
Is site-to-site VPN with router secure enough?

wysun_53

Hi,

I have a question regarding site-to-site VPN with router.

Internet <> Router <> LAN

If I have a site-to-site VPN configured on the router above with another site, and an access-list configured to block all incoming Internet connections except those from the VPN, what are the risks of the LAN being exposed to Internet threats? Would you recommend putting a firewall between the router and the LAN, or replacing the router with a firewall?

Thank you

1 Accepted Solution

Accepted Solutions

Hi Amanda,

Assuming that your L2L looks like this:

LAN ---- Router --------------- INTERNET ------------- Router_Remote ----- LAN
            |------------------------------------------------|
                                  L2L

The traffic between the two LANs is protected by the VPN tunnel. It is recommended to use the security best practices (strongest encryption settings) to make sure the encrypted traffic wouldn't be compromised across the Internet.

On the other hand, if you are talking about traffic going out in the clear to the Internet, like when a user accesses google.com, then just make sure the traffic goes out, but never allow any inbound connections.

If you want to protect your network with advanced security features, like a FW, you may consider ZBF, which is the Firewall feature set available in IOS:

Zone-Based Policy Firewall Design and Application Guide

If you still consider this is not enough, then check the ASA5500 series.

HTH.

Portu.

Please rate any helpful posts

3 Replies 3

Hi Portu,

Thank you very much for your detailed explanation.

Best regards,

Amanda

Glad to help

Have a nice day!