Excellent reading!


Adam Quiggle <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Liwang,
>
> You aren't comparing apples to apples in your questions.  Let me
> see if I can shed some light on the subject.
>
> IPSec is a VPN technology that is responsible for securing a data
> stream between two VPN peers.  It does not provide multi-protocol
> support, so if you need to transport anything other than IP, you will
> need to use a GRE tunnel.  (assuming you only connect to the outside
> world using IP)
>
> A GRE tunnel does not provide any security.  It is a tunneling
> protocol that can give you the illusion that two tunnel interfaces
> are connected together.  You can then set attributes within those two
> tunnel interfaces as if they are directly connected to each other
> (not everything, but most everything).  Thus, GRE tunnels do provide
> multi-protocol support.
>
> In order to determine which technology would be best suited for your
> needs, your VPN business case should provide you with answers to the
> following questions:
>
> 1) Are there just two sites that need to be connected together?
>       (i.e. are there plans for a large scale deployment?)
> 2) Do you need encryption?
> 3) Do you need authentication?
> 4) Do you need to protect against a replay attack?
> 5) Who are you protecting your data from?
>
> Cisco Encryption Technology (CET), which is frequently used with GRE
> tunnels, is a precursor to IPSec and has been available since IOS 11.2.
> While there are similarities between IPSec and CET, they do not provide the
> same functionality.  This is why I asked the previous questions.  CET
> can only encrypt your data streams, while IPSec can encrypt, authenticate
> and provide protection against a replay attack.
>
> CET does not provide for a Public Key Infrastructure (PKI) and thus if you had
> 100's of sites to connect, CET could become an administrative nightmare.
> On the other hand, IPSec does provide for a PKI which can ease administrative
> burdens, but can give you a whole different set of problems.  For example, who
> administers the Certificate Authority server and where do they get their
> authority?
> This is important if it is an Extranet VPN.  In an Intranet VPN this is not
> nearly as important since most companies can inherently trust themselves (notice
> I said MOST not ALL ;-).
>
> CET is fairly simple to set up, especially since it only encrypts your
> data streams.  IPSec has a tremendous amount of flexibility and as we all
> know the more flexibility a technology has, the more complicated it gets.
> IPSec can take a while to understand all of the underlying technology, but
> it can give you an extremely secure environment.
>
> Personally, assuming that:
>
> 1) We want a simple Intranet VPN protecting our data crossing the public
> Internet
> 2) We aren't protecting trade secrets worth millions of dollars
> 3) There are no plans on increasing the number of VPN connections
>
> I would go with a GRE tunnel with CET.  If any of the above criteria aren't
> met I would go with IPSec.
>
> HTH,
> AQ
>
>
> At 08:46 AM 11/23/00, Liwanag, Manolito wrote:
> >I have a remote site that I want to connect to our central site that has a
> >PIX.  I was thinking of using IPSec with context based access control.  But
> >I was wondering if GRE is just as good? (To qualify: reliable, easy to
> >set up, secure and can handle plenty of tunnels.) Can anyone advise?
> >
> >Manolito
> >
> >
> >_________________________________
> >FAQ, list archives, and subscription info:
> >http://www.groupstudy.com/list/cisco.html
> >Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
>
> **************************************************
>   Adam Quiggle
>   Senior Network Engineer
>   MCI Worldcom/BP Amoco
>   [EMAIL PROTECTED]
> **************************************************
>


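As an added worked example (not from Adam's reply, the original question, or the list), this is the IOS configuration that gets both properties discussed above: a GRE tunnel carried inside IPSec, so the tunnel keeps its multi-protocol support while IPSec supplies the encryption, authentication and replay protection that CET lacks. The interface names, addresses (documentation range), ACL/map names and pre-shared key are constructed placeholders; the far side is assumed to be another IOS router with the mirror-image configuration, on a release that supports AES and DH group 14.

```cisco
! Added example (not from the thread): GRE over IPsec on one IOS router.
! Assumptions: local WAN address 203.0.113.1, remote peer 203.0.113.2
! (both constructed), and a matching configuration on the peer.
!
! Phase 1 (ISAKMP): authenticates the two peers. A pre-shared key is used
! here; a PKI (the administrative question raised above) would replace it
! with certificates via a trustpoint.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-SECRET address 203.0.113.2
!
! Phase 2 (IPsec): ESP gives encryption plus integrity, and anti-replay is
! enabled by default. Transport mode suffices because GRE already adds
! its own outer IP header between the tunnel endpoints.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! Only GRE packets between the two tunnel endpoints are encrypted;
! other traffic leaving the WAN interface is not affected.
ip access-list extended GRE-ONLY
 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 match address GRE-ONLY
!
! The GRE tunnel: carries any protocol IOS can route over it, and can run
! a routing protocol with the far side as if the routers were adjacent.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! The crypto map binds to the physical interface the GRE packets leave on.
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-MAP
```

Verify with `show crypto isakmp sa` and `show crypto ipsec sa` that the SA comes up and the encrypt/decrypt counters increase when traffic crosses Tunnel0; if the counters stay at zero, the GRE packets are bypassing the crypto map.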