[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Getting DMZ and IPSec VPN to coexist
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Getting DMZ and IPSec VPN to coexist
- From: "Michael R. Jinks" <mjinks_(_at_)_saecos_(_dot_)_com>
- Date: Mon, 19 Mar 2001 17:40:28 -0600
- Organization: Saecos Corporation
I run a network which currently has one OBSD box between itself and the
rest of the world. That was quick to set up, but what we really want is
something like this:
| subnet 192.168.x.x
(DMZ with maybe a proxy web server)
| subnet 10.x.x.x
Fairly commonplace setup, right?
Okay, well how would we set up IPSec such that a host on [internal
network] could participate in a VPN with machines in the Internet,
particularly given that all the machines below [oBSD A] in my diagram
will be using non-routable IP addresses, thus the IPSec gateway can't be
addressed via ISAKMP?
One solution I had in mind was to do something like this:
[oBSD A]----(DMZ, connected to oBSD-A via third NIC)
...so, we can still have our DMZ isolated from our internal net, but
there's only one gateway between the Internet and any machines taking
advantage of IPSec. I don't like this idea because it puts us back to a
single point of compromise before an intruder gets access to our
So I'm hoping that there's some sort of routing trick that we can do;
for example, take an interface on the Internet side of [oBSD A], and
route it wholesale to an interface on [oBSD B], such that everybody
including [oBSD B] thinks that interface is really outside the DMZ. Of
course that sucks too, since attacks can now be mounted directly on
[oBSD B] as though it _were_ on the outer net. But I can't think of any
better way. I also don't know (except in principle) how to implement
the scheme I've just described.
Next I had the bright idea of making [oBSD B] an ipsec gateway that only
does point-to-point with [oBSD A], and somehow using that rig to make
[oBSD A] the IPSec gateway for the internal net. Ditto the "no idea how
So I'd like to stop guessing and hear from somebody who actually does
this. Any clues?
Michael Jinks, IB // Technical Entity // Saecos Corporation
Opinions expressed above are my own, and not those of my employer.
Visit your host, monkey.org