Sidebar 2 : Other Considerations

Running the code on your firewall has a few disadvantages. First, all tunneling code is specific to a certain platform, and most of the time to a specific firewall product as well. So, if you want to use a tunnel, you must have the same platform and firewall software on both sides. This requirement can make a solution very expensive indeed.

Second, by adding the tunneling code to your firewall, you will make the firewall more complicated and thus more susceptible to errors. It is often because these errors open up holes in your firewall that an intruder can gain unauthorized access.

In my opinion, you should build a dedicated machine that will take care of the tunneling. For the clients on your network, this tunneling machine is just the router to their destination (the other network). For your firewall, it makes things simpler as well. You probably need fewer filtering rules since in the minimal case it will only be the tunneling machine that will connect through your firewall. You can now even block the internal network clients' direct access to the outside to prevent unwanted information leakage.

Having a separate tunneling machine provides more freedom of choice, you can now use a household firewall and use your trustworthy Linux machine as the tunneling server.