
VPN

kajumblies
Under what circumstances would a firewall need to be installed at the endpoint of a VPN connection?

In all cases unless you've added security to a "private" link.
Usually it's the same device.

Or, maybe I don't understand what you're doing.

Usually, standalone VPN devices are also blocking devices which act as a good firewall.  They don't have to support ANY traffic other than through the tunnels.

If the VPN device isn't standalone then it's likely the internet gateway device for the LAN as well.  So, generally it's a good firewall with all sorts of traffic-handling features.

Examples:
1) SSG-5s at each end connected to the internet.  They can also be the VPN devices.  End of story.

2) SSG-5s as the internet gateways.  RV042s as the standalone VPN devices (with their own public IP addresses).  In this case the SSG-5 is the normal internet interface firewall and the RV042 is the VPN device / blocking firewall for everything else.

What I can't imagine doing is this .. using the above boxes in the example:
Set up the RV042s for the VPN followed by the SSG-5s as a "firewall" behind them.
Then you'd have to figure out how the internet gateway would be implemented, would possibly have double NAT, etc. etc.  I can't design such a thing in my head very readily.

Author

Commented:
I know that normally it is the same device, but is there ever a time that putting a separate firewall on the endpoint of the VPN endpoint is needed?

Author

Commented:
Figured it out, thanks for the quick reply.