Which one is a better design?

Unanswered Question
Dec 28th, 2007

Objective: Provide site-2-site VPN, remote access VPN and protect servers farm.

Which is a better design? I feel much more comfortable having the VPN concentrator protected by the firewall; however, at the same time, both encrypted and decrypted traffic will have to traverse the firewall twice, which may impact the firewall's performance.

I prefer design_2, but I would like to get comments from the security gurus in this forum. Thanks.


Both designs are good since you are enforcing security for the VPN3K before it hits the internal network. I have seen too many implementations where the VPN3K private interface sits directly on the internal network without passing through a firewall interface. Design 2 is the best since the firewall enforces security on both the public and private interfaces. If you're worried about performance, upgrade to a more robust model on the Checkpoint.

My 2 cents :)

Jon Marshall Sun, 12/30/2007 - 10:44

I would go with design 1.

If you would like to protect the outside interface of the VPN3K then you could add some acl lines to only allow IPSEC/PPTP/L2TP (you pick) to the outside interface of your VPN3K.

One plus point to having the VPN3K alongside the firewall rather than behind it is that you do not have to worry about NAT issues which can present problems with IPSEC.

Key thing as pointed out already is that your private interface is filtered by the firewall before the traffic enters your internal LAN.
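As an added illustration of the ACL suggested above (this is example configuration, not posted by anyone in the thread): in design 1 the VPN3K's public interface sits alongside the firewall rather than behind it, so the only thing in front of it is the Internet-facing router. The extended ACL below, applied inbound on that router's outside interface, admits just the tunnel protocols to the concentrator and drops everything else aimed at it. It assumes a Cisco IOS router, a concentrator public address of 203.0.113.10 (a documentation address chosen for this example) and an outside interface named GigabitEthernet0/0; all three are assumptions to adapt.

```cisco
! Added example, not from the original thread. Assumes a Cisco IOS router in
! front of the VPN3K (design 1); 203.0.113.10 is an assumed documentation
! address standing in for the concentrator's public interface.
ip access-list extended VPN3K-PUBLIC-IN
 remark --- IPsec: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP 50), AH (IP 51) ---
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
 remark --- PPTP: control channel on TCP 1723 plus GRE (IP 47) for the data ---
 permit tcp any host 203.0.113.10 eq 1723
 permit gre any host 203.0.113.10
 remark --- L2TP: UDP 1701 (when run over IPsec it is already inside ESP) ---
 permit udp any host 203.0.113.10 eq 1701
 remark --- anything else addressed to the concentrator is dropped and logged ---
 deny   ip any host 203.0.113.10 log
 remark --- traffic for the firewall's outside interface is untouched here ---
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing interface (assumed name)
 ip access-group VPN3K-PUBLIC-IN in
```

Delete the lines for whichever of IPsec, PPTP or L2TP you do not actually terminate on the VPN3K; the fewer protocols exposed, the better. Keep the NAT-T line (UDP 4500) if any remote-access IPsec clients may sit behind a home or hotel NAT: ESP carries no port numbers for a PAT device to translate, which is exactly the IPsec-through-NAT problem the reply mentions, and NAT-T is what works around it. The final `deny ... log` line gives you a record of unexpected probes against the concentrator; the trailing `permit ip any any` leaves filtering of traffic to the firewall's own outside interface to the firewall, as in the design.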
