I have a 3-legged router/firewall setup with a DMZ subnet, a private
subnet, and the WAN. On the private subnet, I have two file servers, a
DNS/DHCP/Print server, and a DC. In the DMZ, I have a web server and a
DNS server. I do not allow any traffic from the DMZ to the internal
network and only allow DNS and HTTP traffic form the internet to the
DMZ. What is the most secure way to add an email server and VPN server
into the network. I don’t want to allow any traffic directly form the
internet to the internal network and I don’t want to allow any traffic
from the DMZ to the internal network. How do most corporate environments
with a focus on security have this setup?
Most environments I’ve seen allow the VPN traffic to a machine with an
internal network NIC (either as the only NIC or as a second NIC with the
other NIC being in the DMZ or something). That machine, then, handles the
VPN negotiations and only forwards traffic from VPN clients once they are
authenticated and assuming their traffic should go to the internal
network. Setting this up with OpenVPN is pretty easy, though sometimes
there are a lot of steps involved; the OpenVPN site has a great
walk-through/howto that covers just about everything: http://openvpn.net/index.php/open-source/documentation/howto.html
You could potentially have the VPN box entirely outside the internal
network (DMZ or whatever) but then to get the VPN traffic into the network
would require a bit of router fun, and I do not see how that would be
worth it; either the router would allow it in after you configured it to
do so, or the box itself could just plug in internally and switches could
handle the rest. Either way traffic from this box will get to the
internal network when addressed appropriately.