RE: GRE VS. IPSEc

2000-11-24 Thread Liwanag, Manolito

See Below...

-Original Message-
From: Adam Quiggle [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 24, 2000 4:20 PM
To: Liwanag, Manolito; [EMAIL PROTECTED]
Subject: RE: GRE VS. IPSEc


Manolito,

At 01:44 PM 11/23/00, you wrote:
Thanks for the detailed reply. BTW my first name is Manolito.  No big
deal.  Take a look at my comments below when you have a minute

-Original Message-
From: Adam Quiggle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 23, 2000 1:13 PM
To: Liwanag, Manolito; 'Cisco Group Study'
Subject: Re: GRE VS. IPSEc


1) Are there just two sites that need to be connected together?
   (i.e. are there plans for a large scale deployment?)

  Right now yes.  This remote branch that I want to connect to corporate
is using ISDN to get to corporate and the Net.  Recent expansion has raised
the number of ee to 40 and the bandwidth is now super saturated.  I was
planning on getting an ADSL connection to replace the ISDN.  Basically I
want that remote branch to access the internet locally - not to go through
our PIX at the corporate site - but other network traffic to go through an
IPSec tunnel to corporate.


What do you mean you have the number of ee to 40?  What is ee?

Answer: Employees

It is easy to encrypt traffic destined for the corporate site and
let the other "Internet" traffic go directly to it, not through
the corporate site.  Just make sure the access list used in your
crypto map only identifies traffic to the corporate office as
traffic to be encrypted.  If you are talking about PCs that need
this functionality it is a little bit more difficult.  Your VPN
client would have to support "split mode".  I believe the Cisco
3000 VPN router (formerly Altiga) can support this type of behavior,
although I don't have the details as to how it works.



2) Do you need encryption?
  Yes

3) Do you need authentication?

  I think yes as well
4) Do you need to protect against a replay attack?

  Yes
5) Who are you protecting your data from?

  everyone that is not an employee


With regard to protecting your data, will you be transmitting
trade secrets?  What would be the potential of having someone
intercept your messages?  Don't use a shotgun to kill a mosquito.



How about using IPSec with GRE in it?  Any suggestions are very helpful
for me as I am new in this field.  I have set up an IPsec tunnel to our
other PIX in Australia and I figured that I could do the same for a 1605-R
router to the corporate PIX.


There is nothing wrong with using IPSec to encrypt a GRE tunnel;
it is perfectly acceptable.  The question is, do you want to spend
the time learning IPSec (this is a good thing) or do you just want
to get it done?  Realize that the skills required to implement CET
are not quite 1/2 the skills/knowledge you need to implement IPSec
(in your particular instance). Also realize that you can get bogged
down in the details once you realize the features that can be deployed
with IPSec.

AQ
p.s. Sorry about the name.  I did get it right this time. :-)

No worries Mate :D

Thank you very much for the feedback.  I am using this small project to
learn a bit more about IPsec and GRE.

**
  Adam Quiggle
  Senior Network Engineer
  MCI Worldcom/BP Amoco
  [EMAIL PROTECTED]
**

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: GRE VS. IPSEc

2000-11-24 Thread Adam Quiggle

Manolito,

At 01:44 PM 11/23/00, you wrote:
Thanks for the detailed reply. BTW my first name is Manolito.  No big
deal.  Take a look at my comments below when you have a minute

-Original Message-
From: Adam Quiggle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 23, 2000 1:13 PM
To: Liwanag, Manolito; 'Cisco Group Study'
Subject: Re: GRE VS. IPSEc


1) Are there just two sites that need to be connected together?
   (i.e. are there plans for a large scale deployment?)

  Right now yes.  This remote branch that I want to connect to corporate
is using ISDN to get to corporate and the Net.  Recent expansion has raised
the number of ee to 40 and the bandwidth is now super saturated.  I was
planning on getting an ADSL connection to replace the ISDN.  Basically I
want that remote branch to access the internet locally - not to go through
our PIX at the corporate site - but other network traffic to go through an
IPSec tunnel to corporate.


What do you mean you have the number of ee to 40?  What is ee?

It is easy to encrypt traffic destined for the corporate site and
let the other "Internet" traffic go directly to it, not through
the corporate site.  Just make sure the access list used in your
crypto map only identifies traffic to the corporate office as
traffic to be encrypted.  If you are talking about PCs that need
this functionality it is a little bit more difficult.  Your VPN
client would have to support "split mode".  I believe the Cisco
3000 VPN router (formerly Altiga) can support this type of behavior,
although I don't have the details as to how it works.



2) Do you need encryption?
  Yes

3) Do you need authentication?

  I think yes as well
4) Do you need to protect against a replay attack?

  Yes
5) Who are you protecting your data from?

  everyone that is not an employee


With regard to protecting your data, will you be transmitting
trade secrets?  What would be the potential of having someone
intercept your messages?  Don't use a shotgun to kill a mosquito.



How about using IPSec with GRE in it?  Any suggestions are very helpful
for me as I am new in this field.  I have set up an IPsec tunnel to our
other PIX in Australia and I figured that I could do the same for a 1605-R
router to the corporate PIX.


There is nothing wrong with using IPSec to encrypt a GRE tunnel;
it is perfectly acceptable.  The question is, do you want to spend
the time learning IPSec (this is a good thing) or do you just want
to get it done?  Realize that the skills required to implement CET
are not quite 1/2 the skills/knowledge you need to implement IPSec
(in your particular instance). Also realize that you can get bogged
down in the details once you realize the features that can be deployed
with IPSec.

AQ
p.s. Sorry about the name.  I did get it right this time. :-)




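Adam's point about the crypto-map access list (made in both messages above) has a companion check that a branch router doing local Internet access also needs. The following is an added example, not code from the thread or from Cisco: a small Python model of the order in which a Cisco IOS router applies NAT and then the crypto map on the inside-to-outside path, run against a weak and a corrected NAT access list. The addresses (branch LAN 10.20.0.0/24, corporate LAN 10.10.0.0/16, branch public address 198.51.100.2) and the sample flows are assumptions constructed for the example. It goes one step beyond the message: when the branch also translates its Internet-bound traffic, the crypto ACL alone is not enough, because NAT runs first and translated corporate-bound packets no longer match it.

```python
"""Split-tunnel audit for the branch-router design discussed in the thread.

Added example; not from the original thread.  All addresses are assumptions:
branch LAN 10.20.0.0/24, corporate LAN 10.10.0.0/16, branch public IP 198.51.100.2.

Point being checked: on a Cisco IOS router forwarding inside->outside, NAT is
applied before the crypto map is consulted.  The crypto ACL alone is therefore
not enough; the NAT ACL must also deny branch->corporate traffic.  Otherwise that
traffic is translated to the public address, no longer matches the crypto ACL,
and leaves for the Internet in cleartext.
"""
from ipaddress import ip_address, ip_network

BRANCH_LAN = ip_network("10.20.0.0/24")      # assumption
CORP_LAN = ip_network("10.10.0.0/16")        # assumption
BRANCH_PUBLIC = ip_address("198.51.100.2")   # assumption: the branch ADSL address
ANY = ip_network("0.0.0.0/0")


# An ACL is an ordered list of (action, src_net, dst_net).  First match wins and
# there is an implicit deny at the end, as on IOS.
def acl_permits(acl, src, dst):
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False


# Crypto ACL: only branch -> corporate is "interesting traffic" to be encrypted.
CRYPTO_ACL = [("permit", BRANCH_LAN, CORP_LAN)]

# Weak NAT ACL: translate everything leaving the branch LAN.
NAT_ACL_WEAK = [("permit", BRANCH_LAN, ANY)]

# Corrected NAT ACL: exempt the VPN traffic first, then translate the rest.
NAT_ACL_FIXED = [("deny", BRANCH_LAN, CORP_LAN), ("permit", BRANCH_LAN, ANY)]


def forward(src, dst, nat_acl, crypto_acl=CRYPTO_ACL):
    """Simulate inside->outside forwarding; return (disposition, source address on the wire)."""
    src, dst = ip_address(src), ip_address(dst)
    if acl_permits(nat_acl, src, dst):        # step 1: NAT inside -> outside
        src = BRANCH_PUBLIC
    if acl_permits(crypto_acl, src, dst):     # step 2: crypto map sees the post-NAT packet
        return "encrypted", str(src)
    return "cleartext", str(src)


# Constructed sample flows with the disposition the split-tunnel policy requires.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.1.1", "encrypted"),    # branch PC -> corporate server
    ("10.20.0.5", "203.0.113.9", "cleartext"),  # branch PC -> Internet, local exit
]


def audit(nat_acl, crypto_acl=CRYPTO_ACL):
    """Return the sample flows whose disposition violates the policy."""
    return [(s, d) for s, d, want in SAMPLE_FLOWS
            if forward(s, d, nat_acl, crypto_acl)[0] != want]


if __name__ == "__main__":
    for name, acl in (("weak NAT ACL", NAT_ACL_WEAK), ("fixed NAT ACL", NAT_ACL_FIXED)):
        print(name, "->", audit(acl) or "policy holds")
```

With the weak NAT list the corporate-bound flow is reported as leaving in cleartext from the public address; with the deny entry in front it stays unchanged and is picked up by the crypto map, while Internet traffic is still translated and exits locally.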



Re: GRE VS. IPSEc

2000-11-23 Thread Adam Quiggle

Liwang,

You aren't comparing apples to apples in your questions.  Let me
see if I can shed some light on the subject.

IPSec is a VPN technology that is responsible for securing a data
stream between two VPN peers.  It does not provide multi-protocol
support, so if you need to transport anything other than IP, you will
need to use a GRE tunnel.  (assuming you only connect to the outside
world using IP)

A GRE tunnel does not provide any security.  It is a tunneling
protocol that can give you the illusion that two tunnel interfaces
are connected together.  You can then set attributes within those two
tunnel interfaces as if they were directly connected to each other
(not everything, but most everything).  Thus, GRE tunnels do provide
multi-protocol support.

In order to determine which technology would be best suited for your
needs, your VPN business case should provide you with answers to the
following questions:

1) Are there just two sites that need to be connected together?
  (i.e. are there plans for a large scale deployment?)
2) Do you need encryption?
3) Do you need authentication?
4) Do you need to protect against a replay attack?
5) Who are you protecting your data from?

Cisco Encryption Technology (CET), which is frequently used with GRE
tunnels, is a precursor to IPSec and has been available since IOS 11.2.
While there are similarities between IPSec and CET, they do not provide the
same functionality.  This is why I asked the previous questions.  CET
can only encrypt your data streams, while IPSec can encrypt, authenticate
and provide protection against a replay attack.

CET does not provide for a Public Key Infrastructure (PKI) and thus if you had
100's of sites to connect, CET could become an administrative nightmare.
On the other hand, IPSec does provide for a PKI which can ease administrative
burdens, but can give you a whole different set of problems.  For example, who
administers the Certificate Authority server and where do they get their
authority?  This is important if it is an Extranet VPN.  In an Intranet VPN
this is not nearly as important since most Companies can inherently trust
themselves (notice I said MOST not ALL ;-).

CET is fairly simple to set up, especially since it only encrypts your
data streams.  IPSec has a tremendous amount of flexibility and as we all
know the more flexibility a technology has, the more complicated it gets.
IPSec can take a while to understand all of the underlying technology, but
it can give you an extremely secure environment.

Personally, assuming that:

1) We want a simple Intranet VPN protecting our data crossing the public Internet
2) We aren't protecting trade secrets worth millions of dollars
3) There are no plans on increasing the number of VPN connections

I would go with a GRE tunnel with CET.  If any of the above criteria aren't met
I would go with IPSec.

HTH,
AQ


At 08:46 AM 11/23/00, Liwanag, Manolito wrote:
I have a remote site that I want to connect to our central site that has a
PIX.  I was thinking of using IPSec with context based access control.  But
I was wondering if GRE is just as good?  (To qualify: reliable, easy to
set up, secure and can handle plenty of tunnels.)  Can anyone advise?

Manolito





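The message above makes two claims worth seeing in code: a GRE tunnel provides no security of its own, and IPsec adds the three properties CET lacks (encryption, authentication, replay protection). The following is an added example, not code from the thread, from Cisco or from any IPsec implementation. The GRE framing follows RFC 2784/2890. The `EspLikeSA` class copies the shape of RFC 4303 ESP (SPI, 32-bit sequence number, truncated HMAC integrity check value, 64-packet sliding anti-replay window) but substitutes an HMAC-derived keystream for a real cipher so that it runs on the Python standard library alone; it is a teaching model of the receiver-side checks, not an IPsec stack. Keys, SPI and payloads are constructed for the example.

```python
"""GRE versus IPsec-style protection.  Added example, not from the thread.

GRE framing follows RFC 2784/2890.  EspLikeSA copies the shape of RFC 4303 (SPI,
32-bit sequence number, truncated HMAC ICV, 64-packet anti-replay window) but uses
an HMAC-derived keystream instead of a real cipher so it runs on the standard
library alone.  Teaching model only, not an IPsec implementation.
"""
import hashlib
import hmac
import struct

GRE_PROTO_IPV4 = 0x0800


def gre_encap(payload: bytes, proto: int = GRE_PROTO_IPV4) -> bytes:
    """Minimal GRE header: no C/K/S bits, version 0, protocol type, then the payload."""
    return struct.pack("!HH", 0, proto) + payload


def gre_decap(pkt: bytes):
    """Return (protocol type, payload).  Nothing here checks who sent the packet or
    whether it was altered in transit; anyone on the path can read the payload."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    if flags & 0x8000:
        off += 4  # Checksum + Reserved1 present (RFC 2784)
    if flags & 0x2000:
        off += 4  # Key present (RFC 2890)
    if flags & 0x1000:
        off += 4  # Sequence Number present (RFC 2890)
    return proto, pkt[off:]


class EspLikeSA:
    """One direction of a security association: keys, outbound counter, replay window."""
    WINDOW = 64
    ICV_LEN = 12  # 96-bit truncated HMAC, the classic ESP integrity-algorithm size

    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq_out = 0  # last sequence number sent
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) already accepted

    def _keystream(self, seq: int, n: int) -> bytes:
        # Toy cipher: HMAC(enc_key, seq || counter) blocks, XORed with the data.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, struct.pack("!II", seq, ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def protect(self, payload: bytes) -> bytes:
        self.seq_out += 1
        ct = bytes(a ^ b for a, b in zip(payload, self._keystream(self.seq_out, len(payload))))
        hdr = struct.pack("!II", self.spi, self.seq_out)
        icv = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[: self.ICV_LEN]
        return hdr + ct + icv

    def unprotect(self, pkt: bytes) -> bytes:
        """Receiver checks in RFC 4303 order: SPI, replay window, ICV, then decrypt.
        The window moves only after the ICV verifies, so forged packets cannot shift it."""
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replay")
        body, icv = pkt[8:-self.ICV_LEN], pkt[-self.ICV_LEN:]
        expected = hmac.new(self.auth_key, pkt[:-self.ICV_LEN], hashlib.sha256).digest()[: self.ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("bad ICV")
        self._window_update(seq)
        return bytes(a ^ b for a, b in zip(body, self._keystream(seq, len(body))))

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False  # 0 is never a valid ESP sequence number
        if seq > self.highest:
            return True   # right of the window: new
        diff = self.highest - seq
        if diff >= self.WINDOW:
            return False  # left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside the window: reject if already seen

    def _window_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def try_unprotect(sa: EspLikeSA, pkt: bytes):
    """Return ('ok', plaintext) or ('rejected', reason) for tabulating receiver decisions."""
    try:
        return "ok", sa.unprotect(pkt)
    except ValueError as e:
        return "rejected", str(e)
```

Decapsulating a GRE packet whose payload byte was flipped in transit succeeds silently, which is the "no security" point. On the ESP-like side, a packet that arrives late but inside the window is accepted once, the same packet a second time is rejected as a replay, and a packet with a modified body fails the ICV check without disturbing the window, so the genuine copy is still accepted afterwards.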



RE: GRE VS. IPSEc

2000-11-23 Thread Urooj's Hi-speed Internet

Great explanation!!! Adam Quiggle.




Re: GRE VS. IPSEc

2000-11-23 Thread Billha

Excellent reading !

