SSL VPN Two Leg Deployment Design

SOLVED
aeroplane_
Regular Contributor

SSL VPN Two Leg Deployment Design

Hello Experts

Is there any security concern when connecting the external port of the SSL VPN to the public DMZ behind the perimeter firewall and the internal port directly to the core firewall/core switch? My concern is that, in this way, we are connecting the public DMZ segment and the inside network back to back physically through the SSL VPN device.

Thank You

1 ACCEPTED SOLUTION

Accepted Solutions
em_platinum_
Contributor

Re: SSL VPN Two Leg Deployment Design

This is a common question that applies to more than just Juniper's SSL VPN product, and it's really about risk exposure tolerances.

Connecting the internal port right into the LAN is the easiest way to deploy, but should the device software get exploited, a hacker could potentially gain unrestricted access to all LAN resources, assuming you have no internal access controls on the LAN segment the device is connected to.

A general best practice for security would be to not have a device accepting internet-facing connections directly connected to the LAN, but this is a more complex setup. There are many ways to accomplish this with both 1- and 2-arm configurations.

In general, a secure and fairly easy configuration would be 1 arm in the DMZ, which would use only the internal port.

Check out this KB for all the options: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10162

It talks about the SA-6000 but it's relevant to any SA/MAG device with an internal/external interface. It's also relevant to just about any device (or virtual appliance) where you have at least 2 interfaces available.

2 REPLIES 2
aeroplane_
Regular Contributor

Re: SSL VPN Two Leg Deployment Design

Thank you
