
Bypassing the firewall

Your diagram for placement of security devices (see diagram and corresponding Q&A here) that has the VPN bypassing the firewall leaves something to be desired.

While I've seen this configuration, most security professionals these days feel this is incorrect and that all traffic should flow through the firewall. Place the VPN in front of the firewall, or pull VPN traffic directly into the separate DMZ with the VPN endpoint device located there.

Why intentionally bypass the firewall? You usually cannot restrict access/protocols within the VPN tunnel, but the firewall can limit access and have a central log of all activity.

The reason for not putting the VPN in front of the firewall is that users behind the firewall and VPN would not have any access to the Internet. Since the VPN encrypts everything that passes through it, the users behind the VPN would only have access to other sites within the virtual network. If that is what you are trying to achieve, there is nothing wrong with that configuration.

On the other hand, if you would like your users to be able to access the Internet and be able to connect back to a home office via VPN, the placement I show is one way to do that. If you still want the decrypted traffic to flow through the firewall, which is not a bad idea for exactly the reasons you point out, you could change the diagram to show the line that now goes from the VPN box to the internal network router, to instead go from the VPN box to the firewall.

My diagram suggests an intrusion detection system to be placed such that all traffic (including VPN traffic) is monitored. There is nothing wrong with using a firewall instead of, or in addition to, the IDS.

Another alternative is to have a single access point to the Internet so that all users, no matter where they are located, must connect back to the central location via the VPN and then go out to the Internet through a firewall at that location. That would be the case for the configuration you suggest. The reason for doing this is to have a single central place for control. The drawback is that remote users can have much slower Internet access, and you have a single point of failure for the entire company's access to the Internet.

As I stated in the original answer, the picture I presented is a very simplistic view of the network. There are many situations that could warrant different placement of the various components (i.e., VPN, firewall, IDS, etc.). A single picture cannot begin to show every answer. Hence, the advice to have a security professional work with your network engineers to develop the solution that best meets your users' security and usability requirements.
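The point both sides of this exchange agree on is that once the decrypted VPN traffic is routed through the firewall, the firewall can do what the tunnel itself cannot: restrict which internal hosts and protocols remote users reach, and write every decision to a central log. The nftables ruleset below is an added illustration of that idea and is not part of the original Q&A or any product's documentation. It assumes the VPN endpoint hands decrypted traffic to the firewall on an interface named `vpn0`, that remote clients are assigned addresses from `10.200.0.0/24`, and that the only internal services they need are an HTTPS application server at `10.10.1.20` and a DNS resolver at `10.10.1.53`; all of those names and addresses are constructed for the example.

```nftables
# Constructed example: firewall policy applied to decrypted VPN traffic that
# the VPN endpoint forwards into the firewall. Interface name, client pool and
# internal server addresses are assumptions, not values from the page.
table inet vpn_policy {
    set remote_users {
        type ipv4_addr
        flags interval
        # Address pool handed out to VPN clients (assumed).
        elements = { 10.200.0.0/24 }
    }

    chain forward {
        # Default-deny: anything not explicitly permitted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies for sessions already permitted continue; malformed state is logged and dropped.
        ct state established,related accept
        ct state invalid log prefix "vpn-invalid " drop

        # Decrypted tunnel traffic may only reach the internal application server over HTTPS...
        iifname "vpn0" ip saddr @remote_users ip daddr 10.10.1.20 tcp dport 443 log prefix "vpn-allow-https " accept

        # ...and the internal resolver over DNS.
        iifname "vpn0" ip saddr @remote_users ip daddr 10.10.1.53 udp dport 53 accept

        # Everything else arriving from the tunnel is logged with a distinct prefix
        # so the central log collector can flag unexpected protocols or destinations.
        iifname "vpn0" log prefix "vpn-denied " drop
    }
}
```

Loaded with `nft -f`, this gives the firewall the role the questioner wanted: the tunnel still carries whatever the client sends, but only the two permitted services are forwarded, and both the allowed HTTPS sessions and every denied attempt appear in the kernel log under searchable prefixes that a syslog forwarder can ship to the central log server.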

This was last published in September 2001
