Pro/Con IPSEC tunnels through Firewalls

I've found myself in an interesting spot where I'm preparing to debate with my info security team the merits of continuing to push IPsec and SSL VPN connections through a stateful firewall. Now, my feedback on this design is: why? What benefit do you gain by having your IPsec/SSL traffic inspected by a stateful firewall, vs. having your VPN device face the public Internet? In my view, passing this traffic through a stateful FW just creates additional and unnecessary overhead (from inspection and NAT processing), which adds delay (latency). Aside from this, why would you inspect encrypted traffic? Does not compute!

 

Anyhow, to prepare for this debate I was just searching the web, looking for some article, blog, design guide, or any feedback on this topic, and did not find any source material on this subject.

So, in a nutshell, I'm looking for your insights on this subject: should I support this practice, or should I stick with what I know works? My gut tells me to swim away from such a design and just place your IPsec- and SSL-terminating devices, like an ASA/ISR/ASR device, on the edge.

 

As always, your feedback is appreciated.


One benefit is that you have an additional control over what traffic reaches your VPN gateway. If your VPN device has a vulnerability on a default open port, the firewall that only lets through the needed VPN traffic will be an effective countermeasure. But at least for IPsec, a stateless ACL will be enough; a stateful firewall is not really needed.

Personally, I often accept having my VPN gateway directly connected to the Internet. But it's always important to have some device hardening in place.
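As an added illustration of the reply's point (this is an example written for this thread, not configuration from the original post or from any Cisco document), here is what "a stateless ACL that only lets through the needed VPN traffic" looks like on an IOS edge router in front of the VPN gateway, next to the permissive alternative. The gateway address 203.0.113.10, the interface name and the use of the AnyConnect DTLS default of UDP/443 are assumptions for the example.

```cisco
! Added example, not from the original thread. Assumptions: the VPN gateway's
! public interface is 203.0.113.10 (documentation range) and the ACL is
! applied inbound on the edge router's Internet-facing interface.
!
! The permissive version: every port on the gateway is reachable from the
! Internet, so any service listening by default is exposed.
ip access-list extended VPN-EDGE-IN-PERMISSIVE
 permit ip any host 203.0.113.10
!
! The restrictive version: only the protocols a remote-access VPN needs.
! All of these sessions are initiated from the remote peer towards the
! gateway, so a stateless match on destination host/port is sufficient;
! no connection table is required to allow them.
ip access-list extended VPN-EDGE-IN
 remark IPsec: IKE on UDP/500, NAT-Traversal on UDP/4500, ESP (IP protocol 50)
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
 remark SSL VPN: TLS on TCP/443, DTLS on UDP/443 (assumed AnyConnect default)
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443
 remark Anything else aimed at the gateway (SSH, HTTPS admin, SNMP...) is dropped and logged
 deny ip any host 203.0.113.10 log
!
interface GigabitEthernet0/0
 description Internet uplink (assumed interface name)
 ip access-group VPN-EDGE-IN in
```

Two caveats when adapting this: IOS ends every ACL with an implicit deny, so if other hosts sit behind the same uplink they need their own permit entries; and the ACL only governs what reaches the gateway from the outside, so management of the gateway has to be bound to the inside interface (or a dedicated management network) rather than relying on this list alone.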
