#1
Member (9 bit)
Join Date: May 2001
Location: Florida
Posts: 484
accessing corporate intranet over VPN
I have an intranet site currently running in the DMZ subnet. I would like to have VPN users access the intranet site but seem to be having some problems.
Has anyone out there set this up? Thanks
#2
Member (13 bit)
It might be because it's in the DMZ if the router you're using can't forward internal packets to its own external IP.
Questions:
1) If you have a VPN for external users, why can't they access an internal website? That's what VPN access is for.
2) Why put the Intranet on a DMZ subnet? If it's only supposed to be accessed from the internal network, putting it in a DMZ defeats that purpose. Does having it in a DMZ defeat some other problem? Need more info.
#3
Member (9 bit)
Join Date: May 2001
Location: Florida
Posts: 484
Thanks Xayd.
I was guessing that was the problem. Sometimes I post without thinking something through, usually on days I'm needing some sleep. I have an FTP server on the box right now, which is why it's in the DMZ. I am looking to set up another box running a Linux distro and running a secure file transfer. Take it easy
#4
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,777
You don't need to DMZ a computer to run an FTP server on it - just forward the ports you need.
#5
Member (9 bit)
Join Date: May 2001
Location: Florida
Posts: 484
Isn't it advisable to run FTP, Web and E-mail servers in a DMZ? If someone hacks the FTP account couldn't they then access network resources?
#6
Member (13 bit)
Not likely. Just set the FTP account permissions properly (users bound to the FTP root directory or lower, no delete access, etc.) and you'll be fine.
Actually, by putting your server(s) in the DMZ you're exposing them to more external traffic than is necessary. Any running service on these machines would be accessible by anyone from outside who had the IP address of the box. All the DMZ does is forward all unrouted packets to the machine(s) that are in the DMZ. It's less secure than the network behind your port mappings, therefore, for obvious reasons.
Last edited by Xayd; 05-06-2003 at 04:30 PM.
#7
Member (9 bit)
Join Date: May 2001
Location: Florida
Posts: 484
Thanks Xayd
Just recently started learning network security and truly enjoy the challenges. Thanks for the info on the DMZ. Good point. Any vulnerable service running in the DMZ would be accessible and crackable. Though the DMZ prevents intrusion to the corporate network, those in the DMZ are at more risk than if they were inside. Double-edged, I guess, but with proper account permissions it should be adequate security. Thanks again.
#8
Member (13 bit)
NAT is effective to an extent, but you can't tinker it to the point of making things behind it secure; that's not its purpose.
Set up your port mappings to only allow what's absolutely necessary to pass through. If you need further security beyond what NAT can give you, then a separate firewall setup would be in order, the most effective solution at that point being a Unix box that can restrict access based on any number of factors, but that's another can of worms obviously. If you want to learn a bit you might grab an old 486 and two old ISA NICs and set yourself up a Unix firewall at home to play with; it doesn't take much hardware to run one for a couple of computers or less. You'll soon see why a Unix/Linux OS is superior to Windows for servers and security: it's much easier to deny access to things than it is on a Windows machine, and permissions (for access that is granted after the filters you set up) have a lot more configurability.
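The two points made in posts #6 and #8 (a "DMZ host" receives every unrouted inbound packet, so each listening service on it is reachable from outside, whereas explicit port mappings expose only the ports you list) can be made concrete with a small model. The following is an added example written for this thread, not code posted by anyone in it or shipped by any router vendor; the host names, listening ports and router rules are constructed sample data, and the `Router`/`Host` classes are a simplification of how consumer NAT routers treat unsolicited inbound traffic.

```python
"""Model of inbound handling on a consumer NAT router: DMZ host vs. explicit
port forwards. Added example with constructed sample data (see lead-in)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 21)


@dataclass(frozen=True)
class Packet:
    """An unsolicited inbound packet arriving on the router's WAN interface."""
    dst_port: int
    proto: str = "tcp"


@dataclass
class Host:
    """An internal machine and everything it listens on, public or not."""
    name: str
    listening: Set[Service]


@dataclass
class Router:
    """Inbound policy: explicit forwards first, then the DMZ host, else drop."""
    # (proto, external port) -> internal host name
    forwards: Dict[Service, str] = field(default_factory=dict)
    # host that receives every inbound packet no forward rule claimed
    dmz_host: Optional[str] = None

    def route(self, pkt: Packet) -> Optional[str]:
        """Return the internal host that receives pkt, or None if the router drops it."""
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is not None:
            return target
        # No mapping: a DMZ host gets it; without one, NAT has nowhere to send it.
        return self.dmz_host


def exposed_services(router: Router, hosts: Dict[str, Host]) -> Dict[str, Set[Service]]:
    """For each host, the subset of its listening services an outside client can reach."""
    exposed: Dict[str, Set[Service]] = {name: set() for name in hosts}
    for name, host in hosts.items():
        for proto, port in host.listening:
            if router.route(Packet(port, proto)) == name:
                exposed[name].add((proto, port))
    return exposed


# Constructed sample network: a file server that also hosts the intranet site
# and Windows file sharing, plus a VPN gateway (hypothetical hosts).
HOSTS: Dict[str, Host] = {
    "fileserver": Host("fileserver", {("tcp", 21), ("tcp", 80), ("tcp", 445)}),
    "vpngw": Host("vpngw", {("udp", 500), ("udp", 4500)}),
}

# Setup from the original question: the file server is the router's DMZ host.
DMZ_ROUTER = Router(dmz_host="fileserver")

# Setup recommended in the thread: forward only what is needed. FTP control
# goes to the file server; IKE/NAT-T go to the VPN gateway; the intranet site
# on tcp/80 is deliberately not mapped, so it is reachable only over the VPN.
FORWARD_ROUTER = Router(forwards={
    ("tcp", 21): "fileserver",
    ("udp", 500): "vpngw",
    ("udp", 4500): "vpngw",
})


def main() -> None:
    for label, router in (("DMZ host", DMZ_ROUTER), ("port forwards", FORWARD_ROUTER)):
        print(f"--- {label} ---")
        for host, services in exposed_services(router, HOSTS).items():
            print(f"{host}: exposed {sorted(services) or 'nothing'}")


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry the thread describes: with the file server as DMZ host, every service it happens to run (including the intranet site and file sharing, which were never meant to be public) is reachable from the Internet, while the VPN gateway gets nothing because no rule sends traffic to it; with explicit forwards, the file server exposes only tcp/21 and the intranet site stays internal. One practical caveat when applying this to real FTP: the model forwards only the control port, and passive-mode FTP additionally needs the server's data-port range forwarded (or a NAT device that inspects FTP), so the "absolutely necessary" list for FTP is usually more than one port.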
#9
Member (9 bit)
Join Date: May 2001
Location: Florida
Posts: 484
Thanks
I actually just downloaded an ISO for Smoothwall and IPCop and like what I see. IPCop I just started playing with in the last day. One thing I like is the setting up of a VPN with hostnames. Most hardware firewall vendors, and Smoothwall as well, have you specify IPs. Pain when you don't have a static at one location.
#10
Member (13 bit)
You might also give OpenBSD a try. It has some nice encryption options and a very nice, configurable packet filtering system.
And as with any of the BSD or Linux operating systems, it's free so you have nothing to lose.