Security Basics mailing list archives

RE: VPN overkill?


From: "Ted A" <arcturous () hotmail com>
Date: Wed, 17 Nov 2004 02:32:01 +0000

You're right about the details. How incredibly stupid of me.
The setup is pretty basic. It's going to be used for after-hours backup uploads and daytime file access. Nothing too intensive. Roughly 10 people at the remote site, not more than 2 or 3 accessing resources on the central server at a given time. Yes, there will be servers on both ends.
There will not be any remote application usage.
It's the base of the basics.

From the initial planning it looks like the baseline bandwidth will be a T1.

The basic setup is:
Remote Lan
Server
Border Router
PIX
{internet}
Concentrator
Router
Server
Central Lan
etc.....

Ted





From: "Thomas F. Szabo" <tszabo () diamondtech net>
To: "Ted A" <arcturous () hotmail com>, <security-basics () securityfocus com>
Subject: RE: VPN overkill?
Date: Tue, 16 Nov 2004 21:21:03 -0500

Hi,

You're right this is a great list.  I think a PIX at the remote end will
probably be sufficient.  I say probably because you didn't offer too
many details on the scenario.  A few questions I would ask are:  How
many users at the remote site, what type of apps., what are they
connecting to, will there be servers at both sites, what type of
bandwidth are we talking about, etc.?  Depending on how much traffic
we're talking about you might want to consider offloading the encryption
from the PIX to another concentrator.  But like I said a PIX will
probably be sufficient for a lan to lan back to your main concentrator
at the main office.


Tom Szabo

-----Original Message-----
From: Ted A [mailto:arcturous () hotmail com]
Sent: Tuesday, November 16, 2004 5:17 PM
To: security-basics () securityfocus com
Subject: VPN overkill?

All,
First off, good fun reading this list. Some really great advice and good
thinkers on here. Thanks for the great questions and great answers.

So here's my issue. I have an IT infrastructure manager who has raised a
requirement I find myself questioning.
We have a goal of connecting a remote office to a central office via a
VPN.
This manager insists that the only acceptable way to accomplish this is by
connecting 2 VPN concentrators. I debate this, noting that a PIX should be
more than capable of handling this connection at the remote office and the
only place the concentrator is needed is at the central office.
Am I completely off my rocker, thinking that a second concentrator for a
single connection is a little overboard?

Thoughts?
Thanks,
Ted


