Penetration Testing mailing list archives

Risks associated to branch office IPSec devices


From: Rodrigo Blanco <rodrigo.blanco.r () gmail com>
Date: Tue, 21 Jun 2005 14:00:38 -0600

Hello list,

I have just come across a doubt about branch office VPN devices.
Normally, they are used so that a branch office's network - typically
with a private addressing scheme - can securely connect to the
headquarters' central network.

Such VPN devices normally do not include a firewall, so I was
wondering if this really represents a risk:

Yes - it is a risk if the VPN device just acts as a router (no ACLs)
and is attached to the Internet.
No - because the addressing scheme behind it is private, hence
non-routable, hence unreachable across the Internet (internet routers
would drop packets with such destinations?)

The only real risk I see is if the VPN device is cracked, and from
there the security of the whole network (both branch office and
headquarters) is exposed. Am I right?

Any ideas would be more than welcome. Thanks in advance for your
advice and best regards,

Rodrigo.

