Liwang,

You aren't comparing apples to apples in your questions.  Let me
see if I can shed some light on the subject.

IPSec is a VPN technology that is responsible for securing a data
stream between two VPN peers.  It does not provide multi-protocol
support, so if you need to transport anything other than IP, you will
need to use a GRE tunnel.  (assuming you only connect to the outside
world using IP)

A GRE tunnel does not provide any security.  It is a tunneling
protocol that can give you the illusion that two tunnel interfaces
are connected together.  You can then set attributes within those two
tunnel interfaces as if they are directly connected to each other
(not everything, but most everything).  Thus, GRE tunnels do provide
multi-protocol support.

In order to determine which technology would be best suited for your
needs, your VPN business case should provide you with answers to the
following questions:

1) Are there just two sites that need to be connected together?
      (i.e. are there plans for a large scale deployment?)
2) Do you need encryption?
3) Do you need authentication?
4) Do you need to protect against a replay attack?
5) Who are you protecting your data from?

Cisco Encryption Technology (CET), which is frequently used with GRE
tunnels, is a precursor to IPSec and has been available since IOS 11.2.
While there are similarities between IPSec and CET, they do not provide the
same functionality.  This is why I asked the previous questions.  CET
can only encrypt your data streams, while IPSec can encrypt, authenticate
and provide protection against a replay attack.

CET does not provide for a Public Key Infrastructure (PKI) and thus if you had
hundreds of sites to connect, CET could become an administrative nightmare.
On the other hand, IPSec does provide for a PKI which can ease administrative
burdens, but can give you a whole different set of problems.  For example, who
administers the Certificate Authority server and where do they get their
authority?  This is important if it is an Extranet VPN.  In an Intranet VPN
this is not nearly as important since most companies can inherently trust
themselves (notice I said MOST not ALL ;-).

CET is fairly simple to set up, especially since it only encrypts your
data streams.  IPSec has a tremendous amount of flexibility and as we all
know, the more flexibility a technology has, the more complicated it gets.
IPSec can take a while to understand all of the underlying technology, but
it can give you an extremely secure environment.

Personally, assuming that:

1) We want a simple Intranet VPN protecting our data crossing the public
   Internet
2) We aren't protecting trade secrets worth millions of dollars
3) There are no plans on increasing the number of VPN connections

I would go with a GRE tunnel with CET.  If any of the above criteria aren't
met, I would go with IPSec.

HTH,
AQ


At 08:46 AM 11/23/00, Liwanag, Manolito wrote:
>I have a remote site that I want to connect to our central site that has a
>PIX.  I was thinking of using IPSec with context based access control.  But
>I was wondering if GRE is just as good?  (To qualify: reliable, easy to
>set up, secure and can handle plenty of tunnels.)  Can anyone advise?
>
>Manolito
>
>
>_________________________________
>FAQ, list archives, and subscription info: 
>http://www.groupstudy.com/list/cisco.html
>Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


**************************************************
  Adam Quiggle
  Senior Network Engineer
  MCI Worldcom/BP Amoco
  [EMAIL PROTECTED]
**************************************************

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
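Added illustration (not part of Adam's message or the original thread): the two technologies he describes are usually combined, with a GRE tunnel carrying the multi-protocol traffic and IPSec protecting the GRE stream between the two peers.  Everything below is an assumed example config; the addresses (documentation ranges), interface names, map/ACL names and the pre-shared key placeholder are all made up.

```cisco
! GRE tunnel: carries any protocol, but offers no security of its own
interface Tunnel0
 description GRE to remote site (example; addresses are documentation ranges)
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
! IPSec adds what GRE lacks: encryption, authentication and anti-replay
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_STRONG_SECRET address 198.51.100.1
!
crypto ipsec transform-set GRE-SET esp-3des esp-sha-hmac
 mode transport
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-SET
 match address 101
!
! Only the GRE stream between the two tunnel endpoints is selected for IPSec;
! anything not matched here leaves the router in the clear
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
!
! Verify on either peer: "show crypto isakmp sa" should list the peer,
! and the encaps/decaps counters in "show crypto ipsec sa" should climb
! as traffic crosses Tunnel0.
```

The remote peer mirrors this with the source/destination and peer addresses swapped.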
