VPNs and Firewalls
A firewall employs packet filtering to allow or disallow the flow of very specific types of network traffic. IP packet filtering provides a way for you to define precisely what IP traffic is allowed to cross the firewall. IP packet filtering is important when you connect private intranets to public networks like the Internet.
VPN Server and Firewall Configurations
There are two approaches to using a firewall with a VPN server:
The VPN server is attached to the Internet and the firewall is between the VPN server and the intranet.
The firewall is attached to the Internet and the VPN server is between the firewall and the intranet.
VPN Server in Front of the Firewall
With the VPN server in front of the firewall attached to the Internet, as shown in Figure 9.17, you need to add packet filters to the Internet interface that only allow VPN traffic to and from the IP address of the VPN server's interface on the Internet.
For inbound traffic, when the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which employs its filters to allow the traffic to be forwarded to intranet resources. Because the only traffic that is crossing the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources.
Because the only Internet traffic allowed on the intranet must go through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.
Figure 9.17 VPN Server on the Internet in Front of the Firewall
For the Internet interface on the VPN server, configure the following input and output filters using the Routing and Remote Access snap-in.
Packet Filters for PPTP
Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:
Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP destination port of 1723 (0x06BB).
This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F).
This filter allows PPTP tunneled data from the PPTP client to the PPTP server.
Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] source port of 1723 (0x06BB).
This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is accepted only if the VPN server initiated the TCP connection.
Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:
Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP source port of 1723 (0x06BB).
This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.
Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and IP Protocol ID of 47 (0x2F).
This filter allows PPTP tunneled data from the VPN server to the VPN client.
Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and TCP [established] destination port of 1723 (0x06BB).
This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is sent only if the VPN server initiated the TCP connection.
Packet Filters for L2TP over IPSec
Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:
Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 500 (0x01F4).
This filter allows Internet Key Exchange (IKE) traffic to the VPN server.
Destination IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP destination port of 1701 (0x6A5).
This filter allows L2TP traffic from the VPN client to the VPN server.
Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:
Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 500 (0x01F4).
This filter allows IKE traffic from the VPN server.
Source IP address of the VPN server's Internet interface, subnet mask of 255.255.255.255, and UDP source port of 1701 (0x6A5).
This filter allows L2TP traffic from the VPN server to the VPN client.
No filters are required for IPSec ESP traffic (IP protocol 50): the Routing and Remote Access service filters are applied after the IPSec module of TCP/IP removes the ESP header.
VPN Server Behind the Firewall
In a more common configuration, illustrated in Figure 9.18, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a demilitarized zone (DMZ). The DMZ is an IP network segment that typically contains resources available to Internet users such as Web servers and FTP servers. The VPN server has an interface on the DMZ and an interface on the intranet.
In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ.
Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.
Figure 9.18 VPN Server Behind the Firewall on the Internet
For the Internet interface on the firewall, the following input and output filters need to be configured using the firewall's configuration software.
Packet Filters for PPTP
Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:
Destination IP address of the VPN server's DMZ interface and TCP destination port of 1723 (0x06BB).
This filter allows PPTP tunnel maintenance traffic from the PPTP client to the PPTP server.
Destination IP address of the VPN server's DMZ interface and IP Protocol ID of 47 (0x2F).
This filter allows PPTP tunneled data from the PPTP client to the PPTP server.
Destination IP address of the VPN server's DMZ interface and TCP [established] source port of 1723 (0x06BB).
This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is accepted only if the VPN server initiated the TCP connection.
Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:
Source IP address of the VPN server's DMZ interface and TCP source port of 1723 (0x06BB).
This filter allows PPTP tunnel maintenance traffic from the VPN server to the VPN client.
Source IP address of the VPN server's DMZ interface and IP Protocol ID of 47 (0x2F).
This filter allows PPTP tunneled data from the VPN server to the VPN client.
Source IP address of the VPN server's DMZ interface and TCP [established] destination port of 1723 (0x06BB).
This filter is required only if the VPN server is acting as a VPN client (a calling router) in a router-to-router VPN connection. When you select TCP [established], traffic is sent only if the VPN server initiated the TCP connection.
Packet Filters for L2TP over IPSec
Configure the following input filters with the filter action set to Drop all packets except those that meet the criteria below:
Destination IP address of the VPN server's DMZ interface and UDP destination port of 500 (0x01F4).
This filter allows IKE traffic to the VPN server.
Destination IP address of the VPN server's DMZ interface and IP Protocol ID of 50 (0x32).
This filter allows IPSec ESP traffic from the VPN client to the VPN server.
Configure the following output filters with the filter action set to Drop all packets except those that meet the criteria below:
Source IP address of the VPN server's DMZ interface and UDP source port of 500 (0x01F4).
This filter allows IKE traffic from the VPN server.
Source IP address of the VPN server's DMZ interface and IP Protocol ID of 50 (0x32).
This filter allows IPSec ESP traffic from the VPN server to the VPN client.
No filters are required for L2TP traffic on UDP port 1701: at the firewall, all L2TP traffic, including tunnel maintenance and tunneled data, is encrypted as an IPSec ESP payload.
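The following is an added worked example, not code from the page or from Microsoft: a small Python model of the "drop all packets except those that meet the criteria" filter sets from both sections above (the filters on the VPN server's own Internet interface, and the filters on a firewall placed in front of the VPN server). The addresses are constructed for the example, the 255.255.255.255 host mask is evaluated with the standard ipaddress module, and the TCP [established] option is represented by a per-packet server_initiated flag that stands in for the connection state the real filter consults. It shows why the same L2TP over IPSec connection needs a UDP 1701 filter on the VPN server (which sees the packet after ESP is removed) but an IP protocol 50 filter on the firewall (which sees only the ESP envelope).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for this example (not from the page): the VPN server's
# Internet (or DMZ) interface, one remote VPN client, and an unrelated host.
VPN_SERVER = "203.0.113.10"
VPN_CLIENT = "198.51.100.7"
OTHER_HOST = "203.0.113.11"

# IP protocol IDs used by the filters on the page: 47 (0x2F) is GRE, 50 (0x32) is ESP.
TCP, UDP, GRE, ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    # Stand-in for the state TCP [established] checks: True when the packet
    # belongs to a TCP connection that the VPN server itself opened.
    server_initiated: bool = False


@dataclass(frozen=True)
class Filter:
    """One filter: an address/mask on one side, a protocol, and optional ports."""
    side: str            # "dst" for an input filter, "src" for an output filter
    addr: str
    proto: int
    mask: str = "255.255.255.255"   # host mask: exactly one address matches
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False       # the TCP [established] option

    def matches(self, pkt: Packet) -> bool:
        net = ipaddress.ip_network(f"{self.addr}/{self.mask}", strict=False)
        if ipaddress.ip_address(getattr(pkt, self.side)) not in net:
            return False
        if pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established and not pkt.server_initiated:
            return False
        return True


def permitted(filters: List[Filter], pkt: Packet) -> bool:
    """Drop all packets except those that meet the criteria: any match passes."""
    return any(f.matches(pkt) for f in filters)


# PPTP filters on the VPN server's Internet interface (VPN server in front of the firewall).
PPTP_IN = [
    Filter("dst", VPN_SERVER, TCP, dport=1723),                    # tunnel maintenance, client -> server
    Filter("dst", VPN_SERVER, GRE),                                 # tunneled data
    Filter("dst", VPN_SERVER, TCP, sport=1723, established=True),  # replies only to connections the server opened
]
PPTP_OUT = [
    Filter("src", VPN_SERVER, TCP, sport=1723),
    Filter("src", VPN_SERVER, GRE),
    Filter("src", VPN_SERVER, TCP, dport=1723, established=True),
]

# L2TP over IPSec as filtered by the Routing and Remote Access service on the VPN
# server: these filters run after the ESP header is removed, so they see UDP 1701.
L2TP_IN_ON_VPN_SERVER = [
    Filter("dst", VPN_SERVER, UDP, dport=500),
    Filter("dst", VPN_SERVER, UDP, dport=1701),
]

# L2TP over IPSec as filtered by a firewall in front of the VPN server: it sees
# only IKE and the ESP envelope, never L2TP on UDP 1701 in the clear.
L2TP_IN_ON_FIREWALL = [
    Filter("dst", VPN_SERVER, UDP, dport=500),
    Filter("dst", VPN_SERVER, ESP),
]


def pptp_checks() -> dict:
    """Representative inbound packets against the PPTP input filter set."""
    return {
        "tunnel_maintenance": permitted(PPTP_IN, Packet(VPN_CLIENT, VPN_SERVER, TCP, sport=40000, dport=1723)),
        "gre_data": permitted(PPTP_IN, Packet(VPN_CLIENT, VPN_SERVER, GRE)),
        "unsolicited_from_1723": permitted(PPTP_IN, Packet(VPN_CLIENT, VPN_SERVER, TCP, sport=1723, dport=40000)),
        "reply_to_server_call": permitted(PPTP_IN, Packet(VPN_CLIENT, VPN_SERVER, TCP, sport=1723, dport=40000, server_initiated=True)),
        "http_to_vpn_server": permitted(PPTP_IN, Packet(VPN_CLIENT, VPN_SERVER, TCP, sport=40000, dport=80)),
        "pptp_to_other_host": permitted(PPTP_IN, Packet(VPN_CLIENT, OTHER_HOST, TCP, sport=40000, dport=1723)),
    }


def l2tp_checks() -> dict:
    """The same L2TP/IPSec packets seen at the firewall and at the VPN server."""
    ike = Packet(VPN_CLIENT, VPN_SERVER, UDP, sport=500, dport=500)
    esp = Packet(VPN_CLIENT, VPN_SERVER, ESP)
    l2tp_clear = Packet(VPN_CLIENT, VPN_SERVER, UDP, sport=1701, dport=1701)
    return {
        "firewall_ike": permitted(L2TP_IN_ON_FIREWALL, ike),
        "firewall_esp": permitted(L2TP_IN_ON_FIREWALL, esp),
        "firewall_l2tp_in_clear": permitted(L2TP_IN_ON_FIREWALL, l2tp_clear),          # no 1701 filter at the firewall
        "vpn_server_l2tp_after_esp_removed": permitted(L2TP_IN_ON_VPN_SERVER, l2tp_clear),
    }


if __name__ == "__main__":
    print(pptp_checks())
    print(l2tp_checks())
```

The two dictionaries make the page's rules concrete: a packet arriving from source port 1723 is dropped unless the VPN server opened that connection, anything addressed to a host other than the VPN server's interface is dropped by the host mask regardless of port, and L2TP on UDP 1701 is dropped by the firewall filter set but accepted by the VPN server's set.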