
VGVA Most Secure Configuration?

RJ45
New Contributor II

I am setting up a VGVA to terminate VPN connections from AP150Ws at several satellite offices and for WFH staff. We normally put things like this that expose an interface to the internet in a DMZ, so that is where I started with the VGVA, but it looks like the second interface on the VGVA is meant to be connected directly to an internal network segment in order to bridge L2 traffic from devices connected to the AP150. I feel like this is not a great idea since, if the VGVA is compromised, it will give attackers an interface directly to the internal network.

 

I am wondering what the recommended way to go about this is? I was thinking the first thing to try is connecting the VGVA's second interface to a port on the firewall, and putting in rules to let the clients reach the internal network from there... and probably a DHCP relay.

 

Anyhow I am interested to hear how you all have been setting this thing up and keeping it as secure as possible.

 

Thanks

C
1 REPLY

LaurentA
New Contributor II

Hi,

As the VGVA terminates L2VPN traffic, it explains why the secondary interface has to be directly in the VLAN that you want your user profiles to be in. From a security point of view, you're right: the VGVA has an interface facing the Internet, and another one directly into the internal networks (with multiple VLANs depending on how many user profiles you are exposing), which makes the VGVA a "hot spot". Fortunately, the attack surface is limited, as only ports UDP/4500 and UDP/500 need to be open from the Internet.
Finally, if you want to "firewall" traffic between the VGVA and your internal networks, there are some firewalls out there that support filtering in "bridge mode" (proxy ARP instead of L3 routing). I work with "Stormshield" firewalls and they can handle this (you need to create a "Bridge" for each VLAN you want to firewall).


In my opinion, the security concern is not the VGVA but the other "end" (AP150W or others); especially take a close look at:

- Bridge Ethernet port (anybody connected to these ports is in your LAN, depending on the user profile you set)
- Wireless security (the security level should be at least the same as in the HQ building, EAP-TLS for instance), so that an attacker is facing the same level of protection wherever he looks for an entry point.

Regards,

Laurent.
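An added audit script, not part of the thread and not Extreme Networks or Stormshield code, that checks the point made in the reply above: that the only inbound services reachable on the VGVA's Internet-facing side are UDP/500 (IKE) and UDP/4500 (IPsec NAT-T). It assumes the VGVA's public interface sits behind a Linux host using nftables, that the output of `nft list ruleset` has been saved, and that the Internet-facing interface is called "wan0"; the two rulesets embedded in it (one over-exposed, one with only the IPsec ports open) are constructed for illustration.

```python
"""Audit what a Linux/nftables firewall accepts on the interface in front of a
VPN concentrator.  Added example, not part of the thread: it assumes the VGVA's
public side sits behind a Linux host, that the saved output of `nft list ruleset`
is available, and that the Internet-facing interface is named "wan0".  Both
rulesets below are constructed for illustration."""
import re

# IKE (UDP/500) and IPsec NAT-T (UDP/4500): the only inbound services an
# IKEv2/IPsec VPN terminator needs reachable from the Internet.
EXPECTED_WAN_SERVICES = frozenset({("udp", 500), ("udp", 4500)})

# Constructed ruleset with too much exposed on wan0 (SSH and a web UI).
WEAK_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "wan0" udp dport { 500, 4500 } accept
        iifname "wan0" tcp dport 22 accept
        iifname "wan0" tcp dport 8080-8081 accept
        iifname "lan0" udp dport 67 accept
    }
}
"""

# Same ruleset with only the IPsec ports open towards the Internet.
HARDENED_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "wan0" udp dport { 500, 4500 } accept
        iifname "lan0" udp dport 67 accept
    }
}
"""

# One rule per line, as `nft list ruleset` prints them: match the ingress
# interface, the L4 protocol, a dport (single, range or set) and an accept verdict.
_ACCEPT_RE = re.compile(
    r'\biif(?:name)?\s+"?(?P<iif>[\w.-]+)"?.*?'
    r'\b(?P<proto>tcp|udp)\s+dport\s+(?P<ports>\{[^}]*\}|\d+(?:-\d+)?)\s+accept\b'
)
_POLICY_RE = re.compile(
    r'type\s+filter\s+hook\s+(?P<hook>\w+)\s+priority\s+[^;]*;\s*policy\s+(?P<policy>\w+)\s*;'
)


def _expand_ports(spec):
    """Turn '22', '8080-8081' or '{ 500, 4500 }' into a set of port numbers."""
    ports = set()
    for token in spec.strip("{} ").split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def accepted_services(ruleset, iif):
    """Return the set of (proto, port) pairs accepted on interface `iif`."""
    services = set()
    for line in ruleset.splitlines():
        m = _ACCEPT_RE.search(line)
        if m and m.group("iif") == iif:
            for port in _expand_ports(m.group("ports")):
                services.add((m.group("proto"), port))
    return services


def chain_policy(ruleset, hook="input"):
    """Default policy of the base chain attached to `hook`, or None if absent."""
    for m in _POLICY_RE.finditer(ruleset):
        if m.group("hook") == hook:
            return m.group("policy")
    return None


def audit(ruleset, wan_if, expected=EXPECTED_WAN_SERVICES):
    """Compare what wan_if accepts against the expected IPsec-only set."""
    observed = accepted_services(ruleset, wan_if)
    return {
        "unexpected": sorted(observed - expected),   # extra exposure to close
        "missing": sorted(expected - observed),      # VPN would not come up
        "default_policy": chain_policy(ruleset),     # anything but drop is a finding
    }


if __name__ == "__main__":
    for name, rs in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(rs, "wan0"))
```

Run it against a real export (`nft list ruleset > ruleset.txt`) by passing the file contents to `audit()` with your WAN interface name; anything listed under "unexpected", or an input chain whose policy is not "drop", is exposure beyond what the VPN terminator needs. The parser only understands the one-rule-per-line form that `nft list ruleset` prints and ignores named sets, so rules using `@setname` would need to be resolved by hand.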
