Solved: Establishing a site-to-site VPN with routers...insecure?

jtillman11 · ‎07-03-2018

Is it insecure to establish a site-to-site VPN between two routers directly connected to the internet? I was told a security appliance, rather than just a router, should be used to establish the VPN on both ends. The reasoning was that although the encrypted traffic is protected, the router itself (being connected to the internet) is susceptible to attacks (like DoS) that a router is not made to handle like a security appliance is.

Joseph W. Doherty · ‎07-05-2018

"Would the fact that the router in question is a 1941 with ipbasek9 license only (15.1.4) be concern?"

Somewhat, in regards to what you can filter coming in.

However, as to protecting the router, itself, you could block all traffic but your expected VPN traffic. (Your ISP engineer sort of touches on this.)

Basically, a router that's been configured to be "hardened" (Cisco and some other security sites note how), should be secure. That said, some kinds of attacks, like some DoS attacks, can fill the link to your device, and whether it's a router or a special security device, isn't going to make much of a difference.

View solution in original post

Georg Pauwen · ‎07-03-2018

Hello,

you will find literally millions of VPNs established between routers directly connected to the Internet. A (Cisco) router with encryption software is in fact a fully functional security appliance.

jtillman11 · ‎07-03-2018

This is what I was thinking...So a Cisco router can withstand and deal with attacks to the device, such as DoS, just as well as a security appliance such as an ASA or Palo Alto?

This was the message I received from the engineer

"Just keep in mind that your router will be touching raw internet, so it will be susceptible to all attacks and vulnerabilities. We can write an ACL to only allow the IKE establishment between the tunnels (which I highly recommend if this will be the design), but the router itself will still be vulnerable."

Georg Pauwen · ‎07-03-2018

Hello,

ASA or Palo Alto are dedicated security appliances that certainly offer more control, but IOS routers are deemed safe enough, provided you have configured it correctly. There are tons of documents out there such as the one below describing the multiple ways to secure an Internet router

Cisco Guide to Harden Cisco IOS Devices

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

Dennis Mink · ‎07-03-2018

the only thing I would like to add to what George said, is that a router will not be able to do the more advanced security inspection like IOS and Advance Malware protection, that for instance Firepower NGIPS can.

Please remember to rate useful posts, by clicking on the stars below.

Eric101 · ‎07-04-2018

Advanced security services can also run on the ISR with the right cards.
https://www.cisco.com/c/en/us/products/collateral/security/router-security/datasheet-c78-735410.html

But not an insecure solution at all, with significantly more flexibility in deployment, performance, and routing of traffic over ISR VPNs as compared to the ASA, FTD.

jtillman11 · ‎07-05-2018

Would the fact that the router in question is a 1941 with ipbasek9 license only (15.1.4) be concern?

Joseph W. Doherty · ‎07-05-2018

"Would the fact that the router in question is a 1941 with ipbasek9 license only (15.1.4) be concern?"

Somewhat, in regards to what you can filter coming in.

However, as to protecting the router, itself, you could block all traffic but your expected VPN traffic. (Your ISP engineer sort of touches on this.)

Basically, a router that's been configured to be "hardened" (Cisco and some other security sites note how), should be secure. That said, some kinds of attacks, like some DoS attacks, can fill the link to your device, and whether it's a router or a special security device, isn't going to make much of a difference.