Security and Encryption across WAN Links


I have Nexus 7000 which connected to Infinet WL to 4 sites as point to point now i need to secure and encrypt the data across the WAN link is it better to use OSPF authentication and this enough ?
Ayman RoyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Craig BeckCommented:
OSPF authentication won't encrypt anything - it will only check that devices trying to exchange OSPF information are allowed to do so.

You need to use IPSec, for example.
Jian An LimSolutions ArchitectCommented:
and depends whether you are your Infinet WL is an Internet or a private network.
If infinet WL is private network, then encryption only add an additional security.

if infinet WL is internet network, then of course, IPSEC, MPPE,  STTP would be the recommended solution.

Nexus 7000 is a switch and it don't have VPN capability. you need additional facility to encrypt such traffic
btanExec ConsultantCommented:
Good to check Cisco SAFE in specific to protect WAN in practices, ospf or egirp auth does not encrypt as all mentioned and confidentiality is via VPN minimally, pse see
A sample implementation of secure routing in the Internet WAN edge module is shown below and it integrates the SAFE guidelines to:
•Authenticate all routing peers.
•Only distribute the hub IP address out of the external routing domain. This is a loopback interface that is common across the hub devices.
•Disable routing on all interfaces by default.
•Explicitly enable the internal routing domain on interfaces to the WAN edge distribution switches and the VPN tunnels.
•Explicitly enable the external routing domain on interfaces to the private WAN.
•Only permit distribution into the internal routing domain of the branch subnets advertised from the tunnel interfaces.
•Enable neighbor logging on all routing domains.

The recommendation for secure WAN connectivity in the WAN edge includes the following:

•VPN for traffic isolation over the WAN
There are a number of VPN options and the choice will vary based on specific customer requirements. DMVPN, for instance, offers support for VPN over both a private WAN and the Internet, as well as multicast and dynamic routing. Consequently, DMVPN can be integrated to enable a common VPN implementation if both these WAN types are deployed at remote sites.

•Public Key Infrastructure (PKI) for strong tunnel authentication
PKI provides secure, scalable, and manageable authentication that is critical to large-scale VPN deployments. PKI also features the dynamic renewal and revocation of certificates that enables the dynamic commissioning and decommissioning of branches with ease.

•Advanced Encryption Standard (AES) for strong encryption
Data over the Internet is vulnerable to sniffing; therefore, encryption is critical to data confidentially and integrity. Data over a private WAN can also be encrypted for maximum security or for compliance reasons.

Pointers in general as hardening as well
- Available for BGP, IS-IS, OSPF, RIPv2 and EIGRP. Use MD5 authentication (not really as good but that is what they offers) rather than insecure plain text authentication. To function properly, neighbor authentication must be enabled on both ends of the routing session.

- Use the passive-interface default command when enabling routing on network ranges matching a large number of interfaces. This allows to selectively enable the propagation of routing updates over the interfaces that are expected to be part of the routing process. In RIP and IGRP, the passive-interface command stops the router from sending updates on the selected interface, but the router continues listening and processing updates received from neighbors on that interface. In EIGRP and OSPF, the passive-interface command prevents neighbor sessions to be established on the selected interface. This stops not only routing updates from being advertised, but it also suppresses incoming routing updates.

- Logging the status changes of neighbor sessions is a good practice that helps identify such problems and that facilitates troubleshooting. In most routing protocols, status change message logging is enabled by default. By default, EIGRP and OSPF log status changes.
Ayman RoyAuthor Commented:
do you have any IPSec example from cisco match with my case ?
btanExec ConsultantCommented:
it may not be direct mapping (like not 4 sites, just 2 sites and not using WL per se) but can be relevant. It stated static routes and working alright and have some consideration in enabling OSPF on the availability monitoring aspects. Pse see

I do see availability key as well to security monitoring in event of denial or loss of activity for multiples site, otherwise, the security aspects are already discussed prev. vpn tunnel is preferred rather than ospf auth..

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.