Security Basics mailing list archives
RE: VPN overkill?
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 17 Nov 2004 09:31:30 -0500
Ted, you aren't completely off your rocker (not that I know you :).

Since you guys sound like a Cisco shop, any of the Cisco 1700, 2600 or 3700 series routers with 3DES IOS, or a PIX 501, 506e, 515e, or 525 (with 3DES licensing) would suffice at the remote end. You could even consider a Linksys router (owned by Cisco).

Any number of the following scenarios will work with your site:

Local----Remote
---------------
IOS <--> IOS
IOS <--> PIX
IOS <--> VPN3000
PIX <--> PIX
PIX <--> IOS
PIX <--> VPN3000
VPN3000 <--> VPN3000
VPN3000 <--> IOS
VPN3000 <--> PIX

If your future plans are to increase the number of sites connecting via VPN, then you could consider the VPN 3000 Concentrator ($9-30K) at the mother-site with the remote sites connecting using the Cisco 3002 hardware client with a built-in 10/100 8 port switch (approx. $900). This is usually for serious Enterprise deployment and requires big bucks.

Another Enterprise option is a Cisco PIX 525 with a 3DES SEP card running 3DES code ($10-20k) at the mother-site accepting IPSEC from the remote sites, which are equipped with either a PIX 506e also running 3DES code ($2000) or 2600-3700 series routers.

Cisco has some great articles for connecting their equipment, mixed and matched, using IPSEC:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941ea.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094763.shtml

To find out more about which vendors' equipment is VPN interoperable, go to:

http://www.vpnc.org/detail-basic-interop.html

Gary

-----Original Message-----
From: Ted A [mailto:arcturous () hotmail com]
Sent: Tuesday, November 16, 2004 5:17 PM
To: security-basics () securityfocus com
Subject: VPN overkill?

All,

First off, good fun reading this list. Some really great advice and good thinkers on here. Thanks for the great questions and great answers.

So here's my issue. I have an IT infrastructure manager who has raised a requirement I find myself questioning. We have a goal of connecting a remote office to a central office via a VPN. This manager insists that the only acceptable way to accomplish this is by connecting 2 VPN concentrators. I debate this, noting that a PIX should be more than capable of handling this connection at the remote office and the only place the concentrator is needed is at the central office.

Am I completely off my rocker, thinking that a second concentrator for a single connection is a little overboard?

Thoughts?

Thanks,
Ted
