
Getting DMZ and IPSec VPN to coexist
I run a network which currently has one OBSD box between itself and the
rest of the world.  That was quick to set up, but what we really want is
something like this:

[internet]
  |
[oBSD A]---------------------------
  |     subnet 192.168.x.x
(DMZ with maybe a proxy web server)
  |
[oBSD B]---------------------------
  |     subnet 10.x.x.x
[internal network]
Fairly commonplace setup, right?

Okay, well how would we set up IPSec such that a host on [internal
network] could participate in a VPN with machines in the Internet,
particularly given that all the machines below [oBSD A] in my diagram
will be using non-routable IP addresses, thus the IPSec gateway can't be
addressed via ISAKMP?

One solution I had in mind was to do something like this:

[internet]
   |
[oBSD A]----(DMZ, connected to oBSD-A via third NIC)
   |
[internal net]

...so, we can still have our DMZ isolated from our internal net, but
there's only one gateway between the Internet and any machines taking
advantage of IPSec.  I don't like this idea because it puts us back to a
single point of compromise before an intruder gets access to our
internal net.

So I'm hoping that there's some sort of routing trick that we can do;
for example, take an interface on the Internet side of [oBSD A], and
route it wholesale to an interface on [oBSD B], such that everybody
including [oBSD B] thinks that interface is really outside the DMZ.  Of
course that sucks too, since attacks can now be mounted directly on
[oBSD B] as though it _were_ on the outer net.  But I can't think of any
better way.  I also don't know (except in principle) how to implement
the scheme I've just described.

Next I had the bright idea of making [oBSD B] an ipsec gateway that only
does point-to-point with [oBSD A], and somehow using that rig to make
[oBSD A] the IPSec gateway for the internal net.  Ditto the "no idea how
to implement".

So I'd like to stop guessing and hear from somebody who actually does
this.  Any clues?

Thanks,
-m

-- 
Michael Jinks, IB // Technical Entity // Saecos Corporation
Opinions expressed above are my own, and not those of my employer.
