Interface-based VPNs
(2015-03-10)
Something which I realized a few years back and have not read anywhere before or since:
If you are messing around with interface-based VPNs (on your JunOS or ScreenOS firewall), the temptation is to put them in the untrust zone. VPNs are untrusted, right?
The downside of doing this is that most of the time you are going to end up subverting your own policy rules controlling traffic flow to the remote ends of the VPNs. This is because most of the time you are not at a high-security site and you have the equivalent of a (Trust->Untrust)(any/any/any->Permit) rule at the bottom of your outbound trust-to-untrust policy list.
So if you are carefully using policies to permit specific traffic across the VPNs, you have to be sure to just as carefully exclude everything else across those VPNs, otherwise the bottom rule is just going to happily permit it.
This is obvious in hindsight but I've never seen it written anywhere as a sort of gotcha warning.
My solution to this problem is to create a new zone called "VPN" whenever possible, put the tunnel interfaces in it, and use trust->VPN policies to control the traffic flow, since that zone pair has an implicit deny for any traffic that is not explicitly permitted.
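As an added illustration (not from the original post), the two arrangements side by side in Junos set-command form. The tunnel interface st0.0, the policy names and the branch-mail address are assumed values chosen for the example; the `##` lines are annotations, not configuration.

```junos
## --- Setup A: tunnel interface placed in untrust (the gotcha) ---
set security address-book global address branch-mail 10.20.0.25/32   ## constructed remote host
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces st0.0            ## VPN lands in untrust

## The "careful" rule: only SMTP to the branch mail server over the VPN
set security policies from-zone trust to-zone untrust policy allow-smtp-branch match source-address any
set security policies from-zone trust to-zone untrust policy allow-smtp-branch match destination-address branch-mail
set security policies from-zone trust to-zone untrust policy allow-smtp-branch match application junos-smtp
set security policies from-zone trust to-zone untrust policy allow-smtp-branch then permit

## The usual bottom rule for Internet access. Because the route to the far
## side points out st0.0, which is also in untrust, this rule matches every
## non-SMTP flow to the branch as well, so the policy above achieves nothing.
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

## --- Setup B: dedicated VPN zone (the fix) ---
delete security zones security-zone untrust interfaces st0.0
set security zones security-zone VPN interfaces st0.0                ## tunnel now in its own zone

set security policies from-zone trust to-zone VPN policy allow-smtp-branch match source-address any
set security policies from-zone trust to-zone VPN policy allow-smtp-branch match destination-address branch-mail
set security policies from-zone trust to-zone VPN policy allow-smtp-branch match application junos-smtp
set security policies from-zone trust to-zone VPN policy allow-smtp-branch then permit

## No catch-all for trust->VPN is written, so anything else toward the
## branch falls through to the default policy, which on Junos is deny-all.
set security policies default-policy deny-all
```

The same separation applies on ScreenOS with `set zone name VPN` and `set interface tunnel.N zone VPN`, then `set policy from trust to VPN ...` for the permitted traffic only.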