Home > Ask the Security Experts > Network Security Questions & Answers > DMVPN configuration: Is an additional firewall needed between the router and the Internet?
Ask The Security Expert: Questions & Answers
EMAIL THIS

DMVPN configuration: Is an additional firewall needed between the router and the Internet?

Mike Chapple EXPERT RESPONSE FROM: Mike Chapple

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 03 February 2008
I am setting up a Cisco Dynamic Multipoint VPN (DMVPN). If the routers facing the Internet are only allowed to talk to their IPsec peer using the IPsec, ISAKMP and GRE tunneling protocols, is a firewall needed between the device and the Internet? If so, what is the firewall inspecting? Is it inspecting the IPsec packets going out on the physical interface?

>
EXPERT RESPONSE
Cisco's Dynamic Multipoint VPN (DMVPN) product allows you to easily configure site-to-site VPNs across WAN connections. In the scenario you describe, where the routers are only serving as DMVPN endpoints and are locked down to that traffic profile, you probably don't need to bother with an additional firewall between the router and the Internet. If you placed a firewall in front of the device, it would provide you with an additional layer of filtering, but these restrictions would duplicate those already in place on the router. The only advantage of such a device would be the limitation of source addresses that may initiate a VPN connection to your router. This is something that can be configured through the router's security policy instead. I would suggest that you use a port scanner like Nmap to verify that your router configuration properly limits external access.

You may wish to consider placing a firewall between the router and the internal network, depending upon the degree of trust you place in the remote endpoints. This configuration would allow for VPN traffic inspection after the data is decrypted by the router and before it enters your internal network. Additionally, it would provide you with granular control over the destinations and services reachable through the VPN.

More information:

  • Mike Chapple reveals some facts about IPsec VPNs that many security professionals may not want to hear.
  • Learn more about Ipseccmd, a command-line tool that manages IPsec policy and filtering rules.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Network Security
    What are the differences between intrusion detection and intrusion prevention?
    Will there be DMZ routing issues if several firewalls serve as the default gateway?
    Should tunnel connections be initiated from an ISP to a internal data center, or vice versa?
    What are the top LAN security issues in a client-server network environment?
    What warning signs will indicate the presence of a P2P botnet?
    What reporting tools are available for an enterprise IDS?
    Is it possible to allow select access to IP addresses using Windows Server 2003?
    Is an IPsec VPN necessary when connecting remote servers that process financial transactions?
    What are best practices for creating an IDS and maintaining a signature database?
    What are the best ways to hide system information from network scanning software?

    IPSec
    VoIP tools, attacks could increase threat
    Is an IPsec VPN necessary when connecting remote servers that process financial transactions?
    What ports should be opened and closed when IPsec filters are implemented?
    How should the ipseccmd.exe tool be used in Windows Vista?
    Can Trojans and other malware exploit split-tunnel VPNs to infiltrate a network?
    IPsec tunneling: Exploring the security risks
    Should an IT staff be concerned with a network's physical security?
    How expensive are IPsec VPN setup costs?
    Do split-tunneling features make a VPN vulnerable?
    Will securing a wireless LAN make the data link layer vulnerable?
    IPSec Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    Internet Key Exchange  (SearchSecurity.com)
    IPsec  (SearchSecurity.com)
    network encryption  (SearchSecurity.com)
    virtual private network  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts