RE: [FW1] Architecture for connecting multiple sites via VPN



Uh...that's probably not the best idea as it will double the number of
encrypted transactions as well as turn into a routing nightmare.

1.  Every connection from a remote site to another remote site will require
two encrypt/decrypt operations as opposed to only one if it were site to
site VPN.

2.  Manage your rule sets from an enterprise management console.  If you
have enough VPN and FW modules out there where you don't want to configure
them all by hand you can probably afford an EMC license.  This will
let you have different rule sets for different nodes, if this is the style
you prefer (as opposed to a huge monolithic rule set for all of your nodes)
as well as a common object base so defining your encryption domains will be
less of a burden.

3.  You would need to have quite a few static routes at the end points as
well as through your core network to get packets routed correctly.  If you
do site to site VPN, CP takes care of routing to the remote encryption
domains for you.

Chris


-----Original Message-----
From: Joel Turoff
To: [email protected]
Sent: 2/8/01 9:45 PM
Subject: [FW1] Architecture for connecting multiple sites via VPN


Greetings!

I am wondering what the best architecture is to connect multiple sites
together with a VPN.

I have four locations, and each needs to have a VPN into every other
site.  I know that I can certainly set up a VPN between every firewall,
but this loads down the rule base and isn't scalable.  Whenever I add
another site, there will be numerous VPNs to configure.

Is there some way to create a central hub site and link all the sites in
this manner?  Traffic would travel to the hub encrypted, then there would
be a short unencrypted hop to the next firewall, where it would then be
encrypted until reaching the destination network.

Is this sort of split-tunnel VPN possible with Checkpoint 4.1?  What would
be the mechanism for routing the traffic at the hub between firewalls?
Is it as simple as adding a few static routes on the firewalls?

Many thanks for any ideas or suggestions on where to find more
information about this.

Joel


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================





 
   All contents © 2004 Network Presence, LLC. All rights reserved.