Securing a hardware VPN

Maverick2002

Diamond Member
Jul 22, 2000
We recently kicked Hamachi to the curb because of connectivity issues and established a hardware VPN between two office networks. It's all running great, but I'm a little confused by all the encryption settings. My options are:

DES
3DES
AES-128
AES-192
AES-256

(for Phase 1 and Phase 2)

... along with some preshared key. We want to have a good mix of performance and security. I'm told that higher levels of encryption (like AES-256, which is probably overkill for us) will noticeably slow down network performance. Yes/no?
 

spidey07

No Lifer
Aug 4, 2000
What's the hardware? The encryption actually should be done in hardware (on a chip) and you won't notice any performance hit until you get to massive traffic loads, depending on what you're using.
 

ihyagp

Member
Aug 11, 2008
For the amount of data you're likely to see going through a VPN, nothing is really going to be slower than anything else unless the hardware is extremely slow. 3DES is probably the most computationally intensive though, depending on hardware.

I'd go with AES-128. Some new issues with the key scheduling on the 192- and 256-bit variants are showing up that don't affect AES with a 128-bit key.

http://www.schneier.com/blog/a...7/another_new_aes.html
 

Emulex

Diamond Member
Jan 28, 2001
AES-256 should not, if all of your devices (say, if you have teleworkers VPN in as well) have a hardware ASIC that can do AES-256.

Kinda like how most 802.11n routers suck balls at WEP because they ditched the hardware to deal with WEP and went with AES hardware, so the CPU has to do WEP in software, lagging the heck out of the CPU.

If it was two PCs acting as a VPN (not uncommon, like a Dell CR100 OEM) I'd say AES-256 is very much within reason for a Celeron 440 with a single connection.

Now load up 200 teleworkers on that, with VLAN and firewall rules for each. Could require a bump up to a Core 2.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Unless you run a banking service, security agency, or something else that is highly desirable among hackers, AES-128 is all you need.
 

seepy83

Platinum Member
Nov 12, 2003
Originally posted by: Maverick2002
Ok, Linksys, Cisco, whatever. So which is going to be the most ideal for our situation?

Personally, I would just try AES-256 and see if you have any performance problems. If it performs poorly (and assuming that you don't have any regulations that you need to comply with), you can rebuild it with something lower (192 or 128 maybe) and see how that works.
 

RebateMonger

Elite Member
Dec 24, 2005
Why not just try a couple of encryption settings and do some file transfers, testing the transfer rate? I doubt you'll find any significant differences, but you can do some quick tests to see if the transfer numbers are in the ballpark of each other.
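One way to run the quick comparison RebateMonger suggests on the gateway box itself rather than over the link, added here as an example that is not from this thread: it times CBC encryption with each cipher the original poster listed, using Go's standard library with a constructed key, a zero IV and MTU-sized packets. It shows relative CPU cost only, not what a VPN appliance's ASIC would do.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// Options from the thread mapped to key length in bytes; testKey is a
// constructed value, since only relative speed matters for this comparison.
var keyLen = map[string]int{"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
var testKey = []byte("0123456789abcdef0123456789abcdef")

// ThroughputMBps CBC-encrypts totalBytes of a constructed zero buffer in
// packetSize chunks (a multiple of 16) and returns MB/s.
func ThroughputMBps(name string, packetSize, totalBytes int) (float64, error) {
	n, ok := keyLen[name]
	if !ok {
		return 0, fmt.Errorf("unknown cipher %q", name)
	}
	var block cipher.Block
	var err error
	switch name {
	case "DES":
		block, err = des.NewCipher(testKey[:n])
	case "3DES":
		block, err = des.NewTripleDESCipher(testKey[:n])
	default:
		block, err = aes.NewCipher(testKey[:n])
	}
	if err != nil {
		return 0, err
	}
	mode := cipher.NewCBCEncrypter(block, make([]byte, block.BlockSize())) // zero IV
	buf := make([]byte, packetSize)
	start := time.Now()
	for done := 0; done < totalBytes; done += packetSize {
		mode.CryptBlocks(buf, buf) // in place; chaining carries across packets
	}
	return float64(totalBytes) / time.Since(start).Seconds() / 1e6, nil
}

func main() {
	for _, c := range []string{"DES", "3DES", "AES-128", "AES-192", "AES-256"} {
		mbps, _ := ThroughputMBps(c, 1408, 64<<20) // 64 MB in MTU-sized packets
		fmt.Printf("%-8s %8.1f MB/s\n", c, mbps)
	}
}
```

On x86 CPUs with AES-NI, Go's AES path is hardware accelerated while DES and 3DES run in pure software, which is the same asymmetry ihyagp and Emulex describe for appliances.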