VPN query

Unanswered Question
Feb 7th, 2010
Hi,

We have about 40 branches and are looking for VPN connectivity over the Internet to the HO and DR site to access the servers. Being a financial institute, security is a concern.


So the deliverable solutions can be as below:
1) Configuring IPsec between a Cisco router and the Cisco VPN client for Windows
2) Configuring IPsec between a PIX and the Cisco VPN client for Windows
3) Configuring IPsec between a Cisco VPN concentrator and the Cisco VPN client for Windows

Which would be the best solution as per the security concern? Please comment.


Regards,

Nilesh

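For option 1 in the question (an IOS router acting as the IPsec server for the Cisco VPN client), the following is an added illustrative configuration, not taken from the original post or from any Cisco document. It assumes an IOS release with the Easy VPN server feature (the "crypto isakmp client configuration group" command), and the interface name, address pool, server subnet, user name and the bracketed keys are placeholders to be replaced. Whichever platform is chosen, these are the settings that decide how secure the design is: an IKE policy without DES, MD5 or DH group 1, an AES/SHA transform set, per-user XAUTH authentication on top of the group key, and a split-tunnel ACL that only exposes the server subnet rather than the whole HO network.

```text
! --- AAA: per-user (XAUTH) login plus group authorization, both local here ---
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username branch01 secret <per-user-password-placeholder>
!
! --- IKE phase 1: AES-256 / SHA-1 / DH group 5; do not leave a DES/MD5/group 1 policy in place ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! --- Easy VPN group the Windows clients connect to (group name and key are placeholders) ---
crypto isakmp client configuration group BRANCHES
 key <group-preshared-key-placeholder>
 dns 10.1.1.10
 domain example.com
 pool VPN-POOL
 acl 101
!
! --- IKE phase 2: ESP with AES-256 and SHA-1 HMAC ---
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
! --- Dynamic crypto map for clients whose source address is not known in advance ---
crypto dynamic-map DYN-BRANCH 10
 set transform-set AES256-SHA
 reverse-route
!
! --- Tie XAUTH, group authorization and address assignment to the crypto map ---
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-BRANCH
!
! --- Client address pool and split-tunnel ACL: only the server subnet 10.1.0.0/16 goes through the tunnel ---
ip local pool VPN-POOL 10.99.0.1 10.99.0.254
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.99.0.0 0.0.0.255
!
! --- Apply on the Internet-facing interface (name is an assumption) ---
interface GigabitEthernet0/0
 crypto map VPN-MAP
```

The same three questions (which IKE/IPsec algorithms are offered, whether every user authenticates individually, and which internal networks the client can reach) apply to the PIX and the concentrator as well, so they are a useful basis for comparing the three options against the security requirement.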
Jon Marshall Sun, 02/07/2010 - 11:36

nilesh_sawant wrote:


Hi,

We have about 40 branches and are looking for VPN connectivity over the Internet to the HO and DR site to access the servers. Being a financial institute, security is a concern.


So the deliverable solutions can be as below:
1) Configuring IPsec between a Cisco router and the Cisco VPN client for Windows
2) Configuring IPsec between a PIX and the Cisco VPN client for Windows
3) Configuring IPsec between a Cisco VPN concentrator and the Cisco VPN client for Windows

Which would be the best solution as per the security concern? Please comment.


Regards,

Nilesh


Nilesh


Firstly I would rule out the VPN concentrator simply because it is EOL, and anything that is EOL is not as actively supported. So if there are any major issues in the code, Cisco may well tell you to migrate to an ASA firewall.


So it comes down to a firewall vs a router.


With a router you can do a lot more than with a firewall as it has all the IOS functionality. So you need to draw up your full list of requirements, e.g. a router has a fuller QoS feature set, a router can do PBR whereas an ASA cannot, and a router can support equal-cost load-balancing across multiple interfaces whereas ASAs have problems with all this. A quick search on this site will show you, for example, how many people would like PBR to be on an ASA.


But because a router can do a lot more, there are also potentially a lot more bugs that could affect the device. The ASA is a dedicated firewall/IPS device and so is less of a jack-of-all-trades.


Availability and throughput are also considerations as well as resiliency. You need to compare relevant data sheets of the routers/ASAs you are interested in.


Finally there is also the issue of management. If you have no in-house expertise with ASAs then that is a plus point for a router.


So it's a compromise and that's why you need a full set of requirements.


Jon
