I'm not as well versed in the world of IPSec VPN's as I would like.. and getting into a philosophical debate about the traffic and security considerations of setting up a VPN connection. We have a vendor trying to sell us a product where we install a Cisco VPN client on a server that is used to establish a VPN connection (on demand) to their data center and then setup an FTP session over than VPN connection to download files from their data center to our server for further processing. That's all well and good and I understand that. Where I get a little hazy is that once the VPN connection is established, isn't the traffic over that VPN connection, by definition, allowed to flow both ways (meaning, if someone on their end wanted to establish a connection to our server here hosting the VPN connection)? To me, that's a security concern because it would require me putting that VPN client into a DMZ type solution in order to insure if they had some malcontent internal employee who tried to hack (or worse, managed to break into the VPN box on our end) when the connection was active, they would then be able to use that box on our network to penetrate further into our network. They keep telling me that the connection is one way only, but I think they are confusing the application traffic and the actual network connectivity behind it. So, someone please enlighten me on IPSec VPN and if traffic is able to be limited in any way.