VPN "Best Practices"
As an IT person, I'm often asked about setting up VPNs with existing hardware. While I'm aware of certain security risks, I'd really like to discuss with someone the pros and cons of the following setups:
assume just 2 offices. Each behind a NATed firewall with no DMZ
1. Firewalls(same model at each office) also perform VPN.
2. Internal VPN devices (Cisco VPN router, etc...)
3. ISA to ISA.
4. W2kSever to W2kServer
Basically, my main client has offices in LA and NY and is looking to connect them. They both simply have a 30-50 computers, a couple of DCs and a NATed firewall (Watchguard FireBox X700). We would like to connect the offices and consolidate the domain, and I would prefer to do it 100% the right way. I often spout out "best practices", but always like to be reminded of why they are so. Especially since the computer world changes so rapidly, and it's always good to re-verify your feelings before committing to a big project.
Don't need answers specific to my situation. Not looking for you guys to do my job or anything, just thought I might spark a general conversation about various VPN methodologies that could benefit other people too.
Thanks for all your input.
AdamDrayer
assume just 2 offices. Each behind a NATed firewall with no DMZ
1. Firewalls(same model at each office) also perform VPN.
2. Internal VPN devices (Cisco VPN router, etc...)
3. ISA to ISA.
4. W2kSever to W2kServer
Basically, my main client has offices in LA and NY and is looking to connect them. They both simply have a 30-50 computers, a couple of DCs and a NATed firewall (Watchguard FireBox X700). We would like to connect the offices and consolidate the domain, and I would prefer to do it 100% the right way. I often spout out "best practices", but always like to be reminded of why they are so. Especially since the computer world changes so rapidly, and it's always good to re-verify your feelings before committing to a big project.
Don't need answers specific to my situation. Not looking for you guys to do my job or anything, just thought I might spark a general conversation about various VPN methodologies that could benefit other people too.
Thanks for all your input.
AdamDrayer
ASKER
what makes the VPN better in the DMZ rather than behind the firewall. What makes seperate VPN devices better than using firewalls with VPN capabilities?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Here are my thoughts, broken down in two parts. Let me know if I am on the right track.
J
VPN:
As far as VPN is concerned, I look at two things. Strength of Encryption and Keys, and then Path to resources.
Strength of VPN, essentially if you are comfortable with the key strength and type of authentication protocols used by a specific setup.
Path to resources, is a bigger issue. A straight connection between two routers that allow for restricted IP ranges, is most secure. You start running into issues when you have multiple clients connecting from different ranges (such as home users), and when you begin to allow NAT and tunnelling through Firewalls directly into a network, where the authentication and setups occur. Given the list of VPN setups you have, I would list them in order of preference as:
VPN Devices, in a DMZ
Firewalls or ISA (they are both firewalls)
W2kServer in a DMZ, and lastly behind a Firewall and in a network.
Connecting Domains:
Anytime you are connecting two AD structures you have a choice between a Single Domain with a Root and Sites, or Multiple Domains with Trusts. Personally I prefer to do a Headquarters scenario, where there is a Single Root and Sites at other locations. I prefer this because it allows for redundancy between locations. Here is a bunch of KB's on Sites.
Here is a whole bunch of information for you. This should get you started on creating a "London" Site for your active directory.
HOW TO: Create and Configure an Active Directory Site in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;318480&Product=win2000
How to Create a Site Link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;316812&Product=win2000
How to configure Windows 2000 Subnets:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269098&Product=win2000