DMVPN configuration: Should a firewall be between router and Internet?

DMVPN configuration: Should a firewall be between router and Internet?

I am setting up a Cisco Dynamic Multipoint VPN (DMVPN). If the routers facing the Internet are only allowed to talk to their IPsec peer using the IPsec, ISAKMP and GRE tunneling protocols, is a firewall needed between the device and the Internet? If so, what is the firewall inspecting? Is it inspecting the IPsec packets going out on the physical interface?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Cisco's Dynamic Multipoint VPN (DMVPN) product allows you to easily configure site-to-site VPNs across WAN connections. In the scenario you describe, where the routers are only serving as DMVPN endpoints and are locked down to that traffic profile, you probably don't need to bother with an additional firewall between the router and the Internet. If you placed a firewall in front of the device, it would provide you with an additional layer of filtering, but these restrictions would duplicate those already in place on the router. The only advantage of such a device would be the limitation of source addresses that may initiate a VPN connection to your router. This is something that can be configured through the router's security policy instead. I would suggest that you use a port scanner like Nmap to verify that your router configuration properly limits external access.

You may wish to consider placing a firewall between the router and the internal network, depending upon the degree of trust you place in the remote endpoints. This configuration would allow for VPN traffic inspection after the data is decrypted by the router and before it enters your internal network. Additionally, it would provide you with granular control over the destinations and services reachable through the VPN.

More information:

  • Mike Chapple reveals some facts about IPsec VPNs that many security professionals may not want to hear.
  • Learn more about Ipseccmd, a command-line tool that manages IPsec policy and filtering rules.

    • This was first published in March 2008