Hello,
So, I’m getting kind of obsessed with networking and I wanted to experiment with something but I’m not quite sure of what I’m doing.
So, basically the question is:
If you are the network engineer of a company and you have, for example, the engineering department. Every computer in this department has to set up a VPN connection to a server in Tokyo, which is the only IP whitelisted to access a server with papers on the new project, for example.
So, every computer has a VPN connected. However, you could do this in a better way by having a VPN client on the router and then routing the traffic from a specific VLAN (that VLAN, for example) through a specific interface, which is the one for the VPN connection, and the issue of one of the employees trying to connect and not succeeding because the VPN is not up would not exist anymore.
Is this a good approach? Is there any better way to approach this? More secure/stable?
In this scenario I think a site to site vpn would work best
So I agree with the P2P VPN on the firewall. This also gives you the option of an extra layer of transport encryption besides TLS - assuming a web server. One downside is the operators who need access are forced to connect from the corporate LAN unless some other arrangements are made. You also have to be careful how you architect the server side LAN, since this P2P VPN is only as secure as the network security at both ends.
An alternative is to use a P2P to connect this distant server to a proxy in your corporate on-premise data center and have your operators connect to this local proxy. More to set up, but if done correctly, can reduce the threat surface from your corporate PCs.
Important points are that VPN is a very generic term and only as secure as you design it. Also, there are many ways to build it, so the devil is in the details.
VLANs are usually used to reduce subnet size and segment different parts of your controlled network space based on network topology or geography or organizational breakdown or types of devices. To use VLANs you have to control the network equipment throughout the infrastructure.
Have your firewall do the VPN session and your routing table would then point to the firewall with a /32 route (that one server), and your clients would follow the routing, traverse the VPN tunnel and hit the server.
If you see this, it’s because you believe in Jesus Christ, Lucifer or none of them.
IPsec is absolutely not outdated. It’s pretty much a cornerstone of enterprise level VPN configurations.
A site to site VPN connection is a connection between two network-level devices, usually firewalls in the business world (but could be routers on a personal level). They're used, like in the scenario you provided, where secure communication needs to happen between a business's sites in different locations.
OpenVPN is a more small business/power user solution for connecting user devices to a VPN back to the office. No enterprise firewalls I know of support connecting to an OpenVPN server or running an OpenVPN server.
Source: network admin responsible for Palo Alto firewall.
I would personally set this scenario up with a site to site connection, then a static route to route all traffic going from the local office to the remote server through said site to site. Then a security rule that only allows traffic from users identified as members of the Engineering department.
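The design in the two replies above (a /32 host route toward the site-to-site tunnel, plus a security rule that lets only Engineering reach the remote server) can be simulated to check that the rulebase does what you expect before committing it to a firewall. This is an added example, not code from anyone in the thread or from any vendor; the server address, interface names and the Engineering VLAN subnet are constructed placeholders, and group membership is approximated by source subnet rather than a real user-identification feature.

```python
import ipaddress

# Constructed values (not from the thread): the whitelisted remote server
# and the Engineering VLAN subnet. Other VLANs must not reach the server.
REMOTE_SERVER = ipaddress.ip_network("203.0.113.10/32")
ENGINEERING_VLAN = ipaddress.ip_network("10.20.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Routing table: a /32 host route toward the site-to-site tunnel interface
# and a default route toward the ISP uplink. Lookup is longest-prefix match.
ROUTES = [
    (REMOTE_SERVER, "tunnel.1"),   # only this one host goes through the VPN
    (ANY, "ethernet1/1"),          # everything else goes to the Internet
]

# Security rulebase, evaluated top-down, first match wins, implicit deny:
# (source network, destination network, egress interface, action)
POLICY = [
    (ENGINEERING_VLAN, REMOTE_SERVER, "tunnel.1", "allow"),  # Engineering only
    (ANY, ANY, "tunnel.1", "deny"),                           # nobody else via VPN
    (ANY, ANY, "ethernet1/1", "allow"),                       # normal Internet access
]


def lookup_route(dst):
    """Return the egress interface for dst using longest-prefix match."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def evaluate(src, dst):
    """Simulate the firewall: resolve the route, then apply the first matching rule.

    Returns (egress_interface, action); no matching rule means implicit deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = lookup_route(dst)
    for src_net, dst_net, egress, action in POLICY:
        if src_ip in src_net and dst_ip in dst_net and egress == iface:
            return iface, action
    return iface, "deny"
```

Running `evaluate("10.30.0.5", "203.0.113.10")` for a host outside the Engineering VLAN shows the packet is steered into the tunnel by the route but dropped by the second rule, which is the check that the /32 route alone does not enforce access.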
Absolutely. And if you’re looking for “enhanced security” you can always configure a more complex encryption profile for the connection.