Home > Ask the Security Experts > Network Security Questions & Answers > DMVPN configuration: Is an additional firewall needed between the router and the Internet?
Ask The Security Expert: Questions & Answers
EMAIL THIS

DMVPN configuration: Is an additional firewall needed between the router and the Internet?

Mike Chapple EXPERT RESPONSE FROM: Mike Chapple

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 03 February 2008
I am setting up a Cisco Dynamic Multipoint VPN (DMVPN). If the routers facing the Internet are only allowed to talk to their IPsec peer using the IPsec, ISAKMP and GRE tunneling protocols, is a firewall needed between the device and the Internet? If so, what is the firewall inspecting? Is it inspecting the IPsec packets going out on the physical interface?

>
EXPERT RESPONSE
Cisco's Dynamic Multipoint VPN (DMVPN) product allows you to easily configure site-to-site VPNs across WAN connections. In the scenario you describe, where the routers are only serving as DMVPN endpoints and are locked down to that traffic profile, you probably don't need to bother with an additional firewall between the router and the Internet. If you placed a firewall in front of the device, it would provide you with an additional layer of filtering, but these restrictions would duplicate those already in place on the router. The only advantage of such a device would be the limitation of source addresses that may initiate a VPN connection to your router. This is something that can be configured through the router's security policy instead. I would suggest that you use a port scanner like Nmap to verify that your router configuration properly limits external access.

You may wish to consider placing a firewall between the router and the internal network, depending upon the degree of trust you place in the remote endpoints. This configuration would allow for VPN traffic inspection after the data is decrypted by the router and before it enters your internal network. Additionally, it would provide you with granular control over the destinations and services reachable through the VPN.

More information:

  • Mike Chapple reveals some facts about IPsec VPNs that many security professionals may not want to hear.
  • Learn more about Ipseccmd, a command-line tool that manages IPsec policy and filtering rules.


    • Sound Off! -   Be the first to post a message to Sound Off!


    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Network Security
    Will Cisco's plan to open access to the IOS improve network security?
    Will VoIP attacks result in more than just spam?
    Should enterprises implement a mandatory iPhone VPN?
    Will organizations that lag behind on IPv6 adoption have greater security risks?
    Should iPhone email be sent without SSL encryption?
    How to secure an FTP connection
    Is centralized logging worth all the effort?
    Should an ISP keep corrupted machines off of a network?
    What are the pros and cons of shaping P2P packets?
    Can a firewall alone effectively block port-scanning activity?

    IPSec
    What ports should be opened and closed when IPsec filters are implemented?
    How should the ipseccmd.exe tool be used in Windows Vista?
    Can Trojans and other malware exploit split-tunnel VPNs to infiltrate a network?
    IPsec tunneling: Exploring the security risks
    Should an IT staff be concerned with a network's physical security?
    How expensive are IPsec VPN setup costs?
    Do split-tunneling features make a VPN vulnerable?
    Will securing a wireless LAN make the data link layer vulnerable?
    When Microsoft Vista and VPNs don't mix
    What are the benefits of a tunnelless VPN?
    IPSec Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    Internet Key Exchange  (SearchSecurity.com)
    IPsec  (SearchSecurity.com)
    network encryption  (SearchSecurity.com)
    virtual private network  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts