dynamic IPSEC solutions - Information Security
Subject: dynamic IPSEC solutions
Time: 11:09 am
Current Mood: curious
The CIO at my company recently approached me asking for ways to encrypt ALL data going out over our WAN/between our branch locations. We have recently migrated from a frame relay network to a Metro Ethernet/MPLS combo allowing our remote branches to communicate directly with each other, bypassing the corporate hub. I am looking for something that would allow me to dynamically create IPSEC tunnels between all of my locations on the WAN.

Cisco's DMVPN solution seems to fit what we want, but I'm wondering if anyone else offers a similar solution.


x-posted


cracnup, 2007-04-11 08:24 pm (UTC):
I'm working with 22 manned locations, and 12 unmanned locations. Setting up all of the tunnels between those sites could get hairy. Adding additional sites would suck, as well.
By dynamic, I'm talking more from a setting up of tunnels type thing. Without DMVPN, I can create tunnels from Branch A to Branches B through X and tunnels from Branch B to Branches A through X, etc. There is just a ton of admin overhead for that. I'm looking for something that will allow me to add a host to a central database or central management console and allow it to dynamically create IPSEC tunnels to any other site listed in the console.

From the looks of it, we aren't going to be able to do this for under $60k.


discogravy, 2007-04-11 08:31 pm (UTC):
I'd call up Juniper and Cisco; possibly the Cisco ASA could do it, and the Junipers could do it (but you'd have to shell out an extra 1-3K$ for the NSM (netscreen manager -- sits on a separate server) to manage all the boxes in one go). It's really very dependent on your network layout.


cracnup, 2007-04-11 10:00 pm (UTC):
We have a Cisco 6500 sitting at our corp location. Cisco offers an IPSEC/VPN blade that will allow it to act as a central point in a DMVPN solution.

That's most likely the direction I am going to take. I just wanted to see what else is out there.


discogravy, 2007-04-12 03:36 am (UTC):
Any kind of security/encryption on cisco equip tends to slow them down -- it's usually not a worry unless you're doing a bunch of other stuff on the same box, but if you have a star topo ("router on a stick" model) and yr 65xx is doing a lot of heavy lifting already, it could choke it good and hard.


cracnup, 2007-04-12 08:24 pm (UTC):
We're doing some routing and VLAN management from the 6500, but I've never seen the CPU go higher than 3%. The IPSEC/encryption blade should offload all of the system overhead for that if we need it. From what I've heard/read, most of the Cisco gear will be able to handle a couple hundred tunnels before it starts to see much of a slowdown.

I'm definitely going to try this out in a lab first. I appreciate the info!