Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN and PGP

My client is planning to connect two private networks over the Internet using VPN (hardware-based devices). They also want to use PGP software to provide additional data encryption during data transfer between the two systems. I don't believe it's necessary, from either a cost or performance perspective, but they're insistent implementing PGP as well as the VPN. What can I tell them to make them see that this an unnecessary use of their resources?

3 REPLIES
Bronze

Re: VPN and PGP

PGP is going to give them some level of encryption (although PGP is not that good) from their PC to the router. Then their PGP packet will get hardware encrypted, which, if setup properly and is using 3DES is as secure as it gets. On the other side, the router that decrypts the packet with put the PGP packet back on that network to be decrypted by the end client. So it must be those two local LAN’s that they are concerned about. Of course, they could implement the Cisco VPN client from their desktop to the end router but then just the packet would be clear text on the remote LAN. Can anyone think of any other scenario where PGP might be still useful over a site-to-site VPN solution?

New Member

Re: VPN and PGP

While VPN tunneling is EXTREMELY insecure, VPN Encryption is very secure, especially if it uses blowfish. I believe you are correct when saying the only time PGP encryption would be needed is if they are worried about interception on the destined private LAN. Never can one be too secure.

felrodian@fatelabs.com

New Member

Re: VPN and PGP

Hi -

PGP at the "application" layer and network layer encryption (such as IPSec) are both

very good technologies. At Cisco, we actually use both depending on what the

situation calls for.

PGP is good for:

- E-mail encryption

- File encryption

- Highly sensitive applications where the traffic going in cleartext across your otherwise

trusted internal network is not acceptable (e.g. Mergers and Acquisitions info that

only a select few should be able to see)

- Persistent encryption (IPSec only protects data as it transits the network. The data is stored

in the clear on either end of the encrypted tunnel. PGP encrypted files can reside on your

hard drive. This is useful if your CEO's laptop gets stolen, for example)

PGP downsides:

- Not transparent to the user (compare it to router-router IPsec for example)

- Traffic analysis issues

Questions I'd ask your client:

1. Is it important that the data be encrypted not just across the Internet, but across

the Intranet at either end?

2. Is it important that the data reside on an end system in an encrypted fashion?

If either question is yes, then I'd say something like PGP was warranted.

Both IPSec and PGP provide strong levels of encryption, and I sleep at night knowing I'm

using both in their respective strong suites.

1847
Views
0
Helpful
3
Replies
CreatePlease login to create content