Your diagram for placement of security devices (see diagram and corresponding Q&A here)
that has the VPN bypassing the firewall leaves something to be desired.
While I've seen this configuration, most security professionals these days
feel this is incorrect and that all traffic should flow through the
firewall. Place the VPN in front of the firewall, or pull VPN traffic directly into
the separate DMZ with the VPN endpoint device located there.
Why intentionally bypass the firewall? You usually cannot restrict
access/protocols within the VPN tunnel, but the firewall can limit access and
have a central log of all activity.
The reason for not putting the VPN in front of the firewall is that users
behind the firewall and VPN would not have any access to the Internet.
Since the VPN encrypts everything that passes through it, the users
behind the VPN would only have access to other sites within the virtual
network. If that is what you are trying to achieve, there is nothing wrong
with that configuration.
On the other hand, if you would like your users to be able to access the
Internet and be able to connect back to a home office via VPN, the
I show is one way to do that. If you still want the decrypted traffic to
the firewall, which is not a bad idea for exactly the reasons you point out,
could change the diagram to show the line that now goes from the VPN box
to the internal network router, to instead go from the VPN box to the
My diagram suggests an intrusion detection system to be placed such that
all traffic (including VPN traffic) is monitored. There is nothing wrong
using a firewall instead of, or in addition to, the IDS.
Another alternative is to have a single access
point to the Internet so that all users, no matter where they are located, must
back to the central location via the VPN and then go out to the Internet
a firewall at that location. That would be the case for the configuration
The reason for doing this is to have a single central place for control. The
is that remote users can have much slower Internet access, and you have a
single point of failure for the entire company's access to the Internet.
As I stated in the original answer, the picture I presented is a very
view of the network. There are many situations that could warrant different
placement of the various components (i.e., VPN, firewall, IDS, etc.). A
picture cannot begin to show every answer. Hence, the advice to have a
security professional work with your network engineers to develop the
solution that best meets your users' security and usability requirements.
This was first published in September 2001