far is spreading the load and thus 
using the file server.  Not sure if that's a big enough argument or even 
a good one.

   Claus



