Solved

DMZ or VPN

Posted on 2014-02-05
Last Modified: 2014-02-05
Hello,
Which is the best solution scenario to allow traffic from the internet to a specific host (like a DMZ)? NOT web services. Or connect both sites with a Site to Site VPN, or create a DMZ?

Appreciate your feedback on that, pros and cons.
Question by: renegadecy

Expert Comment by: strivoli
ID: 39835194
DMZ is used when you give access to a wide number of users and they are mostly anonymous/unknown users.
VPN is used when you give access to a small number of trusted and known users.

Author Comment by: renegadecy
ID: 39835201
Thank you....
I need information for both scenarios.

Expert Comment by: strivoli
ID: 39835227
Virtual private network and DMZ (computing) are a very good source for starting to get an idea of what both are.

Accepted Solution by: ffleisma (earned 500 total points)
ID: 39835862
VPN and DMZ are two separate ideas.

VPN is a secure way of connecting two LANs across an unsecured medium (most of the time the internet, but VPNs can run across a WAN link as well in some cases).

DMZ is network segregation of security zones. In simple terms, a DMZ is a network segment where it is imperative to control traffic flow (in or out) towards the public side and to control traffic flow (in or out) towards the internal network. Primarily a DMZ is created so as to be able to manage incoming outside traffic (from a trusted client or the big-bad-internet) without having the zone be internal to the network. It should be noted that DMZ devices, since they are being accessed constantly from the outside, are the most vulnerable to security attacks.

Imagine if you don't have a DMZ, and the server accessed from outside is within your internal LAN: if this device is compromised (hacked/infected/virus/worm) then it can infect the entire internal LAN, since nothing is blocking it from the inside anymore. Opposite to that, in a DMZ setup, if a DMZ server is infected, its access to the internal network is still controlled by the firewall (or it can even be blocked totally from accessing internal hosts).

Now in your scenario, VPN does not necessarily need to allow access to the INTERNAL network. VPN can terminate the client/peer end directly in the DMZ instead of the internal network.

If the server that the client/peer is accessing needs to be in a secured and maintained zone, it's best to put that server in the DMZ and have the site-to-site VPN between the DMZ and the client/peer. This is a more secure design than having the server internally and having the VPN connect internally, unless this is necessary.

Hope this helps, and let us know if you have any questions.

Author Comment by: renegadecy
ID: 39836258
Very good explanation! This scenario will be implemented.
Let me be more specific.
According to your design the FW will be an ASA 5512-IPS; one interface will be the internal one, another will be the "DMZ". The scenario that I have in my mind is to block all traffic from one interface to the other, meaning block all traffic from "DMZ" to internal... and allow specific traffic to specific ports..... am I correct?

Are there any other considerations (ACL/NAT) that I must take into account?

Thank you

Expert Comment by: ffleisma
ID: 39836581
"the scenario that I have in my mind is to block all traffic from one interface to the other, meaning block all traffic from "DMZ" to internal... and allow specific traffic to specific ports..... am I correct?"

Yes, this is absolutely correct! (DMZ going inside). This is the main purpose that a DMZ serves. Also you might want to consider traffic from inside-going-DMZ; I assume this is primarily for administrative purposes (RDP), since as IT users you might be residing on the internal VLAN. But yes, the basic security option will be: allow some (IP and TCP/UDP port specific) and deny all (although there is already an implicit deny statement on every FW interface of the ASA, it is still best to put one in if there is not any, primarily for logging purposes of denied packets).

"Are there any other considerations (ACL/NAT) that I must take into account?"
ACL
consider ACL, DMZ-going-inside
consider ACL, inside-going-DMZ, for administration, or loading/uploading of data
consider ACL, DMZ-going-outside (internet), as the server might need updates or other purposes; usually ports 80/443 are used by MS, but double-check, and I know Windows updates can be run through proxy servers as well
consider ACL, DMZ-going-outside (VPN traffic)

NAT
if there is no IP subnet overlapping, NAT exempt/identity NAT rules have to be in place. Although in newer versions of ASA, NAT exempt/identity NAT is applied by default if none is specified
if the DMZ server is reachable via a public IP, this means a static NAT associated to the DMZ server
and of course if the DMZ server is able to reach the internet (DMZ-going-internet), its IP should then be NATed to the outside interface

Hope that covered all your inquiry; let me know if you need anything else, and glad to be able to assist you.

Author Comment by: renegadecy
ID: 39837038
"Also you might want to consider traffic from inside-going-DMZ, I assume this is primarily for administrative purposes (RDP) since as IT users, you might be residing on the internal VLAN. But yes, the basic security option will be allow some (IP and TCP/UDP port specific) and deny all..."

Yes, I need servers from inside to have access to specific ports on the DMZ. This can be done through ACL, right? Can you give me an example, please?

No direct internet traffic on the network.... only through Site to Site VPN on the DMZ only..... Shall I use NAT exempt? In newer versions I haven't seen exempt rules.

Expert Comment by: ffleisma
ID: 39837215
Just a simple example:

Allowing internal network a.a.a.a/x Remote Desktop Protocol (RDP, TCP 3389) to DMZ server d.d.d.d:

access-list inside_access_in permit tcp a.a.a.a x.x.x.x host d.d.d.d eq 3389
!
access-group inside_access_in in interface inside

Hope this helps.
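The ACL and NAT considerations listed in the earlier answer and the single RDP line above, combined into one ASA 8.3+ style configuration. This is an added example constructed for this thread, not configuration posted by either participant; the addresses, object names, the DNS permit for updates and the identity NAT form of "NAT exempt" are assumptions.

```cisco
! Constructed addresses (assumptions, not from the thread):
!   inside 10.10.0.0/24, dmz 172.16.1.0/24 (server 172.16.1.10),
!   remote VPN site 192.168.50.0/24, public IP for the server 203.0.113.10
object network INSIDE-NET
 subnet 10.10.0.0 255.255.255.0
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
object network DMZ-SERVER
 host 172.16.1.10
object network REMOTE-SITE
 subnet 192.168.50.0 255.255.255.0
!
! inside-going-DMZ: only RDP to the server; explicit deny so drops are logged
access-list inside_access_in extended permit tcp object INSIDE-NET object DMZ-SERVER eq 3389
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! DMZ-going-inside: deny FIRST, otherwise the "any" permits below would also
! match destinations on the inside network
access-list dmz_access_in extended deny ip any object INSIDE-NET log
! DMZ-going-outside (internet): updates over 80/443 (DNS assumed for name lookups)
access-list dmz_access_in extended permit tcp object DMZ-SERVER any eq 80
access-list dmz_access_in extended permit tcp object DMZ-SERVER any eq 443
access-list dmz_access_in extended permit udp object DMZ-SERVER any eq 53
! DMZ-going-outside (VPN traffic): server-initiated flows to the remote peer
access-list dmz_access_in extended permit ip object DMZ-SERVER object REMOTE-SITE
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
!
! "NAT exempt" on 8.3+ is identity (twice) NAT: VPN traffic keeps its real addresses.
! Manual NAT is evaluated before the object NAT rules below.
nat (dmz,outside) source static DMZ-NET DMZ-NET destination static REMOTE-SITE REMOTE-SITE no-proxy-arp route-lookup
! static NAT only needed if the server must be reachable on a public IP
object network DMZ-SERVER
 nat (dmz,outside) static 203.0.113.10
! DMZ-going-internet: everything else from the DMZ leaves on the outside interface address
object network DMZ-NET
 nat (dmz,outside) dynamic interface
```

The site-to-site tunnel itself (IKE policy, crypto map, interesting-traffic ACL) is not shown; check ACL hits with "show access-list" and the NAT order with "show nat" after applying.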