This is a design question only, and not specific to a current hardware implementation - this is educational (for me) only
Say you have a small business that has Internet access. It has a router and a firewall. The firewall is multi-homed, connecting to the Internet router, the internal LAN and has an interface supporting a DMZ. You have a public facing Web server on the DMZ. You have an ERP server on the DMZ.
Now you want to provide remote access, so you are looking to install an IPSec VPN server. I am assuming the VPN server would be connected to the DMZ. Say you used Cisco AnyConnect or Palo Alto Global Connect, or even OpenVPN - would you port forward from the firewall to the VPN server on the VPN? Say the VPN server has two interfaces. Would one connect to the DMZ and the other to the internal LAN? Or would you get a separate WAN connection and use that for connecting to the VPN server?
So router → firewall → VPN Server on DMZ → where does this connect?
I’d either put the VPN server in the DMZ you already have, or make a second DMZ for it. Depends on the business requirements. Most if not all firewalls can accept client VPN connections, so there’s that option too.
If you do end up using a separate VPN server, do not dual-home it. That can bypass firewall restrictions and give an attacker easy access to your network. Keep it connected to 1 network
Both options would work fine. I’d use a VPN server behind the firewall, maybe an exclusive DMZ where you could apply rules to restrict internal access from your VPN users to your local nets/services.
(1 arm) Put vpn in existing dmz and use private vlans
(2 arm) Put vpn external to existing dmz - this filters inbound connections towards vpn server. Create another context or vdom in firewall. Connect vpn internal interface to the new firewall vdom / context - this filters all traffic from vpn client towards internal lan. Obviously, new vdom must connect to internal lan.
What specifically do you mean by this? Like having a site-to-site VPN is a security risk? Not throwing shade btw, I just don’t see how it’s coherently different
Any external connection into your network is a potential security risk. VPN servers don’t always run on firewalls, this is why I said to add it to a DMZ or create a separate DMZ for it. The question was asking about remote access VPN, but site-to-site is certainly a security risk too. There have been known attacks, worms, etc that can spread across an IPSec tunnel. The site-to-site tunnel should have known endpoints and specific FW rules guarding that access, even port numbers to access specific services
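The single-armed design the replies converge on (VPN server with one leg only, in the DMZ, so decapsulated client traffic has to cross the firewall to reach the LAN) written out as an nftables forward policy; this is an added example, not any poster's configuration, and the interface names, subnets, server addresses and the allowed LAN ports are assumptions.

```shell
#!/bin/sh
# Added example: firewall forward policy for a one-armed VPN server in the DMZ.
# Because the VPN server has no LAN leg, every packet from a VPN client toward
# the LAN re-enters the firewall from the DMZ and is subject to these rules.
# All names and addresses below are assumed for illustration.
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=192.168.10.0/24        # assumed internal LAN
VPN_SRV=192.168.20.5           # assumed VPN server address in the DMZ
WEB_SRV=192.168.20.7           # assumed public web server in the DMZ
VPN_POOL=10.8.0.0/24           # assumed address pool handed to VPN clients

gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet -> DMZ: only IKE/NAT-T and ESP to the VPN server, HTTPS to the web server
    iifname "$WAN" oifname "$DMZ" ip daddr $VPN_SRV udp dport { 500, 4500 } accept
    iifname "$WAN" oifname "$DMZ" ip daddr $VPN_SRV ip protocol esp accept
    iifname "$WAN" oifname "$DMZ" ip daddr $WEB_SRV tcp dport 443 accept
    # DMZ -> LAN: only decapsulated VPN-client traffic (pool addresses), and only
    # to the services remote users actually need; everything else from the DMZ
    # is dropped by the chain policy, so a compromised DMZ host gets nothing.
    iifname "$DMZ" oifname "$LAN" ip saddr $VPN_POOL ip daddr $LAN_NET tcp dport { 445, 3389 } accept
    # LAN -> Internet and LAN -> DMZ are initiated from the inside
    iifname "$LAN" oifname "$WAN" accept
    iifname "$LAN" oifname "$DMZ" accept
  }
}
EOF
}
# Note: VPN-client traffic to other DMZ hosts (e.g. the ERP server) stays on the DMZ
# segment and never crosses this firewall; that is what private VLANs or a
# separate VPN DMZ, as suggested in the thread, are for.
if [ "${1:-}" = "apply" ]; then gen_ruleset | nft -f -; else gen_ruleset; fi
```

Run with `apply` on the firewall to load the ruleset; without arguments it only prints it for review.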