3

I have a dedicated T1 line that runs between my office and my data center. Both ends have public IP addresses.

On both ends, we have AdTran T1 routers which connect to SonicWall firewalls.

The SonicWalls do a site-to-site VPN and handle the network translation, so the computers on the office network (10.0.100.x) can access the servers in the rack (10.0.103.x).

So the question: can I just add a static route to the SonicWalls so each network can access the other without the VPN? Are there security problems (such as someone else adding the appropriate static route and being able to access either the office or the datacenter)? Is there another / better way to do it?

The reason I'm looking at this is because the T1 is already a pretty small pipe, and having the VPN overhead makes connectivity really slow.

--

Clarifications (thanks for the answers so far):

The stumbling block for me is that the T1 has a public IP address. If I set up a route at the office that says "you can find the gateway for 10.0.103.0 at 200.X.Y.Z", can some dude on the internet also set up the same route and also be able to access my 10.0.103.0 network?

With the VPN, I know it's not possible because there are authorization protocols which prevent outside people from getting in.

Alternatively, I guess the question is "What is the correct way to route between two remote networks over a T1 line?"

The T1 in question has a physical endpoint in my office, and another physical endpoint somewhere at the datacenter, but again, the IP address is public.

I'm not concerned that the telco or datacenter people are sniffing my passwords (if they were, that would sure suck, but that situation is above my paranoia threshold :).

Seth
  • You forgot to mention a pretty important bit of information: Is this a normal or a P2P circuit? – jamieb Mar 20 '10 at 02:50
  • How slow? I am not familiar with SonicWall but it seems to me that most current enterprise firewalls can run a point-to-point VPN over a T1 without even lifting a finger. Our WatchGuard boxes are rated for 260 Mbps VPN throughput, and they're by no means expensive as firewalls go. Unless your firewalls are obsolete or misconfigured, I doubt that they are causing performance issues on something as slow as a T1. – Skyhawk Apr 16 '10 at 13:35

5 Answers

3

What do you mean by "need"? It's probably pretty safe but not 100% safe. Do you have a physical dedicated copper wire between them? Don't think so. Probably just two T1s that then go via your provider's network with dedicated bandwidth. So somebody on the provider's network can intercept your data. So if this is really sensitive the answer is no.

MK.
  • Depends on your level of paranoia. I ran one without encryption for a long time, and never gave it another thought. I was under the assumption that my provider didn't care about my traffic (99% of which was encrypted, due to running rsync over ssh tunnels) anyway. – Matt Simmons Mar 19 '10 at 23:37
0

Depending on the model of Cisco routers and whether they are up to date with the latest IOS, hire a Cisco admin to configure the routers correctly and you'll be able to eliminate the SonicWalls altogether.

All you need is a hardened ACL and routing configured correctly.

But VPN traffic shouldn't slow down the connection that much; I'd start testing for dropped traffic and see if you are being attacked.

Tom
  • Thanks, but the T1 routers aren't made by Cisco (they're AdTrans). We also don't have any packet loss, and aren't being attacked. VPNs are at least 10-15% overhead, not to mention the extra latency. That might not be much, but it's not a very big pipe to begin with. – Seth Mar 19 '10 at 20:31
  • I wish I could say I know AdTran routers, but I'd be surprised if you can't do the same thing: routing and a hardened ACL. Good luck – Tom Mar 19 '10 at 20:49
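The worry in the question (a stranger adding the same static route) and the "routing plus a hardened ACL" advice in this answer are both about the same thing: a route only decides where a router sends a packet next, while access is decided by the ingress filter on the interface the packet actually arrives on. The toy forwarding model below, written for this page and not taken from any SonicWall or AdTran configuration, walks the packets raised in the thread through a longest-prefix-match routing table and a per-interface ACL. The 10.0.100.0/24 and 10.0.103.0/24 prefixes are the ones from the question; the T1 /30 (203.0.113.0/30), the ISP hop (198.51.100.1) and all packet addresses are assumed placeholders from the RFC 5737 documentation ranges, since the page only says 200.X.Y.Z.

```python
"""Toy forwarding model for two private LANs joined by a static route over a T1.
Constructed example: it models the routing and ACL logic the routers would apply,
not any vendor's configuration syntax."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Prefixes from the question.  T1 /30 and ISP gateway are assumed values from
# the RFC 5737 documentation ranges (the page only gives 200.X.Y.Z).
OFFICE_LAN = ip_network("10.0.100.0/24")
DC_LAN = ip_network("10.0.103.0/24")
T1_LINK = ip_network("203.0.113.0/30")
T1_DC_END = ip_address("203.0.113.2")
ISP_GATEWAY = ip_address("198.51.100.1")
ANY = ip_network("0.0.0.0/0")
PRIVATE = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: Optional[IPv4Address]  # None means directly connected
    egress: str


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: str  # interface the packet arrived on: "lan", "t1" or "internet"


# Office router: its LAN, the T1 /30, the static route the question asks about,
# and a default route to the ISP.
OFFICE_ROUTES = (
    Route(OFFICE_LAN, None, "lan"),
    Route(T1_LINK, None, "t1"),
    Route(DC_LAN, T1_DC_END, "t1"),
    Route(ANY, ISP_GATEWAY, "internet"),
)

# Ingress ACL per interface as (permitted source, permitted destination).
# A packet is judged by where it arrived and what it claims to be, which a
# static route on a stranger's machine cannot influence.
OFFICE_ACL = {
    "lan": [(OFFICE_LAN, ANY)],
    "t1": [(DC_LAN, OFFICE_LAN)],   # only datacenter hosts talking to office hosts
    "internet": [(ANY, ANY)],       # NAT/firewall policy applies here; not modelled
}


def lookup(routes, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match, the way every IP router picks a route."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def admitted(acl, pkt: Packet) -> Tuple[bool, str]:
    """Ingress filter: anti-spoofing on the T1, no private addresses from the Internet."""
    if pkt.ingress == "internet" and any(pkt.src in p or pkt.dst in p for p in PRIVATE):
        return False, "private address on the public interface"
    for src_ok, dst_ok in acl.get(pkt.ingress, []):
        if pkt.src in src_ok and pkt.dst in dst_ok:
            return True, "permitted"
    return False, f"no ACL entry on {pkt.ingress} for {pkt.src} -> {pkt.dst}"


def forward(pkt: Packet, routes=OFFICE_ROUTES, acl=OFFICE_ACL) -> Tuple[str, str]:
    """Return ("drop", reason) or ("forward", "<egress> <next hop>")."""
    ok, why = admitted(acl, pkt)
    if not ok:
        return "drop", why
    route = lookup(routes, pkt.dst)
    if route is None:
        return "drop", "no route"
    hop = "directly connected" if route.next_hop is None else f"via {route.next_hop}"
    return "forward", f"{route.egress} {hop}"


def scenarios():
    """Constructed packets covering the cases raised in the thread."""
    def pk(s, d, i):
        return Packet(ip_address(s), ip_address(d), i)
    return {
        # office workstation to rack server: takes the static route over the T1
        "office_to_dc": forward(pk("10.0.100.5", "10.0.103.7", "lan")),
        # legitimate traffic from the datacenter side arriving on the T1
        "dc_to_office": forward(pk("10.0.103.7", "10.0.100.5", "t1")),
        # stranger with the same static route, arriving on the public interface
        "stranger_to_dc": forward(pk("198.51.100.77", "10.0.103.7", "internet")),
        # stranger whose packet was carried to the T1's public /30 by the far end
        "stranger_via_t1": forward(pk("198.51.100.77", "10.0.100.5", "t1")),
        # something on the T1 claiming an office source address (spoofing)
        "spoof_on_t1": forward(pk("10.0.100.9", "10.0.100.5", "t1")),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in scenarios().items():
        print(f"{name:16} {verdict:8} {detail}")
```

Only the two legitimate packets are forwarded; the stranger's route buys him nothing because his packet is still identified by the interface it enters and the source it carries. What the ACL cannot do is tell a genuine 10.0.103.x source from a forged one arriving over the same T1, which is the point MK's answer makes about trusting the provider's network in between: that assurance comes from the VPN, not from routing.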
0

Do you trust your telco?

Do you trust your own network?

Encryption costs latency?

How sensitive is the data?

What data is flowing over the T1 line, and why?

What are you trying to protect, and from whom?

If you start using encryption, can you troubleshoot it if it goes wrong?

The Unix Janitor
0

When you send data over the Internet you are risking having someone intercept the data. What you should really be asking is whether the company considers its data confidential.

If not, then remove the VPN; don't expect a big boost if you do.

You could also see if your company can afford a cable or DSL line; it can help reduce the load. Good luck!

Luis Ventura
0

Sounds simple: routers/firewalls should have VPN accelerator hardware built in.

And to be honest, SonicWall firewalls worry me a bit.

Have you ever considered a Cisco ASA or a higher-quality firewall unit?

I think that will be where the improvement is made.

The inside workings of the unit are what is causing your problem with VPN throughput.

Eric.