From: David Duncon (david_ccie@hotmail.com)
Date: Thu Aug 05 2004 - 03:19:08 GMT-3
Appreciate your help, Mark.
David.
>From: "Mark Lewis" <mark@mjlnet.com>
>Reply-To: <mark@mjlnet.com>
>To: "David Duncon" <david_ccie@hotmail.com>
>Subject: RE: Which Router as a VPN concentrator
>Date: Wed, 4 Aug 2004 20:22:48 +0100
>
>David,
>
>Without knowing all of the details of your network, I couldn't comment as
>to specific solutions, but deploying a VPN router/concentrator is a very
>good solution for all remote access needs. IOS routers support IPsec, L2TP
>and PPTP for remote access, and VPN concentrators support IPsec, L2TP, PPTP
>and SSL (v3 of which is very similar to TLS, as you know) for remote
>access. People often go for the VPN concentrator for remote access because
>it is specifically designed for that purpose.
>
>HTH.
>
>
>Mark
>
>CCIE#6280 / CCSI#21051 / etc.
>
>Author: www.ciscopress.com/1587051044
>
>
>
>
>-----Original Message-----
>From: David Duncon [mailto:david_ccie@hotmail.com]
>Sent: 04 August 2004 05:03
>To: mark@mjlnet.com
>Cc: ccielab@groupstudy.com
>Subject: Re: Which Router as a VPN concentrator
>
>
>A valuable tip, Mark. Thanks.
>
>I may go for Cisco VPN clients (over Windows PPTP/L2TP) simply to retain
>their inbuilt authentication.
>
>Secondly, I was wondering what you think about *TLS* (Transport Layer
>Security) encryption. Because instead of deploying the data encryption at
>L3, I am thinking we can enable security from L4 to L7 with the help of
>TLS. Our e-commerce application, which we will be having shortly (it is
>currently under production on the .NET platform), can incorporate TLS code,
>and that way the application itself can be intelligent enough to offer the
>required encryption. But the only problem I gather is the related *CPU
>load* (as TLS is CPU intensive) on the web server which houses this
>application. In that case, is it an economically/technically viable option
>to deploy a *content switch* in the front end which will be offloading the
>TLS-related CPU load from the web server and also doing round-robin work
>across the dual back-end web servers?
>
>Regarding the question of whether to use a router or a VPN 3K box for
>terminating incoming sessions, I think I am going to bat for the VPN 3K box
>because it is not only a neater solution but also can offer us much more
>control in defining user profiles.
>
>So I think I got 2 options here:
>
>Option 1: Deploy a VPN 3K box in parallel with our current CPNG behind the
>Internet perimeter router and force all ingress e-commerce sessions to use
>Cisco VPN clients. +ves: neater solution, and we can marry an independent
>user profile to each user defining what they can and can't do after they
>come in. -ves: a little expensive.
>
>Option 2: Encourage our apps development team to look into incorporating
>TLS in their coding without relying upon the lower-layer enforced
>security. As all client machines do have IE, they can easily work with
>TLS, I guess. +ves: cheaper than Option 1, as the only cost is "coders'"
>man-hours, and a more centralized approach without necessarily relying
>upon lower layers. -ves: may be prone to security hacks as it is embedded
>within the apps.
>
>
>Your input is much appreciated.
>
>David..
>
>
>
> >From: "Mark Lewis" <mark@mjlnet.com>
> >Reply-To: <mark@mjlnet.com>
> >To: <david_ccie@hotmail.com>
> >CC: <ccielab@groupstudy.com>
> >Subject: Re: Which Router as a VPN concentrator
> >Date: Wed, 4 Aug 2004 00:12:16 +0100
> >
> >
> >
> >1. Here's a good *starting point* for selecting your router:
> >
> >http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html
> >
> >2. As far as IPsec remote access is concerned, you can just use the Cisco
> >VPN client for your mobile users (Windows native IPsec does not support
> >XAuth, if I remember correctly, but the Cisco VPN client does, of course).
> >
> >3. IOS routers can terminate L2TP and PPTP tunnels/sessions from Windows
> >based clients. Windows boxes use L2TP over IPsec and use IKE digital
> >signature authentication by default, though you can turn off IPsec or use
> >pre-shared key authentication if you want (but carefully consider the
> >security implications before you decide to do that).
> >
> >HTH.
> >
> >
> >Mark
> >
> >CCIE#6280 / CCSI#21051 / etc.
> >
> >Author: www.ciscopress.com/1587051044
> >
> >
> >
> >
> > >From: "David Duncon" <david_ccie@hotmail.com>
> > >Reply-To: "David Duncon" <david_ccie@hotmail.com>
> > >To: ccielab@groupstudy.com
> > >Subject: Which Router as a VPN concentrator
> > >Date: Tue, 03 Aug 2004 20:54:29 +0800
> > >
> > >Hi Group,
> > >
> > >I have a design requirement where we need to facilitate "encryption"
> > >of both *ingress* as well as *egress* e-commerce sessions (maybe
> > >around 400 concurrent sessions) through our corporate Internet pipe.
> > >At the moment we have a 2651MX doing the job at the Internet perimeter
> > >and Check Point taking care of the activity behind the 2651MX,
> > >where our DMZs are located. The requirement also demands that we
> > >centralize the various VPN client s/w we use, which is all over the
> > >shop at the moment: Cisco VPN clients (getting terminated on
> > >a VPN 3K box), Check Point SecuRemote (getting terminated on
> > >CPNG) and web-enabled NFuse (serviced by a backend Citrix farm), etc.
> > >
> > >I am thinking along the following lines and I would really appreciate it
> > >if someone could point me in the right direction.
> > >
> > >Initially we were thinking of deploying a Cisco VPN 3K concentrator to
> > >service all these "400" odd mobile user IPsec sessions. But later,
> > >because of Layer 8 (political :-) ) and also to a certain extent
> > >costs, we have to deploy a router instead to do the job of both routing
> > >and VPN concentrator. We are thinking about a 3600 series
> > >box as it can be a better VPN concentrator (???) than the 2600s, and then
> > >encourage all of our mobile users to use a single client s/w to come
> > >in to the corporate WAN.
> > >
> > >Now I am unsure about following aspects.
> > >
> > >- What router is best suited for this task?
> > >- Since we are building/proposing mobile user to router IPsec
> > >sessions, what s/w can our client machines use?
> > >- Can Windows-based L2TP or PPTP VPN client sessions be
> > >terminated on a 3600 series router/VPN concentrator?
> > >
> > >Thanks for any pointers.
> > >
> > >David.
> > >
> >
>
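Added example, not part of the thread or of any poster's configuration: an IOS configuration for terminating the Windows built-in L2TP/IPsec client on a router, using the pre-shared key option Mark mentions (point 3 of his first reply) rather than the Windows default of IKE digital-signature authentication. Interface names, the address pool, the user name and both secrets are assumptions for illustration; the IKE proposal matches what the Windows 2000/XP client offers by default.

```ios
! Constructed example: LNS role on an IOS router for Windows L2TP/IPsec clients.
! Names, addresses and secrets below are assumptions, not from the thread.
aaa new-model
aaa authentication ppp L2TP-AUTH local
username mobile01 password 0 ChangeMe-PPP
!
! IKE phase 1: the Windows client proposes 3DES / SHA-1 / DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Wildcard pre-shared key: every remote-access client shares this one secret,
! so anyone who learns it (e.g. from a lost laptop) can complete IKE phase 1
! with the router. This is the "security implication" of moving away from the
! Windows default of certificate (RSA-sig) authentication.
crypto isakmp key ChangeMe-IKE address 0.0.0.0 0.0.0.0
!
! Windows L2TP/IPsec protects UDP 1701 in transport mode, so the
! transform set must be transport mode, not the tunnel-mode default.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
crypto map RA-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
! L2TP tunnel termination onto a virtual-template interface.
vpdn enable
vpdn-group L2TP-RA
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Per-user PPP session: MS-CHAPv2 against the local user list defined above.
ip local pool RA-POOL 10.10.10.10 10.10.10.200
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool RA-POOL
 ppp authentication ms-chap-v2 L2TP-AUTH
!
! Internet-facing interface carries the crypto map.
interface FastEthernet0/1
 description Outside (Internet)
 ip address 203.0.113.2 255.255.255.252
 crypto map RA-MAP
```

Two checks worth making before relying on this: the Windows XP client only sends a pre-shared key once "Use pre-shared key for authentication" is enabled in the connection's IPsec settings (Windows 2000 needs a registry change for the same), otherwise it will insist on certificates and phase 1 fails; and because the key is a wildcard shared by all users, rotating it means touching every client, which is one practical reason the thread leans towards the Cisco VPN client (XAuth plus group key) or a concentrator with per-user profiles.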
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:33 GMT-3