In a more common configuration, the firewall is attached to the Internet, and the VPN server is an intranet resource that is attached to the perimeter network. The VPN server has an interface on both the perimeter network and the intranet. In this scenario, the firewall must be configured with input and output filters on its Internet interface that allow tunnel maintenance traffic and tunneled data to pass to the VPN server. Additional filters can allow traffic to pass to Web, FTP, and other types of servers on the perimeter network. For an additional layer of security, the VPN server can also be configured with PPTP or L2TP/IPSec packet filters on its perimeter network interface.
Because the firewall does not have the encryption keys for each VPN connection, it can filter only on the plaintext headers of the tunneled data. In other words, all tunneled data passes through the firewall. This is not a security concern, however, because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.
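The input and output filters described above, sketched as an added example (not part of the original page): a default-deny check on the firewall's Internet interface that decides on outer headers only. The server address, the `Packet` type and `permit()` are hypothetical; the protocol and port numbers are the well-known PPTP and L2TP/IPSec values, which the page itself does not list.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed address (TEST-NET-1) for the VPN server's perimeter interface.
VPN_SERVER = "192.0.2.10"

# IP protocol numbers visible in the plaintext outer header.
TCP, UDP, GRE, ESP = 6, 17, 47, 50

# (protocol, VPN-server-side port) pairs the Internet interface must pass.
ALLOWED = {
    (TCP, 1723),  # PPTP tunnel maintenance
    (GRE, None),  # PPTP tunneled data
    (UDP, 500),   # IKE negotiation for L2TP/IPSec
    (UDP, 4500),  # IPSec NAT traversal
    (ESP, None),  # IPSec ESP; L2TP (UDP 1701) travels encrypted inside it
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    payload: bytes = b""  # encrypted tunnel contents; the filter never reads it

def permit(pkt: Packet, direction: str) -> bool:
    """Return True if the packet may cross the Internet interface.

    direction is 'in' (Internet -> VPN server) or 'out' (VPN server -> Internet).
    Anything not explicitly allowed is dropped.
    """
    if direction == "in":
        server, port = pkt.dst, pkt.dport
    elif direction == "out":
        server, port = pkt.src, pkt.sport
    else:
        raise ValueError(f"unknown direction: {direction}")
    if server != VPN_SERVER:
        return False  # filters for Web, FTP and other servers are not modelled here
    if pkt.proto in (TCP, UDP):
        return (pkt.proto, port) in ALLOWED
    return (pkt.proto, None) in ALLOWED
```

Plaintext L2TP on UDP 1701 sent straight to the VPN server is dropped by these filters, because only IPSec-protected L2TP is expected on the Internet interface.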
The following illustration shows the VPN server behind the firewall on the perimeter network.