cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1056
Views
0
Helpful
7
Replies

VPN + Frame Relay WAN

edwong
Level 1
Level 1

My company is now using a frame relay network as the corporate WAN. As the company expands, the WAN needs to cover more and more locations where frame relay is too expensive. So we start to use a PIX-to-PIX VPN solution to connect new site together. What make me worried about is that because the new site is having their own local ISP and we cannot control the internet access of those new sites, there is a possibility that hacker can go to our frame relay network through the VPN connection.

What is the most effective way to secure a mixed WAN.

Thanks.

edwin

7 Replies 7

MickPhelps
Level 1
Level 1

This is more of a security question than a frame relay, so someone correct me if I go astray.

You're doing the right thing already. If you've implemented the PIXs (PIXen?;) properly and created VPNs to connect your remote offices via the Internet, your WAN should be fairly secure.

The purpose of a VPN is to allow traffic to traverse unhindered and encrypted from the inside interface of one PIX to the inside interface of the other PIX. There are also mechanisms in the VPN software that prevent Internet users from forging your VPN packets.

Since the VPN traffic is encrypted and non-forgable, and the VPN goes from the inside interface of one PIX to the inside of the other PIX, *and* if your PIXs have been configured properly to provide security, your overall WAN solution sounds decent.

My advice to you if you have concerns over security is to contact a security consultant to review your configuration. There may be things that I can't see like misconfigured access-lists, conduits, NAT, etc...

Mick.

Thanks Mick,

But should I use my existing PIX to connect our remote site together, or i should buy another VPN device sitting beside the PIX? I wonder if pix 515 will have any problem. If it sits beside the Pix, i may get some routing problem too...

please advice.

You haven't mentioned the WAN speeds you're running at so I'll assume T-1 or less.

These speeds shouldn't have any noticable overhead on the PIX-515 using DES/3DES VPNs. However, you didn't mention how many VPN tunnels you need to support either.

I would run the VPN over the 515, and depending on the level of security necessary, use 3DES unless it becomes a performance issue then either scale back to DES or implement a higher end solution.

Mick.

I have to connect 4 sites with our regional hub. Each site will have less than 100 users. Do you think it is feasible if i put a VPN 3005/3030 in parallel with the PIX in the central site, and put a 505 PIX in each site. So far i see i can use several methods to connect sites together in a hub-and-spoke topology, but not sure which is the most cost effective and stable one.

Thanks.

By the way, the link connecting the PIX to the internet is T1 now.

Thanks.

If you only have a T1 comming in right now, I would just tunnel directly from the PIX at the central site to the PIXen at the remote sites.

Mick.

yes, this may be the most cost effective way. But as far as i know, PIX is not a router, it cannot route traffic between remote sites if i connect them using PIX in the central site. That's why i need to consider other devices.

Review Cisco Networking for a $25 gift card