From: David Duncon (david_ccie@hotmail.com)
Date: Wed Aug 04 2004 - 01:02:38 GMT-3
A valuable tip, Mark. Thanks.
I may go for Cisco VPN clients (over Windows PPTP/L2TP) simply to retain
their inbuilt authentication.
Secondly, I was wondering what you think about *TLS* (Transport Layer
Security) encryption. Because I am thinking that instead of deploying the data
encryption at L3, we can enable security from L4 to L7 with the help of
TLS. And our e-commerce application, which we will be having shortly (it is
currently under production on the .Net platform), can incorporate TLS code, and
that way the application itself can be intelligent enough to offer the required
encryption. But the only problem I gather is the related *CPU load* (as TLS is
CPU intensive) on the web server which houses this application. In that case,
is it an economically/technically viable option to deploy a *content switch* at
the front end which will offload the TLS-related CPU load from the web
server and also carry out round-robin work on the back-end dual web servers?
Regarding the question of whether to use a router or a VPN 3K box for
terminating incoming sessions, I think I am going to bat for the VPN 3K box
because it is not only a neater solution but also can offer us much more
control in defining user profiles.
So I think I have 2 options here:

Option 1: Deploy a VPN 3K box in parallel with our current CPNG behind the
Internet perimeter router and force all ingress e-commerce sessions to use
Cisco VPN clients.
+ves = neater solution, and can marry an independent user profile to each user
on what they can and what they can't do after they come in.
-ves = a little expensive.

Option 2: Encourage our Apps Development Team to look into incorporating
TLS in their coding without relying upon the lower-layer enforced
security. As all client machines do have IE, they can easily work with
TLS, I guess.
+ves = cheaper than Option 1; the only cost is "coders'" man hours, and a more
centralized approach without necessarily relying upon lower layers.
-ves = may be prone to security hacks as it is embedded within the Apps.
Your input is much appreciated.
David..
>From: "Mark Lewis" <mark@mjlnet.com>
>Reply-To: <mark@mjlnet.com>
>To: <david_ccie@hotmail.com>
>CC: <ccielab@groupstudy.com>
>Subject: Re: Which Router as a VPN concentrator
>Date: Wed, 4 Aug 2004 00:12:16 +0100
>
>
>
>1. Here's a good *starting point* for selecting your router:
>
>http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html
>
>2. As far as IPsec remote access is concerned, you can just use Cisco VPN
>client for your mobile users (Windows native IPsec does not support XAuth,
>if I remember correctly, but the Cisco VPN client does of course).
>
>3. IOS routers can terminate L2TP and PPTP tunnels/sessions from Windows-
>based clients. Windows boxes use L2TP over IPsec and use IKE digital
>signature authentication by default, though you can turn off IPsec/use
>pre-shared key authentication if you want (but carefully consider the
>security implications before you decide to do that).
>
>HTH.
>
>
>Mark
>
>CCIE#6280 / CCSI#21051 / etc.
>
>Author: www.ciscopress.com/1587051044
>
>
>
>
> >From: "David Duncon" <david_ccie@hotmail.com>
> >Reply-To: "David Duncon" <david_ccie@hotmail.com>
> >To: ccielab@groupstudy.com
> >Subject: Which Router as a VPN concentrator
> >Date: Tue, 03 Aug 2004 20:54:29 +0800
> >
> >Hi Group,
> >
> >I have a design requirement where we need to facilitate "encryption"
> >of both *ingress* as well as *egress* e-commerce sessions (maybe
> >around 400 concurrent sessions) through our Corporate Internet pipe.
> >At the moment we have a 2651MX doing the job at the Internet perimeter
> >and Check Point taking care of the activity behind the 2651MX,
> >where our DMZs are located. And the requirement also demands
> >centralizing the various VPN client s/w we use, which is all over the
> >shop at the moment: Cisco VPN clients (getting terminated onto
> >a VPN 3K box), Check Point SecuRemote (getting terminated on
> >CPNG) and web-enabled NFuse (serviced by a back-end Citrix farm), etc.
> >
> >I am thinking along the following lines and I would really appreciate it
> >if someone could point me in the right direction.
> >
> >Initially we were thinking of deploying a Cisco VPN 3K concentrator to
> >service all these "400" odd mobile user IPsec sessions. But later,
> >because of Layer 8 (political :-) ) and also to a certain extent
> >costs, we have to deploy a router instead to do the job of both routing
> >and VPN concentrator. And we are thinking about a 3600 series
> >box as it can be a better VPN concentrator (???) than the 2600s, and then
> >encourage all of our mobile users to use a single client s/w to come
> >into the corporate WAN.
> >
> >Now I am unsure about the following aspects.
> >
> >- What router is best suited for this task?
> >- Since we are building/proposing mobile-user-to-router IPsec
> >sessions, what s/w can our client machines use?
> >- Can Windows-based L2TP or PPTP VPN client sessions be
> >terminated on a 3600 series router/VPN concentrator?
> >
> >Thanks for any pointers.
> >
> >David.
> >
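As an added illustration of the router-side termination Mark describes in point 2 (Cisco VPN client with XAuth on an IOS router, which is the client David says he is leaning towards), here is an IOS Easy VPN server configuration. This is example configuration written for this page, not from the thread, from Cisco, or from either poster's network. The group name MOBILE, the pool and ACL numbers, the 10.x addresses, the user name and the keys are all assumed placeholders. The point it shows is that group pre-shared-key authentication alone only identifies the *group*; per-user identity comes from the XAuth login list, and per-user access comes from the group/user authorization, which is the "user profile" control David wants. Key length, hash and Diffie-Hellman choices reflect the 2004-era IOS/VPN client feature set the thread is about, not current best practice.

```ios
! --- Example Easy VPN server config (constructed for illustration) ---
aaa new-model
! XAuth: every VPN client user must log in with an individual credential
aaa authentication login vpn-xauth local
! Group/user authorization: hands the client its pool, DNS, split-tunnel ACL
aaa authorization network vpn-group local
! Assumed sample user; in practice point the lists at RADIUS/TACACS+ instead
username alice secret 0 ChangeMeNow

! IKE phase 1 for the Cisco VPN client (aggressive mode, group pre-share, DH 2)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2

! The "group" the VPN client profile names; its key only proves group membership,
! so the XAuth step above is what actually authenticates the person.
crypto isakmp client configuration group MOBILE
 key Assumed-Group-Key
 dns 10.1.1.10
 domain example.internal
 pool VPNPOOL
 acl 110

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic map: remote clients have unknown source addresses
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
 reverse-route

! Tie XAuth, group authorization and address assignment to the crypto map
crypto map VPNMAP client authentication list vpn-xauth
crypto map VPNMAP isakmp authorization list vpn-group
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP

! Addresses handed to clients and the internal networks they may reach
ip local pool VPNPOOL 10.99.0.1 10.99.0.254
access-list 110 permit ip 10.0.0.0 0.255.255.255 10.99.0.0 0.0.0.255

! Outside (Internet-facing) interface; name is an assumption
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 crypto map VPNMAP
```

To verify a client has been individually authenticated rather than merely admitted by the group key, `show crypto isakmp sa` should list the peer as active only after the XAuth exchange completes, and `show crypto session` shows the assigned pool address per user. Mark's caveat about pre-shared keys applies here too: the group key is shared by every installed client, so a leaked client profile only becomes harmful if XAuth is absent or the per-user passwords are weak, which is why the login list is the part not to skip.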
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:32 GMT-3