RE: VPN overkill?
From: Gary Freeman (Gary.Freeman_at_rci.rogers.com)
Date: 11/17/04
- Previous message: Dante Mercurio: "RE: Information Securily papers"
- Maybe in reply to: Ted A: "VPN overkill?"
- Next in thread: Keith Bucknall: "RE: VPN overkill?"
Date: Wed, 17 Nov 2004 09:31:30 -0500
To: <security-basics@securityfocus.com>
Ted, you aren't completely off your rocker (not that I know you :),
Since you guys sound like a Cisco shop, any of the Cisco 1700, 2600 or
3700 series Routers with 3DES IOS, or a PIX 501, 506e, 515e, or 525s
(with 3DES licensing) would suffice at the remote end. You could even
consider a Linksys router (owned by Cisco).
Any number of the following scenarios will work with your site:
Local----Remote
---------------
IOS <--> IOS
IOS <--> PIX
IOS <--> VPN3000
PIX <--> PIX
PIX <--> IOS
PIX <--> VPN3000
VPN3000 <--> VPN3000
VPN3000 <--> IOS
VPN3000 <--> PIX
If your future plans are to increase the number of sites connecting via
VPN, then you could consider the VPN 3000 Concentrator ($9-30K) at the
mother-site with the remote sites connecting using the Cisco 3002
hardware client with a built in 10/100 8 port switch (approx. $900).
This is usually for serious Enterprise deployment and requires big
bucks.
Another Enterprise option is a Cisco PIX 525 with a 3DES SEP card
running 3DES code ($10-20k) at the mother-site accepting IPSEC from the
remote sites who are equipped with either a PIX 506e also running 3DES
code ($2000) or 2600-3700 series routers.
Cisco has some great articles for connecting their equipment mixed and
matched using IPSEC:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941ea.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml
To find out more about which vendors' equipment is VPN interoperable, go
to:
http://www.vpnc.org/detail-basic-interop.html
Gary
-----Original Message-----
From: Ted A [mailto:arcturous@hotmail.com]
Sent: Tuesday, November 16, 2004 5:17 PM
To: security-basics@securityfocus.com
Subject: VPN overkill?
All,
First off, good fun reading this list. Some really great advice and good
thinkers on here. Thanks for the great questions and great answers.
So here's my issue. I have an IT infrastructure manager who has raised a
requirement I find myself questioning.
We have a goal of connecting a remote office to a central office via a
VPN.
This manager insists that the only acceptable way to accomplish this is by
connecting 2 VPN concentrators. I debate this, noting that a PIX should be
more than capable of handling this connection at the remote office and the
only place the concentrator is needed is at the central office.
Am I completely off my rocker, thinking that a second concentrator for a
single connection is a little overboard?
Thoughts?
Thanks,
Ted