I've found myself in an interesting spot where I am preparing to debate with my info security team the merits of continuing to push IPSEC and SSL VPN connections through a stateful firewall. Now, my feedback on this design is: why? What benefit do you gain by having your IPSEC/SSL traffic inspected by a stateful firewall, vs. having your VPN device face the public Internet? In my view, passing this traffic through a stateful FW just creates additional and unnecessary overhead (from inspection and NAT processing), which adds delay (latency). Aside from this, why would you inspect encrypted traffic? Does not compute!
Anyhow, to prepare for this debate I was just searching the web, looking for an article, blog, design guide, or any feedback on this topic, and did not find any source material on this subject.
So, in a nutshell, I'm looking for your insights on this subject: should I support this practice, or should I stick with what I know works? My gut tells me to swim away from such a design and just place your IPSEC and SSL terminating devices, like an ASA/ISR/ASR device, on the edge.
As always, your feedback is appreciated.