PIX VPN Design Advice

loyalist (MIS, CA), Jun 25, 2003
Hi there,

Starting to plan a new remote office and thought I would put this out there to see what others may think.

Central office currently using PIX 515E for VPN, clients authenticating via vpn group only, right now. No current site-to-site configuration.

Central office will migrate to 4th interface on PIX with dedicated DSL exclusive to VPN traffic. Plan on utilizing VPN3000 concentrator with W2K3 IAS server running RADIUS. Question: Would you put concentrator outside of firewall or inside firewall? Configuration examples greatly appreciated. Or should concentrator stand on its own and not be connected to firewall at all and still have direct access to RADIUS server on internal network? Concentrator will have to terminate site-to-site and individual clients with RADIUS for domain authentication. Will eventually implement authorization and accounting on RADIUS as well.

Remote office: purchase another PIX 515E, 3 interfaces. Use 3rd interface (normally DMZ) for dedicated site-to-site VPN (no requirement for DMZ at remote location), use outside interface for Internet traffic. Two dedicated DSLs, one for VPN to head office, one for Internet. Remote office will be part of domain and have additional domain controller at location. Users must be able to access domain at all times and mail server, file servers located at head office. Internet traffic should default to outside interface. Will put Cisco 3550 EMI switch behind firewall to do routing and Cisco 2950 switch for desktop connectivity. 20-30 users in office. Configuration examples greatly appreciated.

What do you think? Is this design feasible and scalable? As this is only in the planning stages I am open to any and all suggestions for improvement or alternative designs.

Thanks in advance,

Loyalist

 
Hi Loyalist,

Regarding the Central office, you can put the concentrator outside the firewall, onto the DSL. Then connect the inside interface of the concentrator onto the new 4th DMZ port on the PIX. This way you can use the filtering on the PIX to control VPN access to your internal devices. That's my preferred way.

If you put the DSL straight into the 4th port you have to allow any IPSec protocol through the PIX on to the concentrator on your inside network; you lose all the filtering facilities provided by the PIX and have less control over the VPN traffic.

The configuration design for the remote office is ok, my only comment is use a VPN concentrator for client connections. The PIX is fine for site-to-site VPNs but configuration for many VPN clients gets a bit messy. The concentrator provides better support for individual clients.
 
Routerman,

Thanks for the input. In regards to the remote office and a concentrator, my plan would be to have all clients connect to the concentrator at the head office for individual VPN connections, and strictly use the PIX-to-concentrator for the site-to-site connection. However that does raise an interesting question: would individuals that normally work in the remote office be able to connect to the head office concentrator and access the remote network? I believe they would, given that the routing was correct and they had the proper credentials. The key would be giving the VPN address pool the proper routing and statics to reach the resources they need.

Your thoughts?
 
Yes they would, so long as the correct filter rules, encryption ACLs and static routes were in place.

One common issue that does crop up in this type of application is that the remote user's laptop LAN card can retain its remote-site address, so when the VPN connection is established the laptop may see a route to the remote network via the LAN card, not via the VPN.

Another limitation of the PIX is that traffic cannot cross an interface twice, so if the VPN terminated on the outside interface of the PIX and that interface was also the Internet path then the VPN users could not use that link for Internet access. Not an issue in what you described so far but one to remember.
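The remote-office side of this design (dedicated DSL on the PIX's third interface for the site-to-site tunnel, the outside interface for Internet) as an added configuration sketch in PIX 6.x syntax. This is not from the thread or from Cisco documentation; every address is a constructed placeholder (head-office LAN 10.1.1.0/24, remote LAN 192.168.10.0/24, head-office concentrator public address 203.0.113.1, DSL gateways 198.51.100.1 and 192.0.2.1), the interface and map names are assumed, and it assumes the 3DES feature is licensed. The point it shows is the single-default-gateway routing: the default route leaves by outside, and only a host route to the head-office peer leaves by the VPN interface, so Internet traffic never enters the tunnel and the decrypted traffic never has to re-cross the outside interface.

```cisco
! Added example (PIX 6.x), constructed addresses, not the poster's configuration.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
! Third port, normally the DMZ, re-purposed for the site-to-site DSL.
nameif ethernet2 vpn security50
ip address outside 198.51.100.2 255.255.255.252
ip address inside 192.168.10.1 255.255.255.0
ip address vpn 192.0.2.2 255.255.255.252

! The PIX has one default route: everything unknown goes out the Internet DSL...
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
! ...and only the head-office peer is reached through the VPN DSL.
route vpn 203.0.113.1 255.255.255.255 192.0.2.1 1

! Internet-bound users are PATed to the outside address.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
! Traffic for head office is not translated; it is the "interesting" traffic for the tunnel.
access-list hq_traffic permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list hq_traffic

! IKE phase 1 with a pre-shared key; replace the placeholder before use.
isakmp enable vpn
isakmp identity address
isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IPsec phase 2, applied to the dedicated vpn interface (not outside).
crypto ipsec transform-set hq_set esp-3des esp-sha-hmac
crypto map hq_map 10 ipsec-isakmp
crypto map hq_map 10 match address hq_traffic
crypto map hq_map 10 set peer 203.0.113.1
crypto map hq_map 10 set transform-set hq_set
crypto map hq_map interface vpn
! Let decrypted tunnel traffic through without an explicit inbound ACL on vpn.
sysopt connection permit-ipsec
```

The same `hq_traffic` list serves as both the no-NAT rule and the crypto-map match, which keeps the two in step; if the head-office address space grows, only that one list changes. The mirror of this list (head office to remote LAN) must exist on the concentrator side.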
 
Routerman,

In my proposed design would you put the radius server outside of the firewall directly behind the concentrator or would it be better to have it on the inside network?

Loyalist
 
Loyalist

I'd put it on the inside network. This way you have another layer of filtering between the DMZ and the inside network, making the server less exposed to attacks. The design guides would also advise using some form of host-based intrusion detection on the RADIUS server to alert you of problems.
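The head-office side of Routerman's preferred layout (concentrator public interface on the VPN DSL, its private interface on the PIX's new 4th port, RADIUS/IAS on the inside network) as an added configuration sketch in PIX 6.x syntax. It is not from the thread or from Cisco documentation; all addresses are constructed (concentrator private side 192.168.50.2, remote-access pool 192.168.60.0/24, remote-office LAN 192.168.10.0/24, inside 10.1.1.0/24 with IAS at 10.1.1.10, mail at 10.1.1.20 and file server at 10.1.1.30) and the interface and list names are assumed. It shows what the filtering layer buys you: the concentrator itself may only speak RADIUS to the IAS server, and VPN users only reach the specific inside hosts they need.

```cisco
! Added example (PIX 6.x), constructed addresses, not the poster's configuration.
! ethernet3 is the new 4th port; the concentrator's private interface lives here.
nameif ethernet3 vpn security50
interface ethernet3 100full
ip address vpn 192.168.50.1 255.255.255.0

! Remote-access pool and the remote-office LAN both sit behind the concentrator.
route vpn 192.168.60.0 255.255.255.0 192.168.50.2 1
route vpn 192.168.10.0 255.255.255.0 192.168.50.2 1

! Inside hosts keep their real addresses when seen from the vpn interface.
static (inside,vpn) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! Only the concentrator may talk RADIUS (auth 1812, accounting 1813) to IAS.
access-list vpn_in permit udp host 192.168.50.2 host 10.1.1.10 eq 1812
access-list vpn_in permit udp host 192.168.50.2 host 10.1.1.10 eq 1813
! VPN clients and the remote office reach the domain controller / IAS host...
access-list vpn_in permit ip 192.168.60.0 255.255.255.0 host 10.1.1.10
access-list vpn_in permit ip 192.168.10.0 255.255.255.0 host 10.1.1.10
! ...the mail server (SMTP, POP3)...
access-list vpn_in permit tcp 192.168.60.0 255.255.255.0 host 10.1.1.20 eq 25
access-list vpn_in permit tcp 192.168.60.0 255.255.255.0 host 10.1.1.20 eq 110
access-list vpn_in permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 25
access-list vpn_in permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 110
! ...and the file server (SMB over TCP 445).
access-list vpn_in permit tcp 192.168.60.0 255.255.255.0 host 10.1.1.30 eq 445
access-list vpn_in permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.30 eq 445
! Everything else from the VPN side is dropped and logged.
access-list vpn_in deny ip any any log
access-group vpn_in in interface vpn
```

The explicit `deny ip any any log` at the end is what gives the "another layer of filtering" its value: any attempt from the VPN side to reach an inside host not on the list shows up in the PIX syslog, which is the place to watch for a misbehaving client or a compromised concentrator.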
 
Hi.

Here are some of my thoughts.

> Central office will migrate to 4th interface on PIX with dedicated dsl exclusive to VPN traffic
This is possible, but may involve routing problems, because the PIX can use only a single default gateway.
Another possible problem is bandwidth. When you write DSL what exactly do you mean? Is it ADSL? What are the downlink and uplink rates?

Have you considered using private links (leased line/frame relay) instead?
Have you considered using frame relay at the main office, and ADSL at branches?

> Question:Would you put concentrator outside of firewall or inside firewall?
Good question. No single right answer to it.
You can choose between using a single or 2 interfaces of the concentrator (both options are fine).
If using single interface, put it on a dedicated pix interface.
If using 2 interfaces (gives you more control), then I think that the best option is to connect each of them to a dedicated pix interface (so better have 6 interfaces on the main pix and not 4). However this is not a must and any combination that common sense seems to allow is fine.
It is recommended that the pix will protect the VPN server, i.e. not to connect the concentrator public interface directly to the Internet.

(BTW - I haven't implemented concentrators in the field, so my notes are from theoretical study only).

> Concentrator will have to terminate site-to-site and individual clients with radius for domain authentication
If you're going to authenticate to the internal W2K domain, then place the IAS server inside.
However you can also choose to implement a RADIUS server which is stand alone and not related to internal network.
I normally prefer the second method - it requires more administration (duplicate accounts), but can be more secure (IMHO) when using different passwords for each user - one password for VPN, and a different one for W2K Active Directory networking. It can make the attacker's work more difficult.

> Users must be able to access domain at all times and mail server, file servers located at head office.
Again - for better performance and reliability I would consider some kind of leased line instead of VPN.

Please try to describe more about your network and requirements (number of branch offices, number of servers and hosts, expected bandwidth usage, existing configuration, and any other related info).



Yizhar Hurwitz
 
Thanks guys,

In regards to leased lines, I find that they are prohibitively overpriced and a pain to maintain, therefore SDSL is more practical, 4 Mbps up and downstream. Only one remote site at this time, do not expect a large amount of traffic, however they will require dedicated connection to head office, therefore the site-to-site configuration. Will be installing domain controller at remote location to reduce WAN traffic. Only 16 users at remote location. RADIUS server will go inside on corporate network, currently looking at a 6 interface 515E to replace current 3 interface model. Licensing alone to upgrade current 515E to unrestricted to allow 4th interface too expensive, cheaper to buy the 6 interface UR model and redeploy current PIX to remote office. BTW, this remote office currently has nothing installed, will all be built from scratch.

Regarding the placement of the concentrator, I feel that routerman's suggestion would be much easier to implement, however I am concerned about security in having the concentrator sit outside the firewall unprotected. Yizhar's solution to put the concentrator behind the firewall is more secure but the tradeoff would be a lot more configuration and potential routing issues. I see 2 ways to implement the concentrator behind the firewall:

1. One-interface concentrator configuration and essentially have the concentrator and RADIUS sit on the corporate network (on a different subnet for VPN), allowing all IPsec traffic to pass through the PIX and directly to the concentrator/RADIUS server. Benefit: easy to configure. Negative: how secure is it? Need 2 interfaces on RADIUS server.
2. Two-interface concentrator configuration requiring 2 dedicated PIX interfaces. Essentially bring the VPN traffic in through one interface and translate it out through another interface to the concentrator and RADIUS server, which would then authenticate and allow back through to the corporate network. Benefit: very secure, isolate VPN traffic. Negative: difficult to configure, requires multiple address translations.

Thoughts?
 