Cisco Support Community

New Member

Is Firewall needed with IP VPN

For a network that is connected to the internet via an IP VPN service, is a firewall still needed?


Re: Is Firewall needed with IP VPN

When you say IP VPN service, is it a managed internet service (VPN) where multiple offices connect via VPN?

Adding a firewall is always a good idea, because even with IP VPN service, you are still attached to a service provider's core and it also doesn't mean attacks could come from anywhere within the service provider's cloud. Plus, you can also enforce outbound firewall rules, so that you can restrict what each user can access. You could additionally use a firewall like PIX and Websense for URL filtering. This will also help log what URLs are accessed by each user. If you have public-accessible servers (Web, mail etc.), even those servers can be put in a DMZ isolated interface of the firewall and you won't have to worry about security breaches into your DMZ affecting your internal network.

Hall of Fame Super Silver

Re: Is Firewall needed with IP VPN


I very much agree with the points made by Sankar. An IPSec VPN only provides protection for the traffic that is being transmitted through the VPN. It provides no protection against any other traffic that might be received. I have deployed many VPN routers where we provide protection against other traffic. I am surprised sometimes at the amount of other traffic, which includes probes of the network and things that are likely attack attempts, which we detect and discard at the edge of the remote network.

Depending on how the VPN is terminated (on an Internet facing router, or a concentrator or other device behind the edge of the remote network) the firewall might be positioned between the VPN termination and the remote network, in which case it will see all of the traffic and be able to evaluate it. Or the firewall might be between the VPN termination and the remote network edge, in which case it will see the IPSec traffic but not be able to evaluate it, while it can evaluate all other traffic.
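As an added illustration of the first placement described above (the VPN terminating on the Internet-facing router, with non-VPN traffic filtered and logged at that edge), here is an IOS configuration fragment. It is not configuration from this thread; the addresses 198.51.100.5 and 203.0.113.10 and the names OUTSIDE-IN and VPN-MAP are placeholders.

```cisco
! Inbound filter for the Internet-facing interface. It is evaluated on
! packets as they arrive from the provider, i.e. before IPsec decryption,
! so it controls what is allowed to reach the router from outside the tunnel.
ip access-list extended OUTSIDE-IN
 remark --- IPsec control traffic from the known peer only ---
 permit udp host 203.0.113.10 host 198.51.100.5 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.5 eq non500-isakmp
 remark --- IPsec data traffic (ESP) from the known peer only ---
 permit esp host 203.0.113.10 host 198.51.100.5
 remark --- Everything else that arrives from the Internet is dropped ---
 remark --- and logged; this is the probe/attack traffic that the ---
 remark --- VPN itself does nothing about ---
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface; the VPN terminates here
 ip address 198.51.100.5 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
! Send the ACL hits to a syslog collector so the discarded traffic is
! visible, rather than silently dropped (collector address is a placeholder).
logging host 192.0.2.20
logging trap informational
```

The traffic that emerges from the tunnel after decryption is a separate question: whether it is re-checked against an interface ACL depends on the platform and software version, so a site that needs to police what the remote office sends through the VPN still needs a firewall between the VPN termination and the internal network, exactly as the post above describes.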