The reason for not putting the VPN in front of the firewall is that users behind the firewall and VPN would not have any access to the Internet. Since the VPN encrypts everything that passes through it, the users behind the VPN would only have access to other sites within the virtual network. If that is what you are trying to achieve, there is nothing wrong with that configuration. On the other hand, if you would like your users to be able to access the Internet and be able to connect back to a home office via VPN, the placement I show is one way to do that. If you still want the decrypted traffic to flow through the firewall, which is not a bad idea for exactly the reasons you point out, you could change the diagram to show the line that now goes from the VPN box to the internal network router, to instead go from the VPN box to the firewall.

My diagram suggests an intrusion detection system to be placed such that all traffic (including VPN traffic) is monitored. There is nothing wrong with using a firewall instead of, or in addition to, the IDS.

Another alternative is to have a single access point to the Internet so that all users, no matter where they are located, must connect back to the central location via the VPN and then go out to the Internet through a firewall at that location. That would be the case for the configuration you suggest. The reason for doing this is to have a single central place for control. The drawback is that remote users can have much slower Internet access, and you have a single point of failure for the entire company's access to the Internet.

As I stated in the original answer, the picture I presented is a very simplistic view of the network. There are many situations that could warrant different placement of the various components (i.e., VPN, firewall, IDS, etc.). A single picture cannot begin to show every answer. Hence the advice to have a security professional work with your network engineers to develop the solution that best meets your users' security and usability requirements.
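The two placements the answer contrasts come down to which destinations the VPN client routes into the tunnel: with a full tunnel every packet is encrypted toward the home office (so Internet access exists only if the central site provides it, with the slower-access and single-point-of-failure drawbacks noted above), while with a split tunnel only the internal ranges are encrypted and everything else leaves through the local firewall. The following is an added illustration, not code from the original answer or from TechTarget; it models a WireGuard-style `AllowedIPs` route set with Python's standard `ipaddress` module. The home-office prefixes, the sample destinations, and the placeholder key and endpoint in the rendered peer section are all constructed for the example.

```python
"""
Added example (not part of the original answer): decide which destinations a
VPN client sends through the encrypted tunnel, for a full tunnel versus a
split tunnel, and render the matching WireGuard-style [Peer] section.
All prefixes, addresses, keys and endpoints here are constructed placeholders.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample: the home-office ranges reachable over the virtual network.
HOME_OFFICE_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]


def build_allowed_ips(full_tunnel: bool, internal_prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Full tunnel: 0.0.0.0/0 pulls every packet into the VPN, so the only
    path to the Internet is the firewall at the central site.
    Split tunnel: only the internal prefixes are encrypted; all other traffic
    uses the local firewall at the user's site."""
    if full_tunnel:
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(p) for p in internal_prefixes]


def via_tunnel(dst: str, allowed: List[ipaddress.IPv4Network]) -> bool:
    """True if dst falls inside any tunnel route. Every allowed prefix leads to
    the same tunnel, so a single match is enough; no tie-breaking is needed."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed)


def classify_flows(dsts: Iterable[str], full_tunnel: bool) -> Dict[str, str]:
    """Map each destination to 'tunnel' (encrypted, seen only by the central
    firewall/IDS after decryption) or 'local-firewall' (cleartext at the
    user's own site)."""
    allowed = build_allowed_ips(full_tunnel, HOME_OFFICE_PREFIXES)
    return {d: ("tunnel" if via_tunnel(d, allowed) else "local-firewall") for d in dsts}


def render_wireguard_peer(full_tunnel: bool) -> str:
    """Render the [Peer] block of a WireGuard client config for the chosen mode.
    PublicKey and Endpoint are placeholders, not real values."""
    allowed = ", ".join(str(n) for n in build_allowed_ips(full_tunnel, HOME_OFFICE_PREFIXES))
    return (
        "[Peer]\n"
        "PublicKey = <home-office-public-key>\n"   # placeholder
        "Endpoint = vpn.example.invalid:51820\n"   # placeholder
        f"AllowedIPs = {allowed}\n"
    )


if __name__ == "__main__":
    # Constructed sample destinations: one internal host, one public web server.
    sample = ["10.1.2.3", "93.184.216.34"]
    for mode in (True, False):
        label = "full tunnel" if mode else "split tunnel"
        print(f"== {label} ==")
        for dst, path in classify_flows(sample, full_tunnel=mode).items():
            print(f"  {dst:>15} -> {path}")
        print(render_wireguard_peer(mode))
```

Run as a script, the full-tunnel case routes both the internal host and the public address into the tunnel, which is exactly the "users behind the VPN would only have access to other sites within the virtual network" situation unless the central firewall forwards them onward; the split-tunnel case sends only the 10.0.0.0/8 host through the VPN and lets the public address leave via the local firewall, so the local firewall and IDS still see that traffic in the clear.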