On 12/4/07, John Rodenbiker <[EMAIL PROTECTED]> wrote:
>
> On Dec 4, 2007, at 12:14 AM, visc wrote:
>
> > So, my question is this - what are the current best practices for
> > setting up a hub and spoke topology using OpenBSD, allowing for
> > traffic to securely flow from Branch to Branch on occasion without
> > using a full mesh topology. If it's at all possible... (network
> > description below)
>
> At this point IMHO branch-to-branch is avoided not for security
> reasons but for administrative reasons.
>
> It is a pain in the ass to configure each branch to establish a VPN to
> any other branch. It's easy to tell each branch router "if you want to
> talk to BRANCHX, talk to CENTRALOFFICE first".

GRE/IPIP inside IPsec and dynamic routing.

/Tony

> If you have more than a handful of branches it is very annoying to
> tell each router "if you want to talk to BRANCHA, talk to A; if you
> want to talk to BRANCHB, talk to B; etc."
>
> The primary advantage of the star or branch-to-central topology was
> the difficulty of someone putting a man-in-the-middle of a leased line.
>
> But now leased lines are expensive. VPNs and direct Internet
> connections are cheap so it makes much more sense to put in the
> pain-in-the-ass effort to connect everyone in your Intranet via
> VPNs/IPSEC and get rid of your leased lines.
>
> If you only have enough budget to move a few this year you analyze
> which few cross-talk the most and configure them for mesh and leave
> the rest as star.
>
> This is not true if you asked an auditor, however. It is much easier
> to put a network sensor down in a star topology and get most of the
> network traffic than it is for a mesh network. If you want to be able
> to buy one device and know for sure that everyone is going through it
> you probably need a star topology and a heavy hand on the branch
> routers.
>
> --
> Freedom, truth, love, beauty.
> John Rodenbiker
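As an added illustration of Tony's one-line answer (this is editor-supplied example configuration, not something posted in the thread), here is what "GRE inside IPsec plus dynamic routing" looks like on an OpenBSD hub and one spoke. Every address is an assumption: the hub's public address is 203.0.113.1, branch A's is 203.0.113.10, the GRE point-to-point link uses 10.255.0.0/30, the hub LAN sits behind em1 and the branch LAN behind em1 as well. The file syntax follows hostname.if(5), ipsec.conf(5) and ospfd.conf(5) as the editor recalls them for releases of that era; check the man pages of the release you run before copying anything. The point the example makes is the administrative one John raises: each spoke carries exactly one IPsec flow and one GRE interface pointing at the hub, and ospfd learns every other branch's subnet over that tunnel, so branch-to-branch traffic is routed through the hub without any per-branch static policy. It also satisfies the auditor's requirement in the same message, since all inter-branch traffic crosses the hub's gre interfaces in the clear, where a single sensor can see it.

```conf
# ---------------- HUB (203.0.113.1), assumed addresses ----------------

# /etc/sysctl.conf  -- gre(4) is disabled by default
net.inet.gre.allow=1
net.inet.ip.forwarding=1

# /etc/hostname.gre0  -- one GRE interface per branch; this one is branch A
# "tunnel <local-public> <remote-public>" sets the outer GRE endpoints,
# "inet <local> <mask> <remote>" sets the inner point-to-point addresses.
tunnel 203.0.113.1 203.0.113.10
inet 10.255.0.1 255.255.255.252 10.255.0.2
up

# /etc/ipsec.conf  -- protect only the GRE packets, transport mode, one
# flow per branch; adding branch B means adding one more line here.
hub="203.0.113.1"
branchA="203.0.113.10"
ike esp transport proto gre from $hub to $branchA psk "REPLACE_WITH_LONG_RANDOM_SECRET"

# /etc/ospfd.conf  -- every gre interface joins area 0; the hub LAN is
# advertised passively (no OSPF hellos sent onto the LAN itself).
router-id 10.255.0.1
area 0.0.0.0 {
        interface gre0
        interface em1 { passive }
}

# /etc/rc.conf.local  -- start isakmpd with pre-shared keys, load the
# flows from ipsec.conf, and run ospfd at boot.
isakmpd_flags="-K"
ipsec=YES
ospfd_flags=""

# ---------------- BRANCH A (203.0.113.10), assumed addresses ----------------

# /etc/sysctl.conf
net.inet.gre.allow=1
net.inet.ip.forwarding=1

# /etc/hostname.gre0  -- the spoke has exactly one tunnel, to the hub
tunnel 203.0.113.10 203.0.113.1
inet 10.255.0.2 255.255.255.252 10.255.0.1
up

# /etc/ipsec.conf  -- mirror image of the hub's single flow
branchA="203.0.113.10"
hub="203.0.113.1"
ike esp transport proto gre from $branchA to $hub psk "REPLACE_WITH_LONG_RANDOM_SECRET"

# /etc/ospfd.conf  -- the spoke advertises its LAN and learns every other
# branch's subnet from the hub; no per-branch routes are ever typed here.
router-id 10.255.0.2
area 0.0.0.0 {
        interface gre0
        interface em1 { passive }
}

# /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES
ospfd_flags=""
```

Two practical notes on the design. First, pf(4) on each box must pass esp, udp port 500 (isakmp) and gre on the external interface, and the hub's gre interfaces are the natural place to put the pass rules and the sensor span for inter-branch traffic. Second, because the IPsec flow is restricted with `proto gre`, anything that is not inside the tunnel is not protected by it; a mistake in the gre or route configuration fails closed (traffic is dropped) rather than leaking branch traffic in plaintext across the Internet, which is the failure mode you want.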