On Dec 4, 2007, at 12:14 AM, visc wrote:
So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)

At this point IMHO branch-to-branch is avoided not for security reasons but for administrative reasons.

It is a pain in the ass to configure each branch to establish a VPN to any other branch. It's easy to tell each branch router "if you want to talk to BRANCHX, talk to CENTRALOFFICE first".

If you have more than a handful of branches it is very annoying to tell each router "if you want to talk to BRANCHA, talk to A; if you want to talk to BRANCHB, talk to B; etc."

The primary advantage of the star or branch-to-central topology was the difficulty of someone putting a man-in-the-middle of a leased line.

But now leased lines are expensive. VPNs and direct Internet connections are cheap so it makes much more sense to put in the pain-in-the-ass effort to connect everyone in your Intranet via VPNs/IPSEC and get rid of your leased lines.

If you only have enough budget to move a few this year you analyze which few cross-talk the most and configure them for mesh and leave the rest as star.

This is not true if you asked an auditor, however. It is much easier to put a network sensor down in a star topology and get most of the network traffic than it is for a mesh network. If you want to be able to buy one device and know for sure that everyone is going through it you probably need a star topology and a heavy hand on the branch routers.
--
Freedom, truth, love, beauty.
John Rodenbiker
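
A hub-and-spoke ipsec.conf(5) layout for the arrangement John describes, added here as an example; it is not from the original thread. Public addresses, internal subnets and PSK strings are constructed placeholders, and it assumes net.inet.ip.forwarding=1 and a pf ruleset that passes traffic on enc0 at the hub.

```conf
# --- Hub (central office), public address 192.0.2.1 (constructed) ---
# One passive flow per branch; branches initiate, the hub answers.
# The "from" side is the whole internal range, so a packet the hub
# forwards on behalf of branch A toward branch B re-matches the
# branch-B flow below and is re-encrypted to B.  Requires
# net.inet.ip.forwarding=1 and pf passing traffic on enc0 (assumed).
ike passive esp from 10.0.0.0/8 to 10.1.0.0/24 peer 198.51.100.1 psk "PLACEHOLDER_PSK_A"
ike passive esp from 10.0.0.0/8 to 10.2.0.0/24 peer 203.0.113.7 psk "PLACEHOLDER_PSK_B"

# --- Branch A, public address 198.51.100.1, LAN 10.1.0.0/24 ---
# A single flow covering every internal subnet, all via the hub:
# "if you want to talk to BRANCHB, talk to CENTRALOFFICE first".
# Nothing here names branch B, so adding a branch touches only the hub.
ike esp from 10.1.0.0/24 to 10.0.0.0/8 peer 192.0.2.1 psk "PLACEHOLDER_PSK_A"

# --- Branch B, public address 203.0.113.7, LAN 10.2.0.0/24 ---
ike esp from 10.2.0.0/24 to 10.0.0.0/8 peer 192.0.2.1 psk "PLACEHOLDER_PSK_B"
```

Because every branch-to-branch packet is decrypted on the hub's enc(4) interface before being re-encrypted, that interface is the single point where a sensor sees all inter-branch traffic, which is the audit property the last paragraph refers to.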
