What to know about VPN termination

Multiple choices are available for VPN termination, but which ones make sense for your network?


* remove unnecessary class from ul
$(“#inlineregform”).find( “ul” ).removeClass(“default-list”);

* Replace “errorMessageInput” class with “sign-up-error-msg” class
function renameErrorMsgClass() {
$(“.errorMessageInput”).each(function() {
if ($(this).hasClass(“hidden”)) {
$(this).removeClass(“errorMessageInput hidden”).addClass(“sign-up-error-msg hidden”);
} else {

* when validation function is called, replace “errorMessageInput” with “sign-up-error-msg”
* before return
function validateThis(v, form) {
var validateReturn = urValidation.validate(v, form);
return validateReturn;

* DoC pop-up window js – included in moScripts.js which is not included in responsive page
$(“#inlineRegistration”).on(“click”,”a.consentWindow”, function(e) {, “Consent”, “width=500,height=600,scrollbars=1”);

VPNs are encrypted network tunnels that secure communications channels between sites. A site can be a branch that contains hundreds of people, or it can be a home office or mobile user with a laptop or mobile device, like a phone or tablet.

A branch site will typically use a permanent IPsec VPN that’s up all the time. A mobile user will typically use a dynamic VPN based on Secure Sockets Layer or Transport Layer Security that’s up only when connectivity is required. Remote sites typically connect to one or more central sites, usually the organization’s corporate headquarters or regional offices.

Central site VPN termination

Network teams have several choices regarding where to terminate the central end of VPN tunnels.

Inside the site’s firewall. This places remote devices inside the organization’s secure perimeter. If the firewall can’t decrypt the remote site’s traffic, it can allow malware into the central site. This termination point is best suited for a remote branch that’s using IPsec and device security scanning technology to prevent a remote computer from attacking corporate resources.

Outside the site’s firewall. With this type of VPN termination, VPN traffic is decrypted outside the firewall, which enables the firewall to monitor and act upon traffic from the remote site. However, internet-destined traffic may not traverse the firewall, leaving the remote systems vulnerable to attack.

In a demilitarized zone (DMZ) network between two firewalls at a site. Terminating a VPN tunnel in a DMZ between firewalls is more secure than the above approaches because the external firewall protects the remote site systems, while the internal firewall protects the corporate systems.

On a site’s firewall. Many firewalls include VPN termination, enabling the firewall to see the unencrypted traffic, while protecting the endpoints at both the remote and central site.

Remote site VPN termination

A remote site can use a single tunnel or a split tunnel configuration for VPN termination.

Single tunnel. In this configuration, a single tunnel sends all traffic via the tunnel to the central site, even if the remote site has good internet connectivity. This means all traffic to and from the remote site can go through corporate firewalls and security monitoring systems.

Split tunnel. A split tunnel configuration sends corporate traffic via the VPN and sends internet-destined traffic directly.

VPN split tunneling
With VPN split tunneling, internet traffic goes directly to its destination, while corporate traffic travels on the VPN.

This method opens a potential security hole but is attractive for remote worker access to SaaS offerings, like Office 365 and Salesforce. Some DNS providers, such as Cisco Umbrella, enable direct access only to authorized internet services and require that all other connections, like browsing, go via the corporate site, where security services can protect the organization.

Look to the experts

VPN requirements depend on a number of factors, including the devices that are being deployed, the underlying network infrastructure and security requirements. It pays to consult with network security and VPN experts to make an informed decision on the specific technology to employ. Don’t be surprised if multiple technologies are recommended to provide defense in depth.

Source link


About the author


Add Comment

Click here to post a comment

Your email address will not be published. Required fields are marked *

Do NOT follow this link or you will be banned from the site!