You have to make several decisions when you design a secure VPN. One of those is where in the network, logically, you will terminate the VPN tunnels. This question is most often discussed relative to the placement of your other firewalls. For instance, should my VPN tunnel terminate before the firewall, after the firewall, or in a DMZ?
To understand the problem, consider that if you terminate your VPN inside the firewall, you must allow encrypted traffic through the firewall. Since it's encrypted, your firewall has no way to know what type of traffic is inside the tunnel; the best it can do is tell you where the tunnel originated. This would be a problem if that tunnel terminated on a user's home computer, sitting on some broadband Internet connection. That PC could be compromised, and then an attacker could send unwelcome traffic through the tunnel into your internal network.
A better option is to terminate the tunnel outside the firewall. This gives the firewall a chance to inspect all traffic, even traffic that was previously encrypted. The problem with this is that you must decrypt your traffic while it's still on an unprotected network, which means that potentially, an attacker could view the data in flight.
A third option is to terminate the VPN in a DMZ. A DMZ is a network that sits between your internal network and the Internet. Usually, a screening router or another firewall protects it. This offers the best of both worlds: it allows your firewall to inspect all traffic before it enters the internal network, and it offers some protection to the data after it is decrypted. Of course, the downside is it can cost a little more and it's a little more complex, which makes it harder to troubleshoot, but such is the cost of security.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.