[vpn] Planning a VPN - Are we doing the best thing?

sam scure at redbulltech.com
Tue Jan 22 13:52:27 EST 2002


May I suggest using Nokia's CryptoCluster for gateway to gateway, client to
gateway, and gateway to non-managed 3rd party gateway (PIX). The
CryptoCluster is extremely strong and supports virtually unlimited clients.
The only client it doesn't support is Win 95... DARN :(. CryptoCluster's
management auto-generates the policy, alleviating huge headaches when setting
up policies. It also has a built-in RSA certificate authority so you can cut
unlimited CAs. This solution is extremely scalable and affordable. Hope this
helps. Feel free to contact me directly if you need more information
(scure at redbulltech.com).


-----Original Message-----
From: Dana J. Dawson [mailto:djdawso at qwest.com]
Sent: Monday, January 21, 2002 12:33 PM
To: Phillips, Kevin
Cc: 'vpn at securityfocus.com'
Subject: Re: [vpn] Planning a VPN - Are we doing the best thing?


You can do the site-to-site stuff with the PIX, but the 506 is limited to 25
total VPN peers, including VPN clients (this was changed in the PIX 6.1 software
- the old limit was 4 peers, but that conflicted with the new PIX 501). Whether
this is enough to support your pool of users is tough to say. I usually scale
VPN hardware by the bandwidth of encrypted traffic required, at least as a first
rough estimate. The PIX 506 CPU is fast enough to do about 6 Mbits of 3DES (the
Cisco numbers vary on this), so even if you have a T1 you'll probably be ok,
especially if your encrypted traffic is only part of the traffic through the
PIX. You're more likely to run into feature limits with the VPN client support,
since the PIX doesn't support all the features that a dedicated VPN concentrator
does. The biggest missing feature is IPSec through NAT, which is a pretty
common requirement with all the DSL and cable modems out there. With a pool of
around 30 users you're kind of on the border line of where a concentrator is
worth the cost. A Cisco 3000 series concentrator starts at around $4000, and
there are cheaper ones from other vendors, so shop around.

HTH

Dana

--
Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Global Services              (612) 664-3364
Qwest Communications               (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."


"Phillips, Kevin" wrote:
>
> I have an office of 35 people and need to connect to 2 other offices of
> similar size. We will also have about 30 people total that will need access
> from home and on the road.
> The parent company IT group tell us we need to use the PIX 506 plus a 2000
> server running ISA for the firewall/VPN. I get the impression that the 506
> is not big enough and that a 515 is more suitable.
> I have looked around on vpnlabs.org and found a lot of info but still need a
> dummies guide to VPN.
> Thanks all,
>
> Kevin Phillips
> IT Systems technician
> Barco Graphics
> 40 Westover Road
> Ludlow, MA 01056
> kevin.phillips at barco.com
>
> VPN is sponsored by SecurityFocus.com

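A sizing check that applies the two limits Dana quotes for the PIX 506 (25 peers including clients, about 6 Mbit/s of 3DES) to Kevin's numbers, as an added example that is not part of the thread. The T1 line rate, the worst case of every remote client being connected at once, and the class and function names are assumptions.

```python
from dataclasses import dataclass

T1_MBPS = 1.544  # nominal T1 line rate (constructed input, not from the post)


@dataclass
class Gateway:
    name: str
    max_peers: int      # total IPsec peers, site-to-site plus VPN clients
    des3_mbps: float    # sustained 3DES throughput in Mbit/s


@dataclass
class Demand:
    site_peers: int          # other offices this gateway must tunnel to
    remote_clients: int      # home/road users who may connect
    link_mbps: float         # WAN link rate in Mbit/s
    encrypted_share: float   # fraction of link traffic that is IPsec, 0..1


# Figures quoted in the post: 25 peers including clients, about 6 Mbit/s of 3DES.
PIX_506 = Gateway("PIX 506", max_peers=25, des3_mbps=6.0)


def peak_peers(d: Demand) -> int:
    # Assumption: worst case, every remote client is connected at the same time.
    return d.site_peers + d.remote_clients


def crypto_load_mbps(d: Demand) -> float:
    # The post's heuristic: size by bandwidth of encrypted traffic, not by users.
    return d.link_mbps * d.encrypted_share


def binding_limits(gw: Gateway, d: Demand) -> list[str]:
    """Return one line per gateway limit the demand exceeds (empty list = fits)."""
    problems = []
    peers = peak_peers(d)
    if peers > gw.max_peers:
        problems.append(f"peers: need {peers}, {gw.name} allows {gw.max_peers}")
    load = crypto_load_mbps(d)
    if load > gw.des3_mbps:
        problems.append(f"3DES: need {load:.2f} Mbit/s, {gw.name} does ~{gw.des3_mbps}")
    return problems


if __name__ == "__main__":
    # Kevin's case: two other offices, ~30 remote users, a T1, everything encrypted.
    office = Demand(site_peers=2, remote_clients=30, link_mbps=T1_MBPS, encrypted_share=1.0)
    for line in binding_limits(PIX_506, office) or ["fits within limits"]:
        print(line)
```

With Kevin's numbers the crypto budget is comfortable but the peer limit is the binding constraint, which matches the post's point that the 25-peer cap, not CPU, is what to watch on the 506.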

