Isolated network in LAN accessible via separate VPN
Due to concerns surrounding client security, I am being asked to provide feedback on how best to implement the following:
• A new “private” network is to be created on which to host servers with client data and virtual machines that select staff would use to work on this data.
• The new network should only be accessible from the LAN on the primary domain and only after logging into a VPN to access it.
• The new network would be accessed by select staff but should require different credentials than that of the primary company domain.
• We already use a VPN application when staff work from home but management doesn’t want the new “private” network accessible directly from the existing VPN application. They want staff to be required to access the regular VPN to access their office PCs first and only then access a separate VPN with different credentials for the private network to access the client data from their virtual machines.
• On the private network we would still need to:
  ◦ regularly patch the endpoints
  ◦ transfer programming code from the primary domain when necessary to run on a SQL server that contains client data
  ◦ perform regular backups
I know I can create a new forest in our existing domain and a new domain controller to create a new security boundary. I understand that in this scenario there is no trust by default between the new forest and the forest that contains the primary company domain. However, I am unclear on how to implement the rest of the request and/or whether this is the best option.
How would I:
• configure a separate VPN connection using Cisco AnyConnect or similar VPN client to be used to access the new network? Can this be configured in the existing firewall for the separate VPN access or would this require a separate firewall?
• I understand that zones can be used within the firewall and that access rules can be used to block or allow access between zones, but management is concerned that if this path is followed and a staff member's PC on the primary domain is compromised, and they then access the private network in the new forest, the virtual machine in that forest would also be compromised. This is why management wants staff to have to access a separate VPN with different domain credentials to access the private network.
Does anyone have recommendations for best practices on making this work?
**5/18/21 - I updated the question as it really pertains to creating a private network on the LAN.**
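The following is an added example, not code from the original post or from any answer to it, showing the Windows-side pieces of the design the question describes: a fresh forest as the security boundary, a check that no trust exists, and host firewall rules on the private-network VMs so that RDP and the code-drop share accept connections only from the private VPN's address pool. The forest name `clientdata.local`, the NetBIOS name `CLIENTDATA`, the group `CodeDeployers`, the share path `C:\Drop`, and the VPN pool `10.99.0.0/24` are assumptions; the perimeter firewall's zone rules and the AnyConnect profile are configured on the firewall and are not shown here.

```powershell
# Added example (not from the original post). Assumed values:
#   private forest      clientdata.local / CLIENTDATA
#   private VPN pool    10.99.0.0/24  (addresses AnyConnect hands out for the second VPN)
#   code-drop share     C:\Drop, writable by CLIENTDATA\CodeDeployers
# Adjust these to your environment.

# --- 1. On the server that will become the private forest's domain controller.
# A new forest is its own security boundary: it has no trusts until someone
# creates one, so primary-domain credentials are not valid here.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest `
    -DomainName 'clientdata.local' `
    -DomainNetbiosName 'CLIENTDATA' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- 2. After the reboot: confirm the boundary is closed.
# Expect no output. Any object returned is a trust that someone created,
# which would let a compromised primary-domain account reach this forest.
Get-ADTrust -Filter *

# --- 3. On each VM inside the private network: host firewall as a second
# layer behind the perimeter firewall's zone rules. Block all inbound
# traffic by default, then allow RDP only from the private VPN pool, so a
# compromised office PC that is not on the second VPN cannot even reach
# the RDP listener.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'RDP from private VPN pool only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.99.0.0/24' -Action Allow

# --- 4. Moving code in without a trust: a drop share on the private side,
# reachable only over the second VPN and only by a private-forest group.
# Staff push code in from their session on the VPN; nothing on the private
# side needs to initiate connections back toward the primary domain.
New-Item -ItemType Directory -Path 'C:\Drop' -Force | Out-Null
New-SmbShare -Name 'Drop' -Path 'C:\Drop' -FullAccess 'CLIENTDATA\CodeDeployers'
New-NetFirewallRule -DisplayName 'SMB drop share from private VPN pool only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress '10.99.0.0/24' -Action Allow
```

Patching and backups can follow the same pattern: keep the update source and the backup target inside the private zone, or permit only the specific outbound flows they need from the private zone, so that no inbound path from the primary domain into the private network is ever opened by those services.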