Let's discuss design considerations for site-to-site firewall termination points.
- A Separate VPN Firewall: You may have seen several designs for enterprise networks. A single firewall gives the network less flexibility and only one VPN termination point. Most networks, however, have at least two firewall layers from a security point of view. The first firewall stops all unwanted traffic and controls DMZ traffic, while the second firewall terminates the VPN connection and provides next-generation firewall features such as URL filtering and antivirus:
![](assets/3e6152d6-f614-4102-9c53-9b8387c97ea5.png)
- Remote Access VPN Tunnels—to split or not to split?: Whenever an organization evaluates options for setting up a VPN for its remote workers and partners, one of the security considerations that arises is whether or not to support a split tunnel model. Let's explore the pros and cons. A full tunnel means that all of your traffic goes through the VPN. A split tunnel means that only corporate traffic goes through the tunnel; the rest of the traffic uses the local internet connection.
The following diagram shows a split tunnel: Red traffic goes through a local internet gateway.
![](assets/74078736-56a5-4a4a-94ba-2941a6012018.png)
The following diagram shows a full tunnel: All traffic goes through the VPN.
![](assets/48a31925-a649-48c8-a161-0ce20fed9dee.png)
As we have seen, a split tunnel may give a faster internet connection via the local internet gateway, but that direct connection bypasses all corporate controls and security policies, such as URL filtering and malware protection. In a full tunnel, all traffic travels through the corporate gateway, providing much better security; however, the extra hop may slow network access. A full tunnel also helps to hide your identity on the internet, because remote sites see the corporate gateway's address rather than your local one.
A common practice followed by most network administrators is to authenticate with a pre-shared secret that is identical on both ends of the connection, rather than setting up a Certificate Authority (CA) and issuing individual keys to each IPsec endpoint. Consequently, if one endpoint is compromised or physically stolen, the whole network becomes vulnerable. As IT staff come and go, the secrecy of that pre-shared key erodes over time. An SSL/TLS certificate-based VPN works well, but it brings device configuration overhead. If you still decide to use pre-shared keys, you should have a process in place for changing them after a set period, and you should use a different pre-shared key on each VPN connection. For approved and strong encryption, consult the Federal Information Processing Standards (FIPS), published by the National Institute of Standards and Technology.
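The two pre-shared key rules above (no key shared across connections, every key rotated on schedule) can be checked mechanically against an inventory of VPN connections. The following audit script is an added example written for this section, not code from the book; the inventory entries, the 180-day rotation period and the `audit_psks` function are all assumptions constructed for illustration.

```python
"""Audit an IPsec site-to-site PSK inventory for key reuse and overdue rotation."""
import hashlib
from datetime import date, timedelta

# Assumed rotation policy: a PSK older than this must be changed.
ROTATION_PERIOD = timedelta(days=180)

# Constructed sample inventory: (connection name, PSK, date the PSK was last changed).
# A real inventory should hold a key fingerprint or a secret-store reference, never
# the plaintext PSK; plaintext appears here only to keep the example self-contained.
SAMPLE_INVENTORY = [
    ("hq-to-branch-a", "CorrectHorseBatteryStaple1", date(2024, 1, 15)),
    ("hq-to-branch-b", "CorrectHorseBatteryStaple1", date(2024, 1, 15)),  # same key as branch-a
    ("hq-to-partner", "Zq7!vL2pRw9#mN4k", date(2022, 6, 1)),               # never rotated
    ("hq-to-dc2", "Xt5$wH8bQe1&cJ6y", date(2024, 5, 1)),
]


def psk_fingerprint(psk: str) -> str:
    """Short SHA-256 fingerprint so reports can group keys without printing them."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def audit_psks(inventory, today: date, rotation_period: timedelta = ROTATION_PERIOD):
    """Return findings as (kind, detail) tuples: ('reused', names) or ('stale', name)."""
    findings = []

    # Rule 1: the same PSK must not terminate more than one VPN connection.
    by_fingerprint = {}
    for name, psk, _changed in inventory:
        by_fingerprint.setdefault(psk_fingerprint(psk), []).append(name)
    for names in by_fingerprint.values():
        if len(names) > 1:
            findings.append(("reused", tuple(names)))

    # Rule 2: every PSK must have been changed within the rotation period.
    for name, _psk, changed in inventory:
        if today - changed > rotation_period:
            findings.append(("stale", name))

    return findings


if __name__ == "__main__":
    for kind, detail in audit_psks(SAMPLE_INVENTORY, date(2024, 7, 1)):
        print(f"{kind}: {detail}")
```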