Suggestions over VPN hardware and type for remote administration and monitoring to a few devices

Chris Swinney
Level 1

Hi All,

We are looking at some hardware devices to be used in small AV/Videoconferencing rack installations.

The rack will be on customer premises and it has often been the case in the past that the customer would allow us remote access to each device through their firewall using individual 1:2:1 NATed IP addresses. However, some of the equipment we are now using (Extron) unfortunately does not implement encrypted IP communication (such as SSH or HTTPS), and as such we cannot pass such unencrypted traffic across the institution's network border. In addition, assigning multiple IP addresses can be costly for an institution's IP address range (whilst we could port forward the remote admin protocols of many devices to a single IP address, unfortunately some of our management servers don't allow this (aka Cisco TMS - a bugbear for another thread!)). It is also true that institutions may have multiple racks across multiple campuses; however, at this moment in time we are looking for a solution for an individual rack rather than being able to manage an entire campus through a single VPN device (although we will certainly look at this possibility in the future).

Each rack may only contain a handful of devices (say around 5), and each of the devices will need to be contactable using some remote administration protocol such as Telnet, SSH, HTTP, HTTPS or VNC. So far, I have been looking mainly at the Cisco ASA 5505, but have also been toying with the 881 router with Advanced IP licence, or even the ISA550 (which, although meant for small business, might suit our needs).

The traffic the device needs to deal with should not be that great - a single HD videoconference stream is around 2Mbps. The rest of the external traffic would only be remote administration and monitoring. The IP traffic of the actual rack equipment (apart from the VC endpoint) is pretty much internal to the rack.

It is possible that the VPN does not need to be kept open, and can be brought up as and when required for remote administration. Of course, IF we want to be able to monitor the devices, then a more permanent VPN needs to be established. I feel that in the first instance an SSL VPN would work, although in the second instance we would be looking at an IPsec tunnel (I have read briefly about Group Encrypted Transport VPN, but have no idea really what this is or if it would be of use here).

The VPN hardware device needs to be able to operate in a transparent mode where the devices obtain IP addresses from the institution's network and can also be seen and monitored by a local network server if required.

Am I on the right line with the devices selected? Has anyone got any further comments regarding the suitability of the VPN types?

Cheers

Chris


Jouni Forss
VIP Alumni

Hi,

I've got to admit that my opinion/suggestion is pretty biased because of the fact that I have only done VPN implementations with certain devices and certain VPN types.

The most common types of VPNs I've configured for this purpose have been

  • EasyVPN/Hardware VPN Client 
    • Router VPN setups have usually included running BGP routing between the branch site and the central site
    • Firewall VPN setups have usually just been normal Hardware VPN Client setups that are directly connected to the central firewalls. No routing protocols between the sites.
  • L2L VPN 
    • Used in the cases where Static Public IP is available for the branch site

The devices which I have commonly used to create VPN connections between sites have been

  • PIX501
    • At the very beginning of my career when PIX firewalls were still pretty common for us and our customers
  • ASA5505 
    • One of the most common device used to connect small branch offices to the central site
  • Cisco 1841 + HWIC3G 
    • In the start I used this setup to sometimes implement a remote connection to a temporary site or to a site with no other means of connection
  • Cisco 881G 
    • This is the latest device model that I have used for the same setups as the Cisco 1841 + HWIC3G

And on the actual VPN setups that I have done

  • PIX501 
    • Hardware VPN Client
    • L2L VPN
  • ASA5505 
    • Hardware VPN Client
    • L2L VPN
  • Cisco 1841 + HWIC3G 
    • 3G + EasyVPN + GRE + BGP
  • Cisco 881G 
    • 3G + EasyVPN + GRE + BGP

I have to say that I have been most comfortable with the ASA5505 setup (both Hardware VPN Client and L2L VPN). This is because I'm more familiar with the PIX/ASA/FWSM side than the Cisco Routers, with which I rarely have to configure anything that special. I also find that the ASA5505 gives me a lot of tools for troubleshooting purposes, while of course it lacks some that the routers have.

If I'm not totally mistaken the ASA5505 might be cheaper than the C881 routers also.

Pros and Cons of the 2 types of VPN I have used

  • In my opinion
  • I'm also sure I will forget to list something essential

  • L2L VPN 
    • Pros 
      • After setup you don't really have to touch them at all
      • Doesn't require the user to do anything to enable the remote VPN connection
    • Cons 
      • Initial setup has proven to be pretty hard sometimes unless you can handle both sites' device configuration yourself. (Can't tell how many times there are parameter mismatches and the PSK written wrong for some odd reason)
      • Can cause a bit of extra work if there are changes on the remote sites (not to mention if something changes on your site)

  • Hardware VPN  Client / Easy VPN 
    • Pros 
      • Pretty easy initial setup
      • Hardware VPN Client / Easy VPN clients don't require a static public IP address
      • Hardware VPN Clients (ASA) / Easy VPN (Routers) stay connected to the central site
      • They don't require configuration changes if the IP addressing changes on the remote site
    • Cons 
      • Since they connect from anywhere as long as they get an IP address for their outside interface it might have some negative consequences regarding security of your central site.
      • Harder to troubleshoot and manage than a device with its own static public IP address 

Hopefully some of the above information has been helpful. Please rate if so.

And naturally ask more and I'll see if I can answer your questions.

- Jouni
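As an added illustration of the L2L "parameter mismatch" point above (this is example configuration written for this thread, not Jouni's or Cisco's own), here is the central-site half of an IKEv1 L2L tunnel in ASA 8.4+ syntax, with the lines that must agree exactly with the rack-side ASA 5505 marked. All addresses, object names and the shared secret are hypothetical placeholders; the rack side uses the same policy and transform set, the mirrored ACL, and the central ASA's outside address as peer.

```cisco
! Hypothetical topology: central ASA outside 203.0.113.1, inside 10.0.0.0/24
!                        rack ASA 5505 outside 198.51.100.1, inside 192.168.10.0/24
!
! --- Phase 1 (IKEv1 policy): every value must match the peer's policy exactly
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! --- Phase 2 (IPsec transform set): must match the peer's transform set
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- Interesting traffic: the rack side's ACL must be the mirror image (src/dst swapped)
object network HQ-NET
 subnet 10.0.0.0 255.255.255.0
object network RACK-NET
 subnet 192.168.10.0 255.255.255.0
access-list VPN-TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! --- NAT exemption: without this, Telnet/HTTP to the rack is NATed and never matches the crypto ACL
nat (inside,outside) source static HQ-NET HQ-NET destination static RACK-NET RACK-NET no-proxy-arp route-lookup
!
! --- Peer and pre-shared key: the PSK must be byte-for-byte identical on both sides
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-SHARED-SECRET
!
! --- Crypto map ties ACL, peer and transform set together on the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! --- Verification after traffic is sent: a Phase 1 SA but no IPsec SA points at a
!     Phase 2 / ACL mismatch; no Phase 1 SA at all points at policy or PSK mismatch
! show crypto ikev1 sa
! show crypto ipsec sa peer 198.51.100.1
```

Because the unencrypted Extron management protocols only ever travel inside the tunnel, the crypto ACL is also the place to restrict which management hosts at the central site may reach the rack subnet at all.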