In article <1130713495.544456.229670@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
millsusaf <ebrianmills@xxxxxxxxx> wrote:
:I am sorry, I was trying to convey that all VPN tunnels should be wide
:open to anything on the network. As for the family accounts, I also
:want them to be wide open to the network. Two accounts would be fine,
:"FamilyA" and "FamilyB".

Will the family accounts also be using the Cisco VPN client? Or will
they be using Microsoft's client (PPTP)? What is *your* security policy
on whether the family should be able to use their systems to talk to
other sites (e.g., yahoo IM) at the same time as they are communicating
with your systems? It is more convenient to them if they can connect
to you and do other things at the same time, but the risk to you is
higher: their systems might be under remote control, so if they are
allowed to communicate with another system at the same time they
are communicating with your network, -potentially- their systems could
be used to compromise your system (especially since you don't want
any restrictions on what they can connect to inside your network.)

:Once I upgrade the Pix to 6.3(5), I definitely want the AES.

AES came in in 6.2; you do not need an upgrade for it.

:Is the
:policy 7's for AES and the 10's for the old MD5?

There are two layers for IPSec encryption, "Phase 1" and "Phase 2".
The isakmp policy statements control "Phase 1" encryption, which
has to do with the process of negotiating shared session keys.
"Phase 2" encryption is for the data traffic, and that is controlled
by the crypto map set transform-set. The mysetAES transform
set is there to use AES-256 for Phase 2.

The choice is not, by the way, AES vs MD5, but rather
AES vs DES (or 3DES), and MD5 vs SHA. MD5 is weaker than SHA
(even taking into account the known issues with each).
AES-256 is a 256 bit encryption; AES-128 is a 128 bit encryption;
3DES turns out to only be 112 bit encryption (not 168 like it
might sound); DES is 56 bit encryption. AES is a simpler algorithm
and runs about half again as fast on the PIX 501 as 3DES does.

I'll put together the config changes later... it appears to be my
turn to cook.
--
Is there any thing whereof it may be said, See, this is new? It hath
been already of old time, which was before us. -- Ecclesiastes
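The Phase 1 / Phase 2 split and the two family groups discussed in the reply above, as an added PIX 6.3 configuration sketch that is not from this thread or the poster's own config. The transform-set name mysetAES, the policy numbers 7 and 10, and the group names FamilyA/FamilyB come from the thread; the policy contents, the map and pool names (dynmap, clientmap, vpnpool), the address range and the group keys are assumptions/placeholders.

```cisco
! PIX 6.3 - constructed example, not the poster's running config.
! Phase 1 (ISAKMP): lower policy number = tried first, so AES-256/SHA wins
! whenever the client supports it.
isakmp enable outside
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
! Weaker fallback (3DES/MD5) kept only for clients that cannot do AES/SHA;
! delete these five lines once every client negotiates policy 7.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Phase 2 (IPsec): the transform set bound to the crypto map decides how
! the data traffic is protected, independently of the isakmp policy.
crypto ipsec transform-set mysetAES esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set mysetAES
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap interface outside
sysopt connection permit-ipsec
! Cisco VPN client groups for the family (pool range is a placeholder).
ip local pool vpnpool 192.168.100.1-192.168.100.20
vpngroup FamilyA address-pool vpnpool
vpngroup FamilyA idle-time 1800
vpngroup FamilyA password <FAMILYA-GROUP-KEY-PLACEHOLDER>
vpngroup FamilyB address-pool vpnpool
vpngroup FamilyB idle-time 1800
vpngroup FamilyB password <FAMILYB-GROUP-KEY-PLACEHOLDER>
! No "vpngroup ... split-tunnel" line on purpose: without split tunnelling
! every packet from a connected family PC goes through the tunnel, so it
! cannot reach other sites and your LAN at the same time.
```

Adding a `vpngroup FamilyA split-tunnel <acl>` line would be the "more convenient" choice the reply describes, at the cost of letting a connected family PC bridge the Internet and your network.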