[vpn] [Fwd: Re: [fw-wiz] Link encryptors vs. IPSec]

Stephen Hope shope at energis-eis.co.uk
Thu Aug 23 07:46:28 EDT 2001


George,

this is a bit broad brush but should help...

i work for a company that has provided all 3 solutions that come to mind for
your requirement - Cylink link encryptors, routers with encryption, and VPN
gateways.

but we don't operate in the US, so no sales bias....

1. link encryptors (we supply Cylink mainly to banks). Very secure, and allows
security admin to be separate from routers and network hardware. only works
over "single hops" - serial link or a frame PVC.

uses proprietary management - you need management for some configs (not
leased line). uses Diffie-Hellman and auto key exchange.

designed for the seriously paranoid - e.g. open the case and the current
keys get wiped.

basically - very easy to use once set up. very secure - standard for some
banking applications. meets some military specs around the world.

for the app you describe, you would need 2 different pairs of link
encryptors, 1 for leased line, and 1 for ISDN - i have not used any dialup
kit in this config.

note - cylink make Ethernet to Ethernet encapsulation encryptors, which can
be used as "black box" VPN gateways as well.

2. routers with encryption - comes in s/w and hardware variants, and
you need hardware to offload the CPU of the routers for "reasonable"
performance, esp. with 3DES.

for cisco, management is integrated into the IOS.

you can encrypt across both link types, or you could define a "tunnel"
between LAN interfaces and encrypt that, then use route and traffic filters
to force the flows over the encrypted link.

Because the router sees both the "raw" and the encrypted link, you need to use
filtering to protect it if the link is accessible to others (and if it
wasn't, you wouldn't need encryption?).

this should give you the minimum cost, although encryption will mean a
hardware accelerator and maybe bigger routers. use the recent cisco boxes
if that manufacturer suits - 17xx, 26xx, 36xx as they support the hardware
encryptors.

3. vpn gateways - if you structure your design as if the WAN links are
internet-like, then the topology is exactly what VPN gateways were designed
to secure - the ISDN and leased line with the routers that drive them sit on
the "insecure" side of the gateways.

some firewalls can provide the vpn gateway - i have worked with both cisco
PIX and Nokia / checkpoint, and both work well.

The main issue that is a problem here is managing the routers.

more generally - you need to test it thoroughly - a security scanner and
some traffic load software will be needed. I don't know of any way to verify
that an encryptor is working at the "strength" it claims, but if I have to
trust a manufacturer for this then I would be most comfortable with the
Cylink kit as their stuff gets verified by various commercial and military
users.

let me know what happens, and if i can help with more detail - good luck.

regards

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis Integration Services Ltd, WWW: http://www.energis-eis.co.uk
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
4189


> -----Original Message-----
> From: George Capehart [mailto:capegeo at opengroup.org]
> Sent: 21 August 2001 00:58
> To: vpn at securityfocus.com
> Subject: [vpn] [Fwd: Re: [fw-wiz] Link encryptors vs. IPSec]
> 
> 
> Thanks.  I'm looking forward to the replies.
> 
> -------- Original Message --------
> Subject: Re: [fw-wiz] Link encryptors vs. IPSec
> Date: Mon, 20 Aug 2001 09:42:19 -0500 (CDT)
> From: Tina Bird <tbird at precision-guesswork.com>
> To: George Capehart <capegeo at opengroup.org>
> 
> George -- Could you please send this to the VPN mailing
> list (vpn at securityfocus.com)?  This is >>exactly< the kind
> of question that group likes to work on...
> 
> Thanks very much -- Tina Bird
> VPN List Moderator
> 
> On Sat, 18 Aug 2001, George Capehart wrote:
> 
> > Date: Sat, 18 Aug 2001 00:27:55 -0400
> > From: George Capehart <capegeo at opengroup.org>
> > To: firewall-wizards at nfr.com
> > Subject: [fw-wiz] Link encryptors vs. IPSec
> > 
> > Hello Wizards,
> > 
> > I have a slightly off-topic question that mjr probably won't let
> > through, but since I can't think of a more appropriate list, I'll ask it
> > here.  (Pointers to more appropriate lists/newsgroups would be
> > appreciated).  Since it is somewhat off-topic, I would be happy to
> > accept private replies.  If it is of interest, I will publish a summary
> > of the responses I receive.  Here goes:
> > 
> > The requirement is to provide over-the-wire privacy between two
> > organizations.  There are two links between the organizations, a
> > dedicated leased line as the primary link, an ISDN dialup line as the
> > backup link.  For various reasons out of my control, one of the
> > organizations wants all of the traffic that flows through its border
> > routers to be in the clear so that they can monitor it.  The other
> > organization does not want traffic between the organizations to be
> > subject to eavesdropping.  The two classes of options to solve the
> > problem seem to be:
> >  - Use link encryptors (like Cylink) between the routers and the
> > telecomm interfaces, or
> >  - Use IPSec on the public side of the routers.
> > 
> > I am agnostic with respect to the solution.  I have a personal bias, but
> > it's based on the KISS principle and it seems to me that the link
> > encryptor option is a little simpler than is using IPSec.  At least that
> > has been my (admittedly limited) experience.  I do not want to start a
> > flame war, but I would truly like to hear the opinions and experiences
> > of others who have worked with one or both (preferably both) of the
> > options.  I need information that can help me weigh the decision one
> > way or the other.
> > 
> > I know that the details are very scarce.  This is because the solution
> > to this problem will drive many other design assumptions and decisions.
> > 
> > Thanks in advance.
> > 
> > Best regards,
> > 
> > George Capehart
> > --
> > George W. Capehart                               Phone:  +1 704.953.1209
> >                                                    Fax:  +1 704.853.2624
> > 
> > SMS Messaging:  http://www.mobile.att.net/mc/personal/pager_show.html
> >                 or
> >                 mailto:  7049531209 at mobile.att.net
> > 
> > "Does getiud() halt the spawning of child processes?"
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards at nfr.com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
> > 
> 
> VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
> life: http://kubarb.phsx.ukans.edu/~tbird
> work: http://www.counterpane.com
> 
> VPN is sponsored by SecurityFocus.com
> 

VPN is sponsored by SecurityFocus.com
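Stephen's closing advice to test the deployment thoroughly, together with his point that a router on the encrypted path sees both the raw and the encrypted link, suggests a concrete acceptance check for George's two-link design. The script below is an added example; it is not code from the original thread or from any vendor mentioned in it. It inspects packets captured on the WAN side of the encryptor (the side the other organisation may monitor) and flags any packet carrying the two sites' inner addresses as a cleartext leak, while checking that ESP/AH payloads between the two encryptor endpoints look random. The site prefixes (10.1.0.0/16, 10.2.0.0/16), the encryptor WAN addresses (192.0.2.1, 192.0.2.2) and the capture itself are constructed for illustration, not taken from the post.

```python
"""Acceptance check for a site-to-site encryptor deployment: inspect traffic
captured on the WAN (cleartext-forbidden) side and flag anything between the
two sites that is not ESP/AH/IKE. Added example; addressing is assumed."""
import hashlib
import ipaddress
import struct
from collections import Counter, namedtuple
from math import log2

ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORTS = {500, 4500}

# Assumed addressing for the illustration (not from the original thread).
SITE_A = ipaddress.ip_network("10.1.0.0/16")   # the org that wants privacy
SITE_B = ipaddress.ip_network("10.2.0.0/16")   # the org that monitors in the clear
ENC_A = ipaddress.ip_address("192.0.2.1")      # WAN address of A's encryptor/router
ENC_B = ipaddress.ip_address("192.0.2.2")      # WAN address of B's encryptor/router

Packet = namedtuple("Packet", "src dst proto payload")


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (no options, checksum left zero) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(str(src)).packed,
                      ipaddress.ip_address(str(dst)).packed)
    return hdr + payload


def parse_ipv4(raw):
    """Parse the fixed IPv4 header and return addresses, protocol and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                  proto, raw[ihl:total_len])


def byte_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or constant data, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def classify(raw, min_entropy=6.0):
    """Label one WAN-side packet. Inner site addresses on the wire are a leak."""
    p = parse_ipv4(raw)
    site_to_site = ((p.src in SITE_A and p.dst in SITE_B) or
                    (p.src in SITE_B and p.dst in SITE_A))
    if site_to_site:
        return "CLEARTEXT_LEAK"
    if {p.src, p.dst} == {ENC_A, ENC_B}:
        if p.proto in (ESP, AH):
            body = p.payload[8:]          # skip SPI + sequence number
            return "ENCRYPTED" if byte_entropy(body) >= min_entropy else "LOW_ENTROPY"
        if p.proto == UDP and len(p.payload) >= 4:
            sport, dport = struct.unpack("!HH", p.payload[:4])
            if sport in IKE_PORTS or dport in IKE_PORTS:
                return "IKE"
        return "UNEXPECTED_PEER_TRAFFIC"
    return "OTHER"


def audit(capture):
    """capture: iterable of (link_name, raw_ipv4_packet). Returns {link: Counter}."""
    result = {}
    for link, raw in capture:
        result.setdefault(link, Counter())[classify(raw)] += 1
    return result


def sample_capture():
    """Constructed sample: the leased line carries only IKE and ESP; when the
    ISDN backup comes up, a route change lets one packet bypass the encryptor."""
    # 256 deterministic pseudo-random bytes standing in for ciphertext
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    esp = struct.pack("!II", 0x1234ABCD, 1) + ciphertext
    ike = struct.pack("!HHHH", 500, 500, 8 + 64, 0) + bytes(64)   # UDP hdr + zeroed IKE
    http = struct.pack("!HH", 40000, 80) + bytes(16) + b"GET /ledger HTTP/1.0\r\n\r\n"
    return [
        ("leased", build_ipv4(ENC_A, ENC_B, UDP, ike)),
        ("leased", build_ipv4(ENC_A, ENC_B, ESP, esp)),
        ("leased", build_ipv4(ENC_B, ENC_A, ESP, esp)),
        ("isdn", build_ipv4(ENC_A, ENC_B, ESP, esp)),
        ("isdn", build_ipv4("10.1.0.5", "10.2.0.9", TCP, http)),   # the leak
    ]


if __name__ == "__main__":
    for link, counts in audit(sample_capture()).items():
        bad = counts["CLEARTEXT_LEAK"] or counts["LOW_ENTROPY"]
        print(f"{link}: {dict(counts)} -> {'FAIL' if bad else 'ok'}")
```

The constructed capture models the failure a practitioner most wants to catch with a leased-line/ISDN pair: the backup link coming up with a route that bypasses the encryptor, so cleartext appears on the WAN even though the primary link was clean. That is the case Stephen's router filters are meant to close. The entropy test only detects payload that is not encrypted at all (or a null/disabled cipher); it says nothing about whether the cipher is 3DES or something weaker, which is exactly the limitation the post points to. To run it over a real capture, feed raw IPv4 packets from a pcap reader into audit().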