Astaro User Bulletin Board
  #1 (permalink)  
Old 02-17-2010, 05:03 PM
Junior Member
 
Join Date: Mar 2009
Posts: 7
Best Practice - Site to Site using Astaros

What is the best encryption / IPSec policy to use for Site to Site with 2 Astaros?

We have 2 Astaro units, ASG120 and ASG320. Currently using CiscoMatch policy, adopted from when we previously had a Cisco firewall at the remote location. I'm very concerned about performance, but need to keep security in mind. We do quite a bit of RDP traffic, as well as some file syncing over this site to site VPN.

Appreciate your best practice / thoughts !!!!


Del

Last edited by Dawley; 02-17-2010 at 07:49 PM.
  #2 (permalink)  
Old 02-17-2010, 07:00 PM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 6,624

I think the fastest is AES-128. The trade-off is that it's a lot easier to crack than AES-256 PFS, but I think even AES-128 is acceptable for the Payment Card Industry standard. 3DES is more-secure than AES-256, but at a real performance penalty. It depends on how "attractive" your information is.

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Last edited by BAlfson; 02-17-2010 at 07:15 PM.
  #3 (permalink)  
Old 02-17-2010, 10:51 PM
Wizard
 
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,885

Not according to what I have read. There are well-known (for over a decade) faster-than-brute-force attacks against DES and 3DES... this is the very reason AES was launched and the Rijndael cipher. As of now the Rijndael has held up well considering the computational power of desktop computers today. I'm sure we'll see another "AES" competition within the next 5-10 years.

Schneier on Security: New Attack on AES
Schneier on Security: Another New AES Attack
http://www.networkworld.com/research...0730feat2.html

Just a few of the articles I have read..
__________________
50 user home license:ASL 7.5x p-4 celey 2.53 2 gigs ram 80 gig hdd intel/3com nics

Astaro Authorized Reseller
Registered Microsoft Partner
Emmanuel Computer Consulting, L.L.C.
http://www.eccmd.com
  #4 (permalink)  
Old 02-18-2010, 01:52 AM
Moderator
 
Join Date: Mar 2007
Location: Oklahoma City
Posts: 6,624

Thanks, William. I thought 3DES was a bit stronger than AES-256, but I probably just assumed that because of the slowness. It seems that you are confirming that he can use AES-128 for speed and still have more-than-adequate security.

Cheers - Bob
  #5 (permalink)  
Old 02-18-2010, 02:11 PM
Wizard
 
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,885

That's correct..AES is more secure AND faster...
  #6 (permalink)  
Old 02-22-2010, 08:33 PM
Junior Member
 
Join Date: Mar 2009
Posts: 7

Thanks to both of you. I would love to see a best practices area on this user bulletin board that helps people get an idea of what to implement or at least what they should be considering.

Again - Thanks!

Del
All times are GMT.