Solved

IPSec

Posted on 2009-06-30
7
1,008 Views
Last Modified: 2012-05-07
What are the advantages and disadvantages of implementing IPSec using these methods:

1. Gateway to Gateway (using Firewall features)
2. Gateway to Gateway (using Router)
3a. Host to host (tunnel mode)
3b. Host to host (transport mode)

Is it true that IPSec theory host to host (tunnel mode) does not work in practice? What are common mistakes in implementing IPsec.
0
Comment
Question by:Arifnor
  • 4
  • 3
7 Comments
 
LVL 8

Assisted Solution

by:Nothing_Changed
Nothing_Changed earned 250 total points
Comment Utility
In my experience , you are going to get minimal support headaches whenever you ahve sites that can be joined by a Lan to Lan tunnel, since you only have to support your own network gear and not a group of users of varying skills, experience, and intelligence. Good firewall gear such as a Caiso ASA5500 platform has built in hardware optimization to enhance IPSEC performance and minimize latency. Some routers can be outfitted with add on cards to perform this function, but I find it best to compartmentalize functions. Troubleshooting is faster in the event of problems if you firewall is doing security and your routers are just routing.

If you have individual users trying to access remote lan(s) from varying locations, a client to vpn concentrator setup works best. And again, an ASA is a great VPN concentrator in addition to being a very strong firewall. Your authentication choices are very good as well, ranging from local database in the firewall to remote authentication through TACAS, RADIUS, or even active directory or LDAP.

I have not tried client to client VPN setups, and wouldn't think the complication of it is worht the effort to try it. If you need a secure client to client tunnel, use SSH.

The most common mistake I see is using gear/software that you don't understand and/or that has no support when you are new. Once you are experienced, you can make darned near anything link up, but for learning, I suggest following a trail instead of trying to blaze one yourself the first time.
0
 

Author Comment

by:Arifnor
Comment Utility
Hi Nothing Changed,

Thanks.

We try not to use Firewall. This is because this network is a private WAN (there is no Internet connection). The external threat can be seen as negligible - only have to worry with internal threat (by applying physical security to ensure there is no internal intrusion). The HQ LAN connect to serveral regional LAN, (geographically separated) via Router and through MPLS (IP VPN).

If we are using Firewall to implement IPSec, we have to install one firewall for each site which may be costly (if there 10 LAN (sites) we are going to install 10 of those firewall).

The objective is to increase the security by applying encryption and authentication for all traffic that run through the WAN.

Can you also explain on SSH?
0
 
LVL 8

Assisted Solution

by:Nothing_Changed
Nothing_Changed earned 250 total points
Comment Utility
Ah! If you want to encrypt your WAN links, that's not overly difficult, but the method varies widely based on router vendor. I'm very familiar with Cisco routers and firewalls, and somewhat familiar with Nortel and Wellfleet. Some routers can do it (most new ones), and some can't as well.

Encrypted WAN links will traffic in transit between sites, and again you only have to deal with your own network gear, not every single user individually, so that's WAY less support headaches.

For ultra sensitive communications, endpoint to endpoint encryption via SSH (Secure Shell, here is a great site--> http://www.openssh.com) or SSL on web traffic is the way to go. But in general, most networks do not need every communication between every host encrypted in addition to the wan pipes themselves, the increased complication and support overhead isn't worth the trouble in most cases. If you don't trust your users, don't let them into your network.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:Arifnor
Comment Utility
Hi Nothing Change,

Before I closed the question, can you confirm my understanding:

1. Gateway to Gateway (using Firewall features) - Can be one best solution for IPSec. However for closed network it is not cost effective.
2. Gateway to Gateway (using Router) - This is the best and cost effective solution for implementing IPSec
3a. Host to host (tunnel mode) - It is complicated and difficult to manage
3b. Host to host (transport mode) - It is complicated and difficult to manage

Use SSH or SSL for endpoint to endpoint encryption.

BTW you have not answer this question:
Is it true that IPSec theory host to host (tunnel mode) does not work in practice?
0
 

Author Comment

by:Arifnor
Comment Utility
Hi Nothing Change,

I want to closed this question. Can you respond to my confirmation note.
0
 
LVL 8

Accepted Solution

by:
Nothing_Changed earned 250 total points
Comment Utility
Hi,

Your restatements:

1. Gateway to Gateway (using Firewall features) - Can be one best solution for IPSec. However for closed network it is (sometimes) not cost effective.
2. Gateway to Gateway (using Router) - This is the best and cost effective solution for implementing IPSec (as long as your routers support it)
3a. Host to host (tunnel mode) - It is complicated and difficult to manage
3b. Host to host (transport mode) - It is complicated and difficult to manage

are correct. And SSH for host to host encryption for most apps and ssl for web apps is the standard way to go, and works very well.

And as for
"BTW you have not answer this question:
Is it true that IPSec theory host to host (tunnel mode) does not work in practice?"

you COULD configure this, theoretically, but I've not seen it done anywhere. That doesn't mean it CAN'T be done, just that it would be unusual. IPSEC can create an encrypted "virtual" link between a pair of nodes, whether it is a computer to a computer, or a firewall to a router, etc. On some operating systems it would be more easily done than others, I'd estimate that Linux or unix would be the best candidates due to the granularity of control you have over how every network connection works. Windows would be more difficult and would likely require some custom programming or at the minimum some recompilation or customization of open source code you could find. My recommendation for SSH is based on the fact that there are working tested clients/servers available for every platform i know of, and many include something included with  the operating system builds. So if a "production-quality" working solution exists, I recommend that over an untested theoretical solution, unless there is something very advantageous about the new solution that makes it worth the support efforts and risk of failure that always accompanies untested things. This is a good Wiki --> http://en.wikipedia.org/wiki/OpenVPN <-- on the topic of OpenVPN between hosts or networks, but I would not recommend this for a business class production network environment unless there were constraints (such as capital budget) that makes using a commercially available VPN solution impossible. But be aware, while open source stuff is pretty cool and you get it for "free", the soft costs of starting up and configuring and supporting it should be taken into account. There is no one to call if it breaks or doesn't work, you just have to muscle through it & figure it out, which is REALLY painful if there are people standing over your shoulder waiting for their network to come back up so you can build/sell/ship whatever it is your business does.

How's that? :)

0
 

Author Comment

by:Arifnor
Comment Utility
Thanks a lot. I think I have enough explaination. I will closed the question.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

There is a question posted at http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28324159.html) and i…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now