Security Basics mailing list archives
Re: Secure WAN Setup (Possibly off topic?)
From: Bennett Todd <bet () rahul net>
Date: Mon, 17 Mar 2003 13:15:58 -0500
2003-03-06T13:30:42 Chris Berry:
> The budget for this setup is probably less than $5000 though that's still a grey area.
If that budget includes costs for initial setup and first year for the WAN connectivity, I think you've run out of choices --- I don't think you're going to be using any sort of leased lines, not even frac T1, for that kind of price. Maybe, possibly ISDN, if you have someone with the special black magic voodoo dolls required to coerce your local telco to deliver that service.
> I need to decide if both organizations should continue sharing a main database, or if the second organization should purchase their own.
That would depend on details you haven't mentioned --- possible security motivations, and performance questions, which would depend greatly on application architecture and middleware choices.
> Leased line or Internet VPN?
That's easily identified as pure cost -vs- performance tradeoff. It's pretty easy to get a leased line that delivers better performance than the internet, the internet isn't really all that fast; and the internet at large has no service level commitment, whereas it's not hard to find leased line arrangements where the vendor delivers a hard commitment to certain performance levels (although, as always, if it comes to a trip to court, whoever can afford the bigger lawyers, wins, so if the connectivity provider is big enough that you're confident that they'll still be in business in a couple of years, you probably can't afford to enforce any SLA commitment --- and they know it). If your office can tolerate the typical Service Levels (works well enough for small office VPN 99% of the time is not a bad guess) for the Internet, or if you can't afford a leased line, then it's an easy choice.

Whether you use a leased line or internet, a VPN would be a good idea; that puts entire control over the transit security in your hands. For this, I'd recommend going with a platform you're comfortable with. Establishing and maintaining an interoffice VPN link is a little intimidating the first time you try it (although once you get it working it should just work and work and work, you can forget it's even there); why add extra stress from an unfamiliar platform?

I've done this before, four offices, somewhat larger than your setup; did it with FreeS/WAN on Red Hat Linux, worked like a champ. If I were doing the same thing now --- deploying Linux boxes as firewall/internet-server/interoffice-vpn combo appliances, I'd do it with Red Hat 7.3 using CIPE --- CIPE is specialized for this role, whereas IPSec (the protocol implemented by FreeS/WAN) was designed to solve every conceivable problem that anybody in the room could dream of, even when they were hung over. It shows.

-Bennett