VPN tunnel security

We have a corporate VPN network with Cisco 1721 and Cisco 805 routers over the Internet. Since this is quite old equipment, can somebody advise how secure those tunnels going over the Internet are today?

As I understand it, they depend on a secret pre-shared key of a certain bit length. With computational power rising dramatically, is there a danger that somebody on the net may break the security of those VPN tunnels, either by reading the data or even by injecting something into the stream?

So, do I need to worry, or are these routers and their VPN settings still safe?

Thanks

Reply to
sali

The only real vulnerability on a VPN tunnel is what's called a man-in-the-middle attack. That would have to happen at one of the 2 physical locations or at one of the POPs that the traffic passes through. A "user" that is simply on the Internet cannot simply break into your tunnel. There are lots of other things you should be worried about besides the tunnel. Both pieces of equipment are EOL/EOS, which means they are running outdated software that most certainly has vulnerabilities. I'd be more worried about that than the tunnel!

Reply to
Brian V
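As an added example (not from this thread or from Cisco), here is a small audit script for the concern raised in the question: it reads an IOS-style configuration fragment and flags the settings that actually matter on an old pre-shared-key tunnel, namely weak IKE ciphers, hashes and Diffie-Hellman groups, weak IPsec transforms, and a short pre-shared key. The configuration text is constructed for the example, the peer address is a documentation address, and the 20-character PSK threshold is an assumed policy value.

```python
import re

# Constructed IOS-style configuration fragment; not taken from the thread's routers.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
crypto isakmp key branch1 address 203.0.113.10
crypto ipsec transform-set OLDSET esp-des esp-md5-hmac
crypto ipsec transform-set NEWSET esp-aes 256 esp-sha-hmac
"""

# Settings that current guidance treats as weak for a tunnel crossing the Internet.
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}
MIN_PSK_LENGTH = 20  # assumed policy: a short, guessable PSK is the realistic weakness


def audit_vpn_config(config: str) -> list[str]:
    """Return findings for weak IKE/IPsec settings in an IOS-style config fragment.

    Assumes the plain 'crypto isakmp key <key> address <peer>' form (no type-6 keys).
    """
    findings = []
    policy = None  # number of the 'crypto isakmp policy' block we are inside, if any
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
        elif policy and (m := re.match(r"(encryption|hash|group) (\S+)", line)):
            keyword, value = m.groups()
            if value in WEAK_CIPHERS | WEAK_HASHES | WEAK_DH_GROUPS:
                findings.append(f"isakmp policy {policy}: weak {keyword} {value}")
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            policy = None  # top-level command ends the policy block
            key, peer = m.groups()
            if len(key) < MIN_PSK_LENGTH:
                findings.append(f"pre-shared key for peer {peer}: only {len(key)} characters")
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            policy = None
            name, transforms = m.groups()
            for t in transforms.split():
                if t in WEAK_CIPHERS | WEAK_HASHES:
                    findings.append(f"transform-set {name}: weak transform {t}")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_config(SAMPLE_CONFIG):
        print(finding)
```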

Well, they were paid for quite expensively, and for many years they have worked quite well [we have a simple star topology, with static routes, no dynamic connections coming from outside].

Since they are outdated EOL/EOS, does it mean they have to be replaced with new [also expensive] ones, or can we simply wait until some of them experience some fatal hardware shock, and replace them then?

I am in the process of interrogating my network and trying to estimate potential threats and do a cost analysis.

Any experience and advice is helpful. Thanks

Reply to
sali

"sali" wrote in message news:fifob5$66n$ snipped-for-privacy@ls5.tel.net.ba...

Please don't top post, it makes it very difficult for people to read and respond to the threads. A simple "star" topology would be referring to a private infrastructure, not a publicly facing VPN setup. If by star you are referring to the VPN tunnels that you have, then yes, without question you should be running modern updated equipment running current software. As attack signatures and vulnerabilities are introduced, vendors bring out updated software to address those attacks. On your outdated equipment those vulnerabilities still exist and can be exploited. Internal routers are a different story in my opinion; those can run "older" software as they are not public facing and do not face the same exploits that edge routers face. You comment on equipment being "expensive", I beg to differ. Equipment these days is very reasonably priced. A modern 2801 router probably costs less than you paid for the 1700 series you have. What is the cost of your corporate private information, what would it cost you if your customer information was stolen? Is it worth more than the couple grand you'll pay for a new edge router? If so, then you have your answer already. In addition to that, VPN should never be run from the edge router; it should be run from a corporate firewall or dedicated VPN appliance. Edge Internet routers should be doing simple filtering, anti-spoofing, simple exploit stuff to keep the load off the firewall. A properly designed and implemented network edge may be much more reasonably priced than you think.

Reply to
Brian V

"Brian V" wrote in the newsgroup message:6sednWDi-opzCdbanZ2dnUVZ snipped-for-privacy@comcast.com...

Thanks for your suggestions. They can help me to present maintenance and upgrade costs to my management [as they are always "cutting" the costs].

Reply to
sali
