When IPsec VPNs first emerged, most were purpose-built products, deployed either behind a firewall or on a firewall DMZ. But those architectures were short-lived. Today, nearly every firewall provides integrated VPN features.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security and network management products for nearly 20 years.
It makes a lot of sense to terminate site-to-site VPN tunnels on a firewall. Doing so can easily protect traffic sent between branch offices and a central site, without adding extra hops, reassigning addresses, or breaking IPsec by sending it through Network Address Translators. Firewalls can apply security policies to site-to-site traffic -- for example, stopping worms from propagating across tunnels or remapping private subnets. And with an integrated firewall/VPN, customers have just one platform to provision, monitor, troubleshoot and maintain.
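The policy point above (traffic is decrypted on the firewall and then filtered like any other forwarded traffic) can be made concrete with a Linux firewall ruleset. The script below is an added example, not from this article or any vendor product; it assumes a Linux firewall terminating a site-to-site IPsec tunnel, with the iptables `policy` match module available. The two subnets are constructed sample values, and the script prints the commands by default so it can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the article): site-to-site IPsec terminated on a
# Linux firewall, with forwarding policy applied to the decrypted traffic.
# Subnets below are constructed sample values, not real deployment data.
LOCAL_NET="10.1.0.0/16"      # hypothetical central-site subnet
BRANCH_NET="10.2.0.0/16"     # hypothetical branch-office subnet

# Dry-run by default: print the rules. Set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

vpn_forward_rules() {
    # Anti-spoofing: a packet claiming a branch source address that did NOT
    # arrive inside an IPsec SA (--pol none) is dropped, so the tunnel cannot
    # be bypassed by plain traffic from the Internet side.
    $IPT -A FORWARD -m policy --dir in --pol none \
        -s "$BRANCH_NET" -d "$LOCAL_NET" -j DROP

    # Block SMB/NetBIOS across the tunnel, a common worm propagation path,
    # while the rest of the branch-to-central traffic stays allowed.
    $IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -s "$BRANCH_NET" -d "$LOCAL_NET" \
        -p tcp -m multiport --dports 135,139,445 -j DROP

    # Everything else that was decrypted from the branch tunnel is forwarded.
    $IPT -A FORWARD -m policy --dir in --pol ipsec --proto esp \
        -s "$BRANCH_NET" -d "$LOCAL_NET" -j ACCEPT

    # Return direction: forward only what will be encapsulated toward the branch.
    $IPT -A FORWARD -m policy --dir out --pol ipsec --proto esp \
        -s "$LOCAL_NET" -d "$BRANCH_NET" -j ACCEPT
}

# Count of FORWARD rules the function emits (used for self-checking).
vpn_rule_count() {
    vpn_forward_rules | grep -c 'FORWARD'
}

vpn_forward_rules
```

The first rule is the one most often forgotten: without it, a packet with a forged branch source address that arrives unencrypted would match the later ACCEPT rule only if the `policy` match were omitted, so keeping the `--pol ipsec` qualifier on every allow rule and an explicit `--pol none` drop makes the tunnel the only path between the two subnets.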
Most firewalls can also terminate remote client IPsec tunnels, but firewalls do not excel at meeting remote access needs. It's an uphill battle to pitch an integrated VPN/firewall as a remote access solution when there are many standalone VPN concentrators that offer more attractive features. Selling an integrated VPN for remote access complicates firewall sizing, pricing and interoperability. Getting those right depends on the customer's remote workforce needs, devices and usage habits, all of which tend to change over time and are harder to get a handle on than interoffice traffic.
Return to the virtual private networks FAQ guide and read the rest of Lisa's expert responses.