dynamic IPSEC solutions - Information Security

Subject: dynamic IPSEC solutions
Time: 11:09 am
Current Mood: curious
The CIO at my company recently approached me asking for ways to encrypt ALL data going out over our WAN/between our branch locations. We have recently migrated from a frame relay network to a Metro Ethernet/MPLS combo allowing our remote branches to communicate directly with each other, bypassing the corporate hub. I am looking for something that would allow me to dynamically create IPSEC tunnels between all of my locations on the WAN.

Cisco's DMVPN solution seems to fit what we want, but I'm wondering if anyone else offers a similar solution.


x-posted


discogravy
Time: 2007-04-11 08:10 pm (UTC)
Why dynamic? Are your addresses going to change?

Juniper/NetScreen's FW/VPN products allow dynamic IPsec VPNs -- you do have to have NetScreens on both sides though; essentially instead of using an IP address/preshared key combo (etc.) to identify the remote peer, they have a setting for hostname which takes the place of the IP address (and doesn't actually have to be a valid hostname in DNS); it's basically meant for DSL and cable customers that wind up getting public addresses via DHCP now and again... depending on the # of users/tunnels you need they can be pricey, but they're competitive w/ Cisco.

Alternately you might want to try setting up an SSL VPN (http://openvpn.net/).


cracnup
Time: 2007-04-11 08:24 pm (UTC)
I'm working with 22 manned locations and 12 unmanned locations. Setting up all of the tunnels between those sites could get hairy. Adding additional sites would suck, as well.
By dynamic, I'm talking more from a setting up of tunnels type thing. Without DMVPN, I can create tunnels from Branch A to Branches B through X and tunnels from Branch B to Branches A through X, etc. There is just a ton of admin overhead for that. I'm looking for something that will allow me to add a host to a central database or central management console and allow it to dynamically create IPSEC tunnels to any other site listed in the console.

From the looks of it, we aren't going to be able to do this for under $60k.


discogravy
Time: 2007-04-11 08:31 pm (UTC)
I'd call up Juniper and Cisco; possibly the Cisco ASA could do it, and the Junipers could do it (but you'd have to shell out an extra $1-3K for the NSM (NetScreen Manager -- sits on a separate server) to manage all the boxes in one go). It's really very dependent on your network layout.


cracnup
Time: 2007-04-11 10:00 pm (UTC)
We have a Cisco 6500 sitting at our corp location. Cisco offers an IPSEC/VPN blade that will allow it to act as a central point in a DMVPN solution.

That's most likely the direction I am going to take. I just wanted to see what else is out there.


discogravy
Time: 2007-04-12 03:36 am (UTC)
Any kind of security/encryption on Cisco equipment tends to slow them down -- it's usually not a worry unless you're doing a bunch of other stuff on the same box, but if you have a star topology ("router on a stick" model) and your 65xx is doing a lot of heavy lifting already, it could choke it good and hard.


cracnup
Time: 2007-04-12 08:24 pm (UTC)
We're doing some routing and VLAN management from the 6500, but I've never seen the CPU go higher than 3%. The IPSEC/encryption blade should offload all of the system overhead for that if we need it. From what I've heard/read, most of the Cisco gear will be able to handle a couple hundred tunnels before it starts to see much of a slowdown.

I'm definitely going to try this out in a lab first. I appreciate the info!


jope
Time: 2007-04-11 09:39 pm (UTC)
Also check out WatchGuard's line. You can likely get by with the substantially less expensive Edge units (avoid the SOHO, it's a stale platform) for the unmanned locations and possibly some/most of the manned locations.


cracnup
Time: 2007-04-11 10:01 pm (UTC)
I'll look into it. Thank you!


zastrazzi
Time: 2007-04-11 10:11 pm (UTC)
We just went with Cisco's DMVPN solution ourselves to resolve exactly that overhead issue in connecting a *lot* of remote sites. So far it's handling it beautifully with a variety of link types - satellite, point-to-point wireless, DSL and fibre.

Basically a hub and spoke design, where the spokes can dynamically build tunnels between each other when needed. I'm not the implementer of this particular project, but the guy who is is pretty happy with it.


cracnup
Time: 2007-04-11 10:22 pm (UTC)
We just put close to a million dollars into a new WAN/VoIP rollout with Cisco gear. We're also looking into adding an additional 6500 chassis at our core site. The DMVPN solution ties into the 6500 very well, and that is my preference. I just wanted to make sure I knew of any other possible solutions before I presented to management.

I'm glad to hear that someone's using it successfully and is happy with it.


g_martin_blank
Time: 2007-04-13 02:44 am (UTC)
DiscoGravy's got the right idea: Juniper NS5GTs and NetScreen Manager. NSM will run on a RHEL server, and gives centralized management & logging. Very much the tool to have in a dynamic & growing business. The 5GTs are about $1k each, and the NSM software is about $2-3K plus a server.

Good luck,
Gary
