
Site-to-Site VPN Advice

cambian
Level 1

I need to design a solution that will allow several hundred sites on the Internet to communicate securely with a central server. The central server will initiate transactions with the remote sites, so 2-way communication is key. There will be only 1 remote server at each location. Traffic will be small bits of information (not movies or anything) dozens of times per day. Any suggested equipment for the remote sites? 806 Gateway Router? VPN 3002 Hardware Client won't work, will it? Thanks!

4 Replies

cjacinto
Cisco Employee

You could try to do a TED:

http://www.cisco.com/warp/public/707/tedpreshare.html

Or configure IPSec to several remote routers (806 or better) using certificates (for better key management though).

I would not recommend more than 100 peers on one router. See related docs on:

http://www.cisco.com/warp/customer/779/largeent/design/intranet_vpn.html

dpmichaud
Level 1

I would go with 50? or 170? to build in a little stateful firewall protection.

Having done some large-scale VPNs, here are some things to keep in mind.

Tunnel Endpoint Discovery is a useful feature, but it has its limitations from a security perspective. By changing the crypto ACL on any participating device (say one of your spoke routers), the router will misrepresent the hosts that it protects, causing the hub router to forward traffic for potentially ALL remote devices to the one spoke device through its established SA. What that means is that if you plan to use Tunnel Endpoint Discovery, make very sure that the spoke devices are physically secure and under common administrative control.

Next, with TED most people plan to use certificates for scalability. But if all of the certificates are issued bog/stock standard, every spoke in your network has cryptographic credentials that are valid to every other spoke, not just the hub; combine that with TED and you've got some easy ins to attack someone's network.

Also remember with TED in tunnel mode, you'll need valid, routable addresses for the servers at each site.

Finally, from a security perspective, one of the advantages of using RSA nonces or certificates on larger routers is that the RSA keys don't survive a password recovery, so if someone does try to compromise a remote device they get no crypto keys. This generally applies for 2600 routers and larger, but not for the smaller devices.

None of this is to say that you can't implement your solution using TED, 805s and a single pre-shared key. It's a case of balancing security against manageability and cost.
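The two risks raised in the replies above (a spoke's crypto ACL being trusted as the list of hosts behind it, and every spoke holding a certificate the hub cannot tell apart from any other) can be made concrete with a small hub-side check. The script below is an added illustration for this thread, not Cisco IOS code or anything posted by the participants: it keeps a registry of which subnet each spoke is authorised to protect, keyed by the spoke's certificate subject, parses a Cisco-style crypto ACL as the spoke's claimed proxy identities, and reports anything outside the registered subnet, plus which other spokes would have their traffic pulled to the claimant if the hub simply believed the ACL. The spoke names, DNs and subnets are constructed for the example. On IOS the equivalent controls are static per-peer crypto maps with their own crypto ACLs instead of TED, and ISAKMP-profile certificate matching instead of accepting any certificate from the CA.

```python
"""Hub-side check of what a spoke may claim to protect (added example)."""
import ipaddress

# Constructed hub registry: certificate subject of each spoke -> the single
# subnet that spoke is authorised to present as its local proxy identity.
REGISTRY = {
    "CN=spoke-101,OU=spokes,O=example-corp": ipaddress.ip_network("10.101.0.0/24"),
    "CN=spoke-102,OU=spokes,O=example-corp": ipaddress.ip_network("10.102.0.0/24"),
}
HUB_NET = ipaddress.ip_network("10.0.0.0/24")  # the only remote selector a spoke may name


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ip_network.

    A wildcard is an inverted mask, so XOR it with all-ones; a non-contiguous
    wildcard raises ValueError from ipaddress, which is what we want here.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens, i):
    """Consume one ACL address term at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return wildcard_to_network(tokens[i + 1], "0.0.0.0"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(acl_text):
    """Parse 'permit ip <src> <dst>' lines into (local, remote) network pairs.

    Only permit-ip entries create proxy identities; deny lines and other
    protocols are ignored, as are blank lines.
    """
    pairs = []
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        local, i = _take_addr(tokens, 2)
        remote, _ = _take_addr(tokens, i)
        pairs.append((local, remote))
    return pairs


def hijacked_by(peer_dn, claimed):
    """Other registered spokes whose subnet overlaps what this peer claims.

    With TED the hub would route traffic for all of these through the
    claimant's SA, which is the failure mode described in the thread.
    """
    return sorted(dn for dn, net in REGISTRY.items()
                  if dn != peer_dn and net.overlaps(claimed))


def check_spoke_claim(peer_dn, acl_text):
    """Return a list of findings for a spoke's claimed proxy IDs; [] means accept."""
    authorised = REGISTRY.get(peer_dn)
    if authorised is None:
        # A certificate from the right CA is not enough: the subject must be
        # one the hub has registered, otherwise any spoke's cert opens a tunnel.
        return [f"peer {peer_dn!r} is not a registered spoke"]
    findings = []
    for local, remote in parse_crypto_acl(acl_text):
        if not local.subnet_of(authorised):
            victims = hijacked_by(peer_dn, local)
            findings.append(f"{local} is outside {authorised} registered for "
                            f"{peer_dn}; would capture traffic for {victims}")
        if not remote.subnet_of(HUB_NET):
            findings.append(f"{remote} is not the hub network {HUB_NET}")
    return findings


# Constructed sample crypto ACLs: a legitimate spoke and a spoke whose ACL
# has been widened to cover the whole 10.0.0.0/8 private range.
SPOKE_101_ACL = "permit ip 10.101.0.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
ROGUE_ACL = "permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.0.0.255\n"

if __name__ == "__main__":
    for dn, acl in [("CN=spoke-101,OU=spokes,O=example-corp", SPOKE_101_ACL),
                    ("CN=spoke-101,OU=spokes,O=example-corp", ROGUE_ACL),
                    ("CN=laptop-7,OU=spokes,O=example-corp", SPOKE_101_ACL)]:
        print(dn, "->", check_spoke_claim(dn, acl) or "accepted")
```

The point of keeping the registry keyed by certificate subject is that a certificate alone only proves "issued by our CA"; the hub still has to bind that subject to one set of proxy identities, which is exactly what a static crypto map does and TED does not.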

