VPN "Best Practices"
Posted on 2004-09-08
As an IT person, I'm often asked about setting up VPNs with existing hardware. While I'm aware of certain security risks, I'd really like to discuss with someone the pros and cons of the following setups:
Assume just 2 offices, each behind a NATed firewall with no DMZ.
1. Firewalls (same model at each office) also perform VPN.
2. Internal VPN devices (Cisco VPN router, etc.)
3. ISA to ISA.
4. W2kServer to W2kServer.
Basically, my main client has offices in LA and NY and is looking to connect them. They both simply have 30-50 computers, a couple of DCs and a NATed firewall (Watchguard FireBox X700). We would like to connect the offices and consolidate the domain, and I would prefer to do it 100% the right way. I often spout out "best practices", but always like to be reminded of why they are so. Especially since the computer world changes so rapidly, and it's always good to re-verify your feelings before committing to a big project.
Don't need answers specific to my situation. Not looking for you guys to do my job or anything, just thought I might spark a general conversation about various VPN methodologies that could benefit other people too.
Thanks for all your input.