Is there any security concern when connecting the external port of the SSL VPN to the public DMZ behind the perimeter firewall and the internal port directly to the core firewall/core switch? My concern is that, in this way, we are connecting the public DMZ segment and the inside network back to back physically through the SSL VPN device.
This is a common question that applies to more than just Juniper's SSL VPN product, and it's really about risk exposure tolerances.
Connecting the internal port right into the LAN is the easiest way to deploy, but should the device software get exploited, a hacker could potentially gain unrestricted access to all LAN resources, assuming you have no internal access controls on the LAN segment the device is connected to.
A general best practice for security would be not to have a device accepting internet-facing connections directly connected to the LAN, but this is a more complex setup. There are many ways to accomplish this with both 1- and 2-arm configurations.
In general, a secure and fairly easy configuration would be 1 arm in DMZ, which would use only the internal port,
Check out this KB for all the options: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10162
It talks about the SA-6000 but it's relevant to any SA/MAG device with an internal/external interface. It's also relevant to just about any device (or virtual appliance) where you have at least 2 interfaces available.
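The trade-off described in the answer above (internal port patched straight into the LAN versus a one-arm deployment in the DMZ behind a core-firewall policy) can be made concrete by asking what a compromised appliance could reach under each design. The following is an added example, not code from the original thread or from the vendor; the addresses, service inventory and rule sets are constructed for illustration. It implements a small first-match ACL evaluator (implicit deny) and compares the services reachable from the appliance's internal address under an unfiltered LAN placement against a DMZ placement where the core firewall permits only the flows remote users actually need.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule; port None means any port."""
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    port: Optional[int] = None


def flow_permitted(rules, src_ip, dst_ip, port):
    """Evaluate a flow against rules in order; implicit deny if nothing matches."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action == "allow"
    return False


# Constructed inventory of internal services (hypothetical addresses).
LAN_SERVICES = [
    ("10.0.10.10", 389,  "directory server (LDAP)"),
    ("10.0.10.10", 88,   "directory server (Kerberos)"),
    ("10.0.10.5",  445,  "file server (SMB)"),
    ("10.0.20.7",  443,  "intranet web app"),
    ("10.0.20.8",  1433, "database"),
    ("10.0.30.44", 3389, "workstation (RDP)"),
]

# Deployment 1: internal port patched straight into the LAN, no ACL on that segment.
VPN_IN_LAN = "10.0.10.200"
LAN_RULES = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]   # nothing filters east-west traffic

# Deployment 2: one-arm in the DMZ; the core firewall permits only what remote users need.
VPN_IN_DMZ = "192.168.100.10"
DMZ_RULES = [
    Rule("allow", "192.168.100.10/32", "10.0.10.10/32", 389),   # user authentication
    Rule("allow", "192.168.100.10/32", "10.0.20.7/32", 443),    # the published web app
    Rule("deny",  "192.168.100.0/24",  "10.0.0.0/8"),           # everything else from the DMZ
]


def reachable_services(rules, appliance_ip):
    """Services a compromised appliance could reach, given the policy in front of it."""
    return sorted((host, port) for host, port, _ in LAN_SERVICES
                  if flow_permitted(rules, appliance_ip, host, port))


def exposure_report(rules, appliance_ip):
    """Summarise blast radius as reachable/total plus the list of reachable (host, port)."""
    hit = reachable_services(rules, appliance_ip)
    return {"reachable": len(hit), "total": len(LAN_SERVICES), "services": hit}


if __name__ == "__main__":
    for label, rules, ip in (("internal port on LAN", LAN_RULES, VPN_IN_LAN),
                             ("one-arm in DMZ", DMZ_RULES, VPN_IN_DMZ)):
        rep = exposure_report(rules, ip)
        print(f"{label}: {rep['reachable']}/{rep['total']} services reachable")
        for host, port in rep["services"]:
            print(f"  {host}:{port}")
```

Run as a script it prints 6/6 services reachable for the LAN placement and 2/6 for the DMZ placement. The point is not the evaluator itself but the rule set in front of the appliance's internal interface: the DMZ design only reduces exposure if the core firewall policy is written as an explicit allow-list of the directory and application flows the VPN users need, followed by a deny for the rest of the DMZ range.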