DMZ or ?


I work for a financial institution and am looking for a better way to secure outside/vendor access to our ATMs. Currently we have a VPN device connected directly to the internet on the outside interface and the internal interface directly to our LAN. I have thought of implementing a DMZ and putting the VPN devices into it, but they still need internal access to the ATMs, which kind of defeats the purpose of a DMZ. We also need internal access to the ATMs for obvious reasons. I could plug the DMZ into our firewall, I suppose, for internal access, which would be more secure than what we currently have, but is still not a true DMZ in my mind. Does anyone have any experience securing this type of configuration?


Matt V commented:
Your original thought to put the VPN devices in the DMZ is good. Allowing access from the DMZ into the LAN still allows you to process the connections through the firewall, both inbound from the Internet and before anything hits the LAN. This gives you an extra layer of security over the VPN directly into the LAN.

In our environment, we have an external firewall, which houses the DMZ, and an internal firewall. In between is the extranet, where web servers or other outside-facing applications sit. The DMZ contains the reverse proxy devices that allow access to the extranet, and then from the extranet some access is allowed to the intranet.

It is generally easier to filter traffic through a firewall than a VPN device. If you give different groups of users different groups of IP addresses when they connect, the firewall can then discriminate between the different types of user based upon their IP address given out by the VPN concentrator, and then the firewall can filter access to the network appropriately.

You definitely want to have two-factor authentication in place for the VPN, or you risk being another Target.

I managed the security for a number of regional banks in Texas. The setup you described (vendor connections terminating in a semi-trusted environment) is the security model we used.

The configurations can be a little more challenging, but it definitely improves your security. Once they're in their own security zone, then you can limit vendor access based on source and destination IPs and port numbers. You can also enable and disable the access control entries, so that they can only get in when you enable access, if that's what you want.
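The two answers above describe one policy: the VPN concentrator hands each vendor group its own address pool, and the firewall between the DMZ and the LAN permits only specific source pool, destination and port combinations, with entries that can be switched on and off. The following is an added example (not code from the thread or any poster) modelling that policy; every address pool, subnet and port in it is constructed for illustration.

```python
# Added example, not from the thread: a minimal model of a default-deny
# DMZ-to-LAN vendor access policy keyed on the VPN concentrator's pools.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class AclEntry:
    name: str
    src_pool: str        # pool the VPN concentrator assigns to this vendor group
    dst_net: str         # the only internal subnet this group may reach
    ports: set
    enabled: bool = True  # flip to False outside the agreed maintenance window

    def matches(self, src, dst, port):
        return (self.enabled
                and ip_address(src) in ip_network(self.src_pool)
                and ip_address(dst) in ip_network(self.dst_net)
                and port in self.ports)


@dataclass
class Firewall:
    entries: list = field(default_factory=list)

    def allows(self, src, dst, port):
        """Default deny: a flow passes only if some enabled entry matches it."""
        return any(e.matches(src, dst, port) for e in self.entries)

    def set_enabled(self, name, enabled):
        """Open or close a vendor's window without deleting the entry."""
        for e in self.entries:
            if e.name == name:
                e.enabled = enabled


def build_policy():
    # Constructed values: two vendor pools on the concentrator, two LAN subnets.
    # The ATM vendor's pool reaches only the ATM subnet; a second vendor's pool
    # reaches only its own equipment, so pools cannot cross into each other's zone.
    return Firewall([
        AclEntry("atm-vendor", "10.200.1.0/24", "10.50.0.0/24", {443, 3389}),
        AclEntry("cctv-vendor", "10.200.2.0/24", "10.60.0.0/24", {443}),
    ])
```

Any flow not matched by an enabled entry is refused, including one vendor's pool reaching another vendor's subnet, an unlisted port, or the general LAN.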
cheesebugah (Author) commented:
Thank you very much for your input. I was thinking going through the firewall to the LAN from the DMZ was not a best practice, but it seems to be somewhat common. It is definitely better than the VPN devices directly connected to the LAN.
