1.3.5. VPN Gateway
The VPN Gateway allows remote users to establish a VPN connection from a remote location to the corporate network. It also enforces segmentation access policies that depend on the user profile. Managing the VPN Gateway requires an additional machine, the CMI console, which provides centralized management of all VPN Gateway nodes.
It is a mandatory component of the Secure Remote Access (2SRA) module, which includes critical components such as:
Policy Enforce: Stateful firewall module that allows access rules to be defined and enforced based on source and destination IP address and port.
VPN Roadwarrior: Allows the configuration of the VPN Gateway: authentication, encryption, pool of IP addresses, internal networks, dynamic zones, etc.
Traffic Log Monitor: Using Filebeat (ELK), the accepted and denied firewall traffic logs are sent to the CMI management console for visualization.
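To make the behaviour of a profile-based stateful access policy concrete, the following is an added example, not the 2SRA Policy Enforce code (this page does not describe its rule format). It assumes a hypothetical layout in which each user profile is tied to its own VPN address pool, rules are evaluated first match wins with a default deny, and a connection table lets the return packets of an accepted flow through without a second rule lookup. The accept/deny log lines it produces are also hypothetical, standing in for the firewall traffic logs that Filebeat would ship to the CMI console.

```python
"""Illustrative profile-based stateful access policy (added example,
not the VPN Gateway / 2SRA implementation).

Assumptions (all hypothetical):
- every remote user gets an address from a pool bound to one profile
- rules map (profile, destination network, protocol, port) -> action
- first matching rule wins, anything unmatched is denied
- return traffic of an accepted flow is allowed by connection state
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    profile: str
    dst_net: ipaddress.IPv4Network
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "deny"


# Hypothetical VPN pools: profile -> addresses handed out to that profile
POOLS: Dict[str, ipaddress.IPv4Network] = {
    "employee": ipaddress.ip_network("10.200.1.0/24"),
    "contractor": ipaddress.ip_network("10.200.2.0/24"),
}

# Hypothetical rule set: employees reach the office LAN on any TCP port and
# the DMZ on 443; contractors only reach the DMZ on 443.
RULES: List[Rule] = [
    Rule("employee", ipaddress.ip_network("192.168.10.0/24"), "tcp", None, "accept"),
    Rule("employee", ipaddress.ip_network("192.168.20.0/24"), "tcp", 443, "accept"),
    Rule("contractor", ipaddress.ip_network("192.168.20.0/24"), "tcp", 443, "accept"),
]

Flow = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport


class StatefulPolicy:
    def __init__(self, pools: Dict[str, ipaddress.IPv4Network], rules: List[Rule]):
        self.pools = pools
        self.rules = rules
        self.established: Set[Flow] = set()  # accepted forward flows
        self.log: List[str] = []             # constructed accept/deny log lines

    def profile_of(self, src: str) -> Optional[str]:
        """Map a source address to the profile owning its pool, if any."""
        addr = ipaddress.ip_address(src)
        for profile, net in self.pools.items():
            if addr in net:
                return profile
        return None

    def _record(self, action: str, proto: str, src: str, sport: int,
                dst: str, dport: int, reason: str) -> str:
        self.log.append(f"{action.upper()} proto={proto} src={src}:{sport} "
                        f"dst={dst}:{dport} reason={reason}")
        return action

    def evaluate(self, proto: str, src: str, sport: int, dst: str, dport: int) -> str:
        """Return "accept" or "deny" for one packet and record the decision."""
        flow: Flow = (proto, src, dst, sport, dport)
        # Reply packet of an already accepted flow: allowed by state alone.
        if (proto, dst, src, dport, sport) in self.established:
            return self._record("accept", proto, src, sport, dst, dport, "established")
        profile = self.profile_of(src)
        if profile is None:
            # Not from any VPN pool: unsolicited inbound traffic is never trusted.
            return self._record("deny", proto, src, sport, dst, dport, "no-profile")
        dst_addr = ipaddress.ip_address(dst)
        for r in self.rules:
            if r.profile != profile or r.proto != proto:
                continue
            if dst_addr not in r.dst_net:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            if r.action == "accept":
                self.established.add(flow)
            return self._record(r.action, proto, src, sport, dst, dport, f"rule:{profile}")
        return self._record("deny", proto, src, sport, dst, dport, "default")


if __name__ == "__main__":
    policy = StatefulPolicy(POOLS, RULES)
    policy.evaluate("tcp", "10.200.1.5", 40000, "192.168.10.20", 22)   # employee -> LAN
    policy.evaluate("tcp", "192.168.10.20", 22, "10.200.1.5", 40000)   # reply
    policy.evaluate("tcp", "10.200.2.5", 40000, "192.168.10.20", 22)   # contractor -> LAN
    print("\n".join(policy.log))
```

The point worth noticing is the `no-profile` branch: a packet whose source is not in any pool gets denied before any rule is consulted, so the rule set can stay written purely in terms of profiles rather than individual addresses.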
Note
The VPN Gateway is a critical node in the solution, and a high-availability deployment is recommended. The number of nodes needed to provide this high availability depends on the deployment requirements and the final architecture design. If this module is offline, no VPN connections can be established.
1.3.5.1. Sizing a VPN Terminator Instance
The sizing of the Network Access solution infrastructure can be inferred directly from the expected workload the NAC must sustain: number of users, IP addresses, authentication types and use cases deployed. That workload may be difficult to estimate, but estimating it is a crucial exercise for building an efficient NAC architecture.
The minimum hardware specifications for the VPN Gateway are:

Resources | Minimum
---|---
Memory | 8 GB
CPU | 4 CPUs
Disk Size | 100 GB
Disk Type | SSD
Network | 2 NIC**
Note
** The 2 network interfaces are intended for service and management traffic respectively (the management interface carries the internal communication between the different nodes).