I am setting up a Cisco Dynamic Multipoint VPN (DMVPN). If the routers facing the Internet are only allowed to talk to their IPsec peer using the IPsec, ISAKMP and GRE tunneling protocols, is a firewall needed between the device and the Internet? If so, what is the firewall inspecting? Is it inspecting the IPsec packets going out on the physical interface?
Cisco's Dynamic Multipoint VPN (DMVPN) product allows you to easily configure site-to-site VPNs across WAN connections. In the scenario you describe, where the routers are only serving as DMVPN endpoints and are locked down to that traffic profile, you probably don't need to bother with an additional firewall between the router and the Internet. If you placed a firewall in front of the device, it would provide you with an additional layer of filtering, but these restrictions would duplicate those already in place on the router. The only advantage of such a device would be the limitation of source addresses that may initiate a VPN connection to your router. This is something that can be configured through the router's security policy instead. I would suggest that you use a port scanner like
to verify that your router configuration properly limits external access.
You may wish to consider placing a firewall between the router and the internal network, depending upon the degree of trust you place in the remote endpoints. This configuration would allow for VPN traffic inspection after the data is decrypted by the router and before it enters your internal network. Additionally, it would provide you with granular control over the destinations and services reachable through the VPN.
Mike Chapple reveals some facts about IPsec VPNs that many security professionals may not want to hear.
Learn more about Ipseccmd, a command-line tool that manages IPsec policy and filtering rules.
Dig deeper on IPsec VPN Security
Social media compliance is not typically considered a big issue for companies, but expert Mike Chapple explains why it should be.continue reading
Metadata tagging is not just for security. Expert Mike Chapple explains how tagging tools can be used to achieve PCI DSS compliance.continue reading
Before using the HIPAA-compliant cloud services from Google, there are some things companies need to know, according to expert Mike Chapple.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.