I am setting up a Cisco Dynamic Multipoint VPN (DMVPN). If the routers facing the Internet are only allowed to talk to their IPsec peer using the IPsec, ISAKMP and GRE tunneling protocols, is a firewall needed between the device and the Internet? If so, what is the firewall inspecting? Is it inspecting the IPsec packets going out on the physical interface?
Cisco's Dynamic Multipoint VPN (DMVPN) product allows you to easily configure site-to-site VPNs across WAN connections. In the scenario you describe, where the routers are only serving as DMVPN endpoints and are locked down to that traffic profile, you probably don't need to bother with an additional firewall between the router and the Internet. If you placed a firewall in front of the device, it would provide you with an additional layer of filtering, but these restrictions would duplicate those already in place on the router. The only advantage of such a device would be the limitation of source addresses that may initiate a VPN connection to your router. This is something that can be configured through the router's security policy instead. I would suggest that you use a port scanner like
to verify that your router configuration properly limits external access.
You may wish to consider placing a firewall between the router and the internal network, depending upon the degree of trust you place in the remote endpoints. This configuration would allow for VPN traffic inspection after the data is decrypted by the router and before it enters your internal network. Additionally, it would provide you with granular control over the destinations and services reachable through the VPN.
Mike Chapple reveals some facts about IPsec VPNs that many security professionals may not want to hear.
Learn more about Ipseccmd, a command-line tool that manages IPsec policy and filtering rules.
Dig deeper on IPsec VPN Security
The HHS security risk assessment tool is designed to help healthcare providers meet the HIPAA security requirement. Expert Mike Chapple explains how ...continue reading
PCI DSS requirement 6.6 demands application security compliance through one of two options: an application firewall or a code review. Expert Mike ...continue reading
Are HIPAA-compliant hosting services a better option for compliance than a secure storage API? Expert Mike Chapple analyzes.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.