• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 269
  • Last Modified:

Firewall and VPN concentrator selection and design

Hi Folks,  

I'm looking for some insight into best practices for firewall and VPN concentrator design.  Should the concentrator be placed inside or outside the external firewall?

Does anyone have views on "best" firewalls to support ~500 user network, with hot failover, ease of configuration/maintenance, performance, reliability etc.  IDS/IPS/VPN support not required....

Thanks in advance.
1 Solution
Check out watchguard with the X peak series, they offer a firewall / vpn appliance with hot failover, which is easy to configure and has a visual interface.


Ideally each Interface should be in it's own DMZ.  i.e. External interface with a NAT'd External address and Internal interface (you can use it's real address for Internal communication).

Depending on what VPN applicance you are using there is a considerable argument to say that the External interface does not have to be behind the Firewall, just the Internal Interface, so long as the External device is locked down to ony accept traffic on the appropriate ports.  Of course, there is also about the same weight of argument for putting this Interface behind the Firewall, it's all down to your preference.
I use Cisco ASA's that act as the external firewall and the VPN. 5510's and higher have active failover.
davystocksAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now