The "router in front for security reasons" way doesn't really hold ground anymore IMHO:
It used to be that firewalls couldn't hold the load of being the edge device; that isn't so true anymore. They also don't provide much added security either. At best they can only be relied on to do basic stateless filtering (reject bogons, etc).

Now, having a router in front can still be of much use to control your border routing (BGP...), or one is just plain required (ISP controlled, T1 to Ethernet gateway, etc.)

As for the router behind, well, it's simply that routers usually offer a better platform for doing your internal network routing (unless you have a really simple network, i.e. flat or few static routes).


Concerning your VPN placement, the best would be to have it on a separate interface/segment on your firewall. Otherwise, using private VLANs on your DMZ switch would be good. Otherwise, just plain in your DMZ (more exposure if a DMZ host is compromised, source spoofing could get them a way in...); otherwise, using the firewall as the VPN endpoint is relatively safe too...


Ammo
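An added example, not from Ammo's post, of the placement the reply recommends: an nftables ruleset with the VPN gateway on its own firewall segment, basic bogon filtering at the edge, and anti-spoofing on the DMZ so a compromised DMZ host cannot forge a source address into the VPN or LAN segments. Interface names and addresses are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post). Interface names and addresses are assumed.
flush ruleset

define WAN    = eth0            # edge link; the ISP router sits in front of this
define DMZ    = eth1            # 192.0.2.0/24, public-facing hosts
define VPN    = eth2            # 198.51.100.0/24, dedicated segment holding the VPN gateway
define LAN    = eth3            # 10.0.0.0/8, internal routing done by the inside router
define VPN_GW = 198.51.100.10   # the VPN endpoint itself

table inet border {
    set bogons {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.0.0.0/24, 192.168.0.0/16, 198.18.0.0/15,
                     224.0.0.0/3 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # basic stateless filtering at the edge: bogon sources arriving from the WAN
        iifname $WAN ip saddr @bogons drop

        # anti-spoofing: each inside segment may only use its own source range
        iifname $DMZ ip saddr != 192.0.2.0/24 drop
        iifname $VPN ip saddr != 198.51.100.0/24 drop

        # only IKE/NAT-T and ESP reach the VPN gateway from the outside
        iifname $WAN oifname $VPN ip daddr $VPN_GW udp dport { 500, 4500 } accept
        iifname $WAN oifname $VPN ip daddr $VPN_GW meta l4proto esp accept

        # decrypted traffic leaves the VPN segment only toward the LAN, never into the DMZ
        iifname $VPN oifname $LAN ip saddr $VPN_GW accept
        iifname $VPN oifname $DMZ drop

        # a compromised DMZ host gets no path to the VPN segment or the LAN
        iifname $DMZ oifname { $VPN, $LAN } drop
        iifname $DMZ oifname $WAN accept
        iifname $LAN oifname { $WAN, $DMZ } accept
    }
}
```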