1

Our company has two separate firewall devices from different vendors (Checkpoint / Cisco) for firewall and VPN access.

We're currently evaluating the possibility of migrating to a newer, clustered solution (2 new devices) from a single vendor where both VPN and firewall services will be hosted.

Any thoughts/ideas on what the pros and cons of this solution would be?

I've read a few articles stating that it's a good idea to keep them separated due to potential performance penalty, but I really don't think that this is going to be an issue (based on the sizing we've already made).

Improve this question
1
  • I'm not sure where the security implications are, since you appear to be asking about performance. If those details aren't added, I suggest this be moved.
    – multithr3at3d
    Commented May 9, 2019 at 19:11

1 Answer 1

Reset to default
1

Not really an useful idea to keep them separate. Splitting FW and VPN rarely actually helps. The only possible scenario when this would be good for something would be a successful DoS attack that would affect your VPN. But if a DoS happens vs the firewall, the fact that the VPN device is working would not be of much help.

Now on the other way, if you have for example 2 ASAs in redundant mode, they support VPN so you have everything from 1 vendor + redundancy.

It is very easy to properly control access from the same device: practically, in your firewall you will also be able to configure what the VPN IPs can actually access. This can be a great advantage as it simplifies management and offers better security compared to having separate devices.

Improve this answer

Not the answer you're looking for? Browse other questions tagged .