DMZ or ?


I work for a financial institution and am looking for a better way to secure outside/vendor access to our ATMs.  Currently we have a VPN device connected directly to the internet on the outside interface and the internal interface directly to our LAN.  I have thought of implementing a DMZ and putting the VPN devices into it, but they still need internal access to the ATMs, which kind of defeats the purpose of a DMZ.  We also need internal access to the ATMs for obvious reasons.  I could plug the DMZ into our firewall I suppose for internal access, which would be more secure than what we currently have, but is still not a true DMZ, in my mind.  Does anyone have any experience securing this type of configuration?

Matt V commented:
Your original thought to put the VPN devices in the DMZ is good.  Allowing access from the DMZ into the LAN still allows you to process the connections through the firewall, both inbound from the Internet and before anything hits the LAN.  This gives you an extra layer of security over the VPN directly into the LAN.

In our environment, we have an external firewall, which houses the DMZ, and an internal firewall.  In between is the extranet, where web servers or other outside facing applications sit.  The DMZ contains the reverse proxy devices that allow access to the extranet, and then from the extranet some access is allowed to the intranet.
It is generally easier to filter traffic through a firewall than a VPN device. If you give different groups of users different groups of IP addresses when they connect, the firewall can then discriminate between the different types of user based upon their IP address given out by the VPN concentrator, and then the firewall can filter access to the network appropriately.

You definitely want to have two-factor authentication in place for the VPN, or you risk being another Target.
I managed the security for a number of regional banks in Texas.  The setup you described (vendor connections terminating in a semi-trusted environment) is the security model we used.

The configurations can be a little more challenging, but it definitely improves your security.  Once they're in their own security zone, then you can limit vendor access based on source and destination IPs, and port numbers.  You can also enable and disable the access control entries, so that they can only get in when you enable access, if that's what you want.
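A small model of the layout described in this answer (each vendor group lands in its own VPN address pool, the firewall between the DMZ and the LAN recognises the group by source pool and allows only that group's destinations and ports, and individual entries can be switched on and off), written as an added example that is not part of this thread or of any vendor's product. The pools, subnets, group names and the `vpn_dmz` table name are constructed for illustration; the rendered lines use standard nftables syntax so the same policy can be compared against a real ruleset.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example addresses (not the poster's network). The VPN
# concentrator hands each group of users its own pool, so the firewall
# can tell groups apart by source address alone.
VPN_POOLS = {
    "atm-vendor": ip_network("10.200.1.0/24"),
    "core-vendor": ip_network("10.200.2.0/24"),
    "staff": ip_network("10.200.10.0/24"),
}
ATM_SUBNET = ip_network("10.50.0.0/24")    # constructed ATM network
CORE_SUBNET = ip_network("10.60.0.0/24")   # constructed core-banking network


@dataclass
class AccessEntry:
    """One access-control entry: a VPN group may reach dst on these TCP ports."""
    name: str
    src_group: str
    dst: IPv4Network
    ports: frozenset
    enabled: bool = True


class Policy:
    """Default-deny firewall policy between the VPN DMZ and the LAN."""

    def __init__(self, entries: List[AccessEntry]) -> None:
        self.entries = list(entries)

    def group_of(self, src: IPv4Address) -> Optional[str]:
        """Map a source address to the VPN group whose pool contains it."""
        for group, pool in VPN_POOLS.items():
            if src in pool:
                return group
        return None

    def set_enabled(self, name: str, enabled: bool) -> None:
        """Turn one entry on or off, e.g. only for a scheduled vendor session."""
        for e in self.entries:
            if e.name == name:
                e.enabled = enabled
                return
        raise KeyError(name)

    def evaluate(self, src: str, dst: str, port: int) -> Tuple[str, str]:
        """Return (verdict, reason) for one TCP connection attempt."""
        s, d = ip_address(src), ip_address(dst)
        group = self.group_of(s)
        if group is None:
            return ("deny", "source not in any VPN pool")
        for e in self.entries:
            if e.enabled and e.src_group == group and d in e.dst and port in e.ports:
                return ("allow", e.name)
        return ("deny", "no enabled entry matches (default deny)")

    def render_nft(self) -> List[str]:
        """Render the enabled entries as nftables rules on a policy-drop chain."""
        lines = [
            "add table inet vpn_dmz",
            "add chain inet vpn_dmz forward "
            "{ type filter hook forward priority 0; policy drop; }",
        ]
        for e in self.entries:
            if not e.enabled:
                continue  # a disabled entry is simply absent from the ruleset
            ports = ", ".join(str(p) for p in sorted(e.ports))
            lines.append(
                f"add rule inet vpn_dmz forward ip saddr {VPN_POOLS[e.src_group]} "
                f"ip daddr {e.dst} tcp dport {{ {ports} }} accept"
            )
        return lines


def build_policy() -> Policy:
    """Constructed sample policy: the core-vendor entry starts disabled."""
    return Policy([
        AccessEntry("atm-vendor-to-atms", "atm-vendor", ATM_SUBNET, frozenset({22, 443})),
        AccessEntry("core-vendor-to-core", "core-vendor", CORE_SUBNET, frozenset({1433}),
                    enabled=False),
        AccessEntry("staff-to-atms", "staff", ATM_SUBNET, frozenset({22, 443, 3389})),
    ])


if __name__ == "__main__":
    policy = build_policy()
    for src, dst, port in [("10.200.1.15", "10.50.0.7", 443),
                           ("10.200.1.15", "10.60.0.7", 443),
                           ("192.0.2.5", "10.50.0.7", 443)]:
        print(src, "->", dst, port, policy.evaluate(src, dst, port))
    print("\n".join(policy.render_nft()))
```

The evaluation is deliberately stateless and first-match so it is easy to reason about: a vendor address outside its pool, a destination outside the entry, a port not listed, or an entry that is currently disabled all fall through to the chain's default drop, which is the behaviour the answer relies on when it says vendors "can only get in when you enable access".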
cheesebugah (Author) commented:
Thank you very much for your input.  I was thinking going through the firewall to the LAN from the DMZ was not a best practice, but it seems to be somewhat common.  It is definitely better than the VPN devices directly connected to the LAN.
