Security Basics mailing list archives

RE: VPN overkill?


From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Wed, 17 Nov 2004 13:50:00 -0500

Ted,

Given the details that you've provided, why not just do IPSEC on the
gateway router at the remote site (depending on the router utilization)
to the VPN Concentrator at your central location?  Use Egress Filtering
on the router to ensure it's not vulnerable and just route everything
destined for your central LAN down the tunnel.  Are you going to allow
split tunneling for web traffic or are you going to force everyone down
the tunnel so you can filter it at the central office?

If your standards enforce a defense in depth approach you can always put
a CVPN3002 or a PIX506e in a DMZ off of the gateway router and have your
router only allow IPSEC traffic into the DMZ. This way you can have your
inside interface connected directly to the LAN.

Cheers,

Gary Freeman
********************************************
This transmission may contain information
that is privileged, confidential and/or
exempt from disclosure under applicable law.
If you are not the intended recipient,
do not read the contents and
delete it immediately.
********************************************
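To make Gary's suggestion concrete, here is an added example of the remote-site gateway router configuration he describes: a LAN-to-LAN IPsec tunnel from the router to the central concentrator, an inbound filter that exposes only IKE/ESP from the peer, an egress (anti-spoofing) filter on the LAN side, and the crypto ACL that decides between split tunneling and forcing everything down the tunnel. This is constructed Cisco IOS configuration written for this thread, not something from Gary, Ted or the list; the interface names, ACL names, crypto map name and all addresses (RFC 5737 documentation ranges) are assumptions and would be replaced with the site's own values.

```cisco
! Constructed example (not from the list post): remote-site gateway router
! terminating a LAN-to-LAN IPsec tunnel to the central VPN concentrator.
! All names and addresses are assumptions:
!   remote LAN      192.168.10.0/24   (behind FastEthernet0/0)
!   remote outside  198.51.100.2      (Serial0/0, T1 uplink)
!   central peer    203.0.113.1       (concentrator outside address)
!   central LAN     10.0.0.0/24
!
! --- Phase 1 (ISAKMP) ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
!
! --- Phase 2 (IPsec) ---
crypto ipsec transform-set CENTRAL-TS esp-3des esp-sha-hmac
!
! Crypto ACL = "interesting traffic" that gets encrypted.
! Split-tunnel variant: only traffic for the central LAN goes down the
! tunnel; web traffic leaves the remote site directly.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Forced-tunnel variant (everything is sent to the central office so it
! can be filtered there): replace the permit line above with
!   permit ip 192.168.10.0 0.0.0.255 any
! The central side then needs the mirror-image crypto ACL and a route
! for 192.168.10.0/24 pointing back into the tunnel.
!
crypto map CENTRAL-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set CENTRAL-TS
 match address VPN-TRAFFIC
!
! --- Inbound filter on the Internet-facing interface ---
! Only the central peer may speak IKE (UDP/500) and ESP to this router;
! everything else is dropped and logged, so no other router service is
! reachable from the Internet.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.1 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.1 host 198.51.100.2
 deny ip any any log
!
! --- Egress (anti-spoofing) filter on the LAN interface ---
! Only packets sourced from the remote LAN may leave the site, so a
! compromised host cannot spoof other addresses through the router.
ip access-list extended INSIDE-IN
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
!
interface Serial0/0
 description Internet uplink (T1)
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map CENTRAL-MAP
!
interface FastEthernet0/0
 description Remote LAN
 ip address 192.168.10.1 255.255.255.0
 ip access-group INSIDE-IN in
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Two caveats when checking a configuration like this: on some IOS releases packets are re-checked against the inbound interface ACL after decryption, in which case OUTSIDE-IN also needs a permit for the cleartext central-to-remote traffic (10.0.0.0/24 to 192.168.10.0/24), and the 3DES/SHA-1/group 2 parameters reflect what was typical in 2004; a current build would use AES, a SHA-2 HMAC and a larger Diffie-Hellman group. Verify the tunnel with `show crypto isakmp sa` and `show crypto ipsec sa`, and confirm with `show access-list` that the deny entries on OUTSIDE-IN and INSIDE-IN are the only ones matching unexpected traffic.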


-----Original Message-----
From: Ted A [mailto:arcturous () hotmail com] 
Sent: Tuesday, November 16, 2004 9:32 PM
To: tszabo () diamondtech net; security-basics () securityfocus com
Subject: RE: VPN overkill?

You're right about the details. How incredibly stupid of me.
The setup is pretty basic. It's going to be used for after hours backup
uploads, and day time file access. Nothing too intensive. Roughly 10
people at the remote site, not more than 2 or 3 accessing resources on the
central server at a given time. Yes there will be servers on both ends.
There will not be any remote application usage.
It's the base of the basics.

From the initial planning it looks like the baseline bandwidth will be a T1.

The basic setup is:
Remote Lan
Server
Border Router
PIX
{internet}
Concentrator
Router
Server
Central Lan
etc.....

Ted





From: "Thomas F. Szabo" <tszabo () diamondtech net>
To: "Ted A" <arcturous () hotmail com>, <security-basics () securityfocus com>
Subject: RE: VPN overkill?
Date: Tue, 16 Nov 2004 21:21:03 -0500

Hi,

You're right, this is a great list.  I think a PIX at the remote end will
probably be sufficient.  I say probably because you didn't offer too
many details on the scenario.  A few questions I would ask are:  How
many users at the remote site, what type of apps, what are they
connecting to, will there be servers at both sites, what type of
bandwidth are we talking about, etc.?  Depending on how much traffic
we're talking about you might want to consider offloading the encryption
from the PIX to another concentrator.  But like I said a PIX will
probably be sufficient for a lan to lan back to your main concentrator
at the main office.


Tom Szabo

-----Original Message-----
From: Ted A [mailto:arcturous () hotmail com]
Sent: Tuesday, November 16, 2004 5:17 PM
To: security-basics () securityfocus com
Subject: VPN overkill?

All,
First off, good fun reading this list. Some really great advice and good
thinkers on here. Thanks for the great questions and great answers.

So here's my issue. I have an IT infrastructure manager who has raised a
requirement I find myself questioning.
We have a goal of connecting a remote office to a central office via a VPN.
This manager insists that the only acceptable way to accomplish this is by
connecting 2 VPN concentrators. I debate this, noting that a PIX should be
more than capable of handling this connection at the remote office and the
only place the concentrator is needed is at the central office.
Am I completely off my rocker, thinking that a second concentrator for a
single connection is a little overboard?

Thoughts?
Thanks,
Ted


