VPNs and Firewalls
With the VPN server in front of the firewall attached to the Internet, as shown in the figure below, you need to add packet filters to the Internet interface that allow only VPN traffic to and from the IP address of the VPN server's interface on the Internet.

For inbound traffic, when the tunneled data is decrypted by the VPN server it is forwarded to the firewall, which applies its filters to decide whether the traffic may be forwarded to intranet resources. Because the only traffic that crosses the VPN server is traffic generated by authenticated VPN clients, firewall filtering in this scenario can be used to prevent VPN users from accessing specific intranet resources.

Because the only Internet traffic allowed onto the intranet must pass through the VPN server, this approach also prevents the sharing of File Transfer Protocol (FTP) or Web intranet resources with non-VPN Internet users.

In a more common configuration, illustrated in the next figure, the firewall is connected to the Internet and the VPN server is another intranet resource connected to a demilitarized zone (DMZ). The DMZ is an IP network segment that typically contains resources available to Internet users, such as Web servers and FTP servers. The VPN server has an interface on the DMZ and an interface on the intranet.

In this approach, the firewall must be configured with input and output filters on its Internet interface to allow the passing of tunnel maintenance traffic and tunneled data to the VPN server. Additional filters can allow the passing of traffic to Web servers, FTP servers, and other types of servers on the DMZ.

Because the firewall does not have the encryption keys for each VPN connection, it can only filter on the plaintext headers of the tunneled data, meaning that all tunneled data passes through the firewall. However, this is not a security concern because the VPN connection requires an authentication process that prevents unauthorized access beyond the VPN server.
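The following is an added example, not part of the original article, that models the two filter sets described above as a minimal first-match, default-deny packet filter. It covers both placements: the VPN server's own Internet interface (VPN server in front of the firewall) and the firewall's Internet interface when the VPN server sits on the DMZ. The article names no specific tunnel protocols, so the example assumes PPTP (TCP 1723 for tunnel maintenance, GRE for tunneled data) and L2TP/IPsec (UDP 500 for IKE, ESP for tunneled data); the addresses are constructed from reserved documentation ranges. It also shows why the firewall "can only filter on the plaintext headers": the ESP and GRE rules match on protocol and address alone, because nothing else about the tunneled payload is visible.

```python
"""Stateless packet-filter model for the two VPN/firewall placements.

Added example: not code from the original article. Assumed (not on the page):
PPTP = TCP 1723 + GRE, L2TP/IPsec = UDP 500 + ESP. All addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

VPN_SERVER_INTERNET_IP = "198.51.100.10"   # constructed (TEST-NET-2)
WEB_SERVER_DMZ_IP = "198.51.100.20"        # constructed
FTP_SERVER_DMZ_IP = "198.51.100.21"        # constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "gre" or "esp"
    dport: Optional[int] = None  # only meaningful for tcp/udp
    sport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any value for that field
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = (
            (self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst),
            (self.dport, pkt.dport), (self.sport, pkt.sport),
        )
        return all(want is None or want == have for want, have in pairs)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def vpn_tunnel_rules(vpn_ip: str) -> List[Rule]:
    """Filters for the interface facing the Internet when the VPN server is in
    front of the firewall: only tunnel maintenance and tunneled data to and
    from the VPN server's own Internet address is permitted."""
    return [
        # Inbound: Internet -> VPN server
        Rule("allow", "tcp", dst=vpn_ip, dport=1723),  # PPTP tunnel maintenance
        Rule("allow", "gre", dst=vpn_ip),              # PPTP tunneled data (header only)
        Rule("allow", "udp", dst=vpn_ip, dport=500),   # IKE for L2TP/IPsec
        Rule("allow", "esp", dst=vpn_ip),              # IPsec tunneled data (header only)
        # Outbound: VPN server -> Internet
        Rule("allow", "tcp", src=vpn_ip, sport=1723),
        Rule("allow", "gre", src=vpn_ip),
        Rule("allow", "udp", src=vpn_ip, sport=500),
        Rule("allow", "esp", src=vpn_ip),
    ]


def firewall_internet_rules(vpn_ip: str, web_ip: str, ftp_ip: str) -> List[Rule]:
    """Filters for the firewall's Internet interface when the VPN server is on
    the DMZ: the same tunnel rules, plus the DMZ's public Web and FTP services
    (FTP control channel only; the data channel is omitted for brevity)."""
    return vpn_tunnel_rules(vpn_ip) + [
        Rule("allow", "tcp", dst=web_ip, dport=80),
        Rule("allow", "tcp", src=web_ip, sport=80),
        Rule("allow", "tcp", dst=ftp_ip, dport=21),
        Rule("allow", "tcp", src=ftp_ip, sport=21),
    ]


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed Internet host (TEST-NET-3)
    front = vpn_tunnel_rules(VPN_SERVER_INTERNET_IP)
    dmz = firewall_internet_rules(VPN_SERVER_INTERNET_IP, WEB_SERVER_DMZ_IP, FTP_SERVER_DMZ_IP)
    print("GRE to VPN server, server in front:", evaluate(front, Packet(client, VPN_SERVER_INTERNET_IP, "gre")))
    print("HTTP to Web server, server in front:", evaluate(front, Packet(client, WEB_SERVER_DMZ_IP, "tcp", dport=80)))
    print("HTTP to Web server, firewall in front:", evaluate(dmz, Packet(client, WEB_SERVER_DMZ_IP, "tcp", dport=80)))
```

Run as a script it prints the decision for a few constructed packets. The first rule set denies the Web request outright, which is the article's point that non-VPN Internet users cannot reach intranet Web or FTP resources when everything must cross the VPN server; the DMZ rule set permits it while still passing ESP and GRE to the VPN server on their outer headers alone.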
Last maintained on Friday, December 18, 2009.