Possible VPN solution

r.redd
Level 1

I am currently in the process of creating at least 2 to 3 LANs, all at separate locations. Each LAN has approx. 20 users. The users will be a mix of both wired and wireless clients. I was thinking about using IPSec VPN for the wireless authentication on each LAN. Each site will have broadband internet access, which I was thinking would use VPN to connect site to site.

My main question is: is this best practice? If so, what Cisco equipment should I be looking at as far as VPN and authentication? If not, can you point me in a better direction? Last thing: what other security measures should I be looking at as possible risks?

By the way, money is not an issue, I want the best solution.

Thanks,

3 Replies

ehirsel
Level 6

Yes, using VPNs to protect the inter-site traffic over a public network is best practice.

I would recommend a PIX firewall at each location, as it provides for stateful firewall filtering as well as acting as a VPN termination device.

You could use a VPN concentrator instead of, or in addition to, the PIX to handle the VPN traffic, but I still recommend a firewall that would protect the LAN as well as the concentrator if you choose to go that route.

If you use just the PIX, make sure you get an AES/3DES capable encryption offloading card, and purchase the failover bundle to allow for redundancy in case of a single PIX failure.

As far as authentication and other security measures go:

I would use Cisco Secure ACS and RSA SecurID to provide for two-factor user authen. The ACS can use an external database to handle usernames/passwords, such as LDAP, MS Domain (and Active Directory too), and Novell NDS.

I would use Cisco Cat 2950 or higher model switches to handle MAC-based authen, which ought to handle the wireless clients as a means of extra protection - the wired clients can use it too, if you are running MS Win XP. Other OSes may be able to use it too - this feature would make sure that only the corp. network devices attach to the LAN and would help prevent internal attacks that the firewall may not see. This may not be applicable yet for you, but I mention it as something to think about for the future.

I have not had any experience with wireless, so I cannot add any more to that.

I hope this helps.

This link points to Cisco's SAFE blueprint, which can provide more info:

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html

Great info. What model number of PIX will be sufficient?

I would go with the PIX 515E model, as the number of users at each location is not that large. The E model can provide for gigabit enet interfaces in case you have the need. If not, at least you will more than have processing room to ensure that the PIX will not be the bottleneck in throughput.

In addition to the hardware encryption card, you may want to consider purchasing the 4-port fast enet card license upgrade on the PIX units at one location. This way you can have a total of 6 phy links - you can use the spares in case of a port issue on the PIX or for LAN/DMZ growth. That depends upon how your network topology is set up and if you can foresee a time when one site will host common services, or you want traffic between sites B and C to flow thru site A - this is referred to as a hub-and-spoke topology.
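To make the hub-and-spoke advice above concrete, here is an added example (not from the thread or from Cisco) of the site-to-site IPsec portion of a PIX 6.3 config for the hub at site A, with AES from the hardware card and the no-NAT rule that site-to-site setups most often get wrong. Inside networks, peer addresses and the pre-shared key strings are constructed placeholders; each spoke needs the mirror-image config pointing at the hub.

```cisco
: Hub PIX 515E at site A (added example; addresses are constructed placeholders)
: Inside networks: site A 10.1.0.0/16, site B 10.2.0.0/16, site C 10.3.0.0/16
: Outside peers (documentation ranges): site B 192.0.2.2, site C 198.51.100.2

: Inter-site traffic must bypass NAT, or the crypto ACLs below never match
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat

: Crypto ACLs define which traffic is encrypted toward each spoke
access-list to-siteB permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list to-siteC permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

: Let decrypted tunnel traffic through without per-flow outside ACL entries
sysopt connection permit-ipsec

: Phase 2: AES-256 with SHA-1 integrity, offloaded to the encryption card
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac

: One crypto map on the outside interface, one entry per spoke
crypto map SITES 10 ipsec-isakmp
crypto map SITES 10 match address to-siteB
crypto map SITES 10 set peer 192.0.2.2
crypto map SITES 10 set transform-set STRONG
crypto map SITES 20 ipsec-isakmp
crypto map SITES 20 match address to-siteC
crypto map SITES 20 set peer 198.51.100.2
crypto map SITES 20 set transform-set STRONG
crypto map SITES interface outside

: Phase 1: a distinct pre-shared key per peer (placeholders), AES-256, SHA, DH group 2
isakmp enable outside
isakmp key PSK-FOR-SITE-B address 192.0.2.2 netmask 255.255.255.255
isakmp key PSK-FOR-SITE-C address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

This fragment covers hub-to-spoke traffic only; routing site B to site C through the hub additionally requires the hub firewall to permit traffic back out the interface it arrived on, and the spokes' crypto and no-NAT ACLs to include the other spoke's network.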