
Why VPN in firewalls?
Where should the VPN Gateway go?
In LAN-to-LAN or Host-to-LAN scenarios, the VPN gateway (also called the security gateway) may be placed in several different locations in relation to your border router and your firewall:
- Outside the firewall, in-line
- Outside the firewall, on the external network
- Between the firewall and the internal network
- On the internal network
- In a separate DMZ (Demilitarized Zone)
- Incorporated in the firewall itself
Each scenario has its distinct benefits and drawbacks. Issues that need to be considered include:
- Can the firewall protect the security gateway and log attempted attacks on it?
- Does the configuration support roaming clients?
- Can the firewall inspect and log traffic passing in and out of the VPN?
- Does the configuration add points of failure to the Internet connection?
- In cases where the VPN gateway is located outside the firewall, can the firewall distinguish VPN-protected traffic from plaintext Internet traffic, so that it knows what to pass through to the internal network?
- Does it need additional configuration of the firewall or hosts participating in the VPN?

Outside the Firewall, In-line
Benefits
- Supports roaming clients, although with difficulty
- No special routing information is needed in the firewall
- The firewall can inspect and log plaintext from the VPN
Drawbacks
- The Security Gateway is not protected by the firewall
- The firewall cannot easily determine which traffic came through an authenticated VPN and which came from the Internet, especially in the case of roaming clients
- Internet connectivity depends on the Security Gateway

Outside the Firewall, on the External Network
Benefits
- Internet connectivity does not depend on the Security Gateway
- The firewall can inspect and log plaintext from the VPN
Drawbacks
- The Security Gateway is not protected by the firewall
- The firewall cannot easily determine which traffic came through an authenticated VPN and which came from the Internet, unless the border router can be trusted to do extensive filtering
- Special routing information is needed in the firewall
- Support for roaming clients is nearly impossible

Between the Firewall and the Internal Network
Benefits
- Supports roaming clients
- No special routing information is needed in the firewall
- The firewall can protect the Security Gateway
Drawbacks
- The firewall cannot inspect or log plaintext from the VPN
- Internet connectivity depends on the Security Gateway
This configuration provides fairly good functionality. However, the fact that the firewall cannot inspect the plaintext traffic may prove to be a big problem. VPN traffic should not normally be treated as an integrated part of the internal network.

On the Internal Network
Benefits
- The firewall can protect the Security Gateway
- Internet connectivity does not depend on the Security Gateway
Drawbacks
- The firewall cannot inspect or log plaintext from the VPN
- Special routes need to be added to the firewall, or to all internal clients participating in the VPN
- Support for roaming clients is very hard to achieve

In a separate DMZ
Benefits
- The firewall can protect the Security Gateway
- Internet connectivity does not depend on the Security Gateway
- The firewall can inspect and log plaintext from the VPN
Drawbacks
- Special routes need to be added to the firewall
- Support for roaming clients is very hard to achieve
This configuration provides good functionality and security for LAN-to-LAN scenarios. The firewall can protect the security gateway, and it can inspect and log plaintext from the VPN.
The only real drawback is that support for roaming clients is very hard to achieve, since the firewall has no static route that sends traffic for roaming clients, whose IP addresses change, through the Security Gateway.
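The contrast between the gateway on the external network (where the firewall cannot tell VPN traffic from Internet traffic) and the gateway in a separate DMZ (where it can, but needs a special route) is easiest to see in a concrete policy. The following toy packet filter is an added example, not code from this page or from Clavister; all addresses, interface names (wan, dmz), rule sets and routes are constructed for illustration, and the filter semantics (first match wins, default drop) are an assumption rather than any particular product's behaviour.

```python
# Added example: a toy interface-aware packet filter that models two of the
# security-gateway placements discussed on the page. Every address, interface
# name and rule below is constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the firewall receives the packet on ("wan", "dmz", "lan")
    src: str
    dst: str
    proto: str  # "esp", "udp/500", "tcp/445", ...


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str    # "*" matches any interface
    src_net: str  # CIDR; "0.0.0.0/0" matches any address
    dst_net: str
    proto: str    # "*" matches any protocol
    action: str   # "accept" or "drop"
    log: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every field of the rule."""
    return (
        rule.iface in ("*", pkt.iface)
        and rule.proto in ("*", pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_net)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst_net)
    )


def filter_packet(rules, pkt):
    """First matching rule wins; default policy is drop.
    Returns (action, log_line); log_line is None when the matching rule does not log."""
    for rule in rules:
        if matches(rule, pkt):
            line = f"{rule.name}: {pkt.iface} {pkt.src}->{pkt.dst} {pkt.proto} {rule.action}"
            return rule.action, (line if rule.log else None)
    return "drop", f"default-drop: {pkt.iface} {pkt.src}->{pkt.dst} {pkt.proto}"


def next_hop(routes, dst):
    """Longest-prefix static route lookup; None means the firewall has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else None


# Constructed addressing: local site, remote site reached over the VPN, gateway in the DMZ.
INTERNAL = "10.0.0.0/16"
REMOTE_LAN = "10.20.0.0/16"
GATEWAY_DMZ_ADDR = "198.51.100.10/32"

# Gateway on the external network: decrypted packets reach the firewall on the
# same interface as raw Internet traffic, so the only handle the firewall has
# is the source address, which an Internet host can forge.
EXTERNAL_PLACEMENT = [
    Rule("vpn-in", "wan", REMOTE_LAN, INTERNAL, "*", "accept", log=True),
]

# Gateway in a separate DMZ: encrypted IKE/ESP is forwarded to the gateway
# through the firewall (and logged), decrypted traffic re-enters on "dmz",
# and anything on "wan" claiming a remote-LAN address is known to be forged.
DMZ_PLACEMENT = [
    Rule("ike-to-gw", "wan", "0.0.0.0/0", GATEWAY_DMZ_ADDR, "udp/500", "accept", log=True),
    Rule("esp-to-gw", "wan", "0.0.0.0/0", GATEWAY_DMZ_ADDR, "esp", "accept", log=True),
    Rule("vpn-in", "dmz", REMOTE_LAN, INTERNAL, "*", "accept", log=True),
    Rule("anti-spoof", "wan", REMOTE_LAN, "0.0.0.0/0", "*", "drop", log=True),
]

# The "special route" the DMZ placement needs: the remote LAN is reached via the gateway.
DMZ_ROUTES = {REMOTE_LAN: "198.51.100.10"}


if __name__ == "__main__":
    forged = Packet("wan", "10.20.0.5", "10.0.0.7", "tcp/445")       # Internet packet, forged source
    genuine = Packet("dmz", "10.20.0.5", "10.0.0.7", "tcp/445")      # same flow after decryption
    probe = Packet("wan", "203.0.113.9", "198.51.100.10", "tcp/22")  # direct access attempt on the gateway
    print("external placement, forged :", filter_packet(EXTERNAL_PLACEMENT, forged))
    print("dmz placement, forged      :", filter_packet(DMZ_PLACEMENT, forged))
    print("dmz placement, genuine     :", filter_packet(DMZ_PLACEMENT, genuine))
    print("dmz placement, gw probe    :", filter_packet(DMZ_PLACEMENT, probe))
    print("route to remote LAN via    :", next_hop(DMZ_ROUTES, "10.20.3.4"))
```

In the external placement the forged packet is accepted and logged as "vpn-in", which is exactly the ambiguity the page describes: only upstream ingress filtering on the border router could reject it. In the DMZ placement the same packet hits the anti-spoof rule because genuine VPN traffic can only arrive on the dmz interface, the firewall logs both the IKE/ESP exchanges and anything else aimed at the gateway, and the static route for the remote LAN is what makes the configuration work; a roaming client with a changing address has no prefix to put in that route table, which is the drawback listed above.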

Incorporated in the Firewall
Benefits
- The firewall can protect the Security Gateway subsystem
- The firewall can inspect and log plaintext from the VPN
- Supports roaming clients
- No special routes need to be added to hosts participating in the VPN
- Can seamlessly integrate VPN and firewall policies
Drawbacks
- The integrated Security Gateway may make the firewall less stable. However, it does not add another piece of hardware to the chain of points that may fail.
This solution provides the highest degree of functionality and security. All normal modes of operation are supported, and all traffic may be inspected and logged by the firewall.
The Clavister Firewall IPsec VPN module is integrated in the firewall itself, providing the above functionality.