VPN termination

 

VPN termination
Tom Lancaster

You have to make several decisions when you design a secure VPN. One of those is where in the network, logically, you will terminate the VPN tunnels. This question is most often discussed relative to the placement of your other firewalls. For instance, should my VPN tunnel terminate before the firewall, after the firewall, or in a DMZ?

To understand the problem, consider that if you terminate your VPN inside the firewall, you must allow encrypted traffic through the firewall. Since it's encrypted, your firewall has no way to know what type of traffic is inside the tunnel; the best it can do is tell you where the tunnel originated. This would be a problem if that tunnel terminated on a user's home computer, sitting on some broadband Internet connection. That PC could be compromised, and then an attacker could send unwelcome traffic through the tunnel into your internal network.

A better option is to terminate the tunnel outside the firewall. This gives the firewall a chance to inspect all traffic, even traffic that was previously encrypted. The problem with this is that you must decrypt your traffic while it's still on an unprotected network, which means that potentially, an attacker could view the data in flight.

A third option is to terminate the VPN in a DMZ. A DMZ is a network that sits between your internal network and the Internet. Usually, a screening router or another

    Requires Free Membership to View

    Login

firewall protects it. This offers the best of both worlds: it allows your firewall to inspect all traffic before it enters the internal network, and it offers some protection to the data after it is decrypted. Of course, the downside is it can cost a little more and it's a little more complex, which makes it harder to troubleshoot, but such is the cost of security.

Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in April 2002

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top