Mike Drechsler - SPAM PROTECTED EMAIL 2005-08-26, 5:47 pm
Vince wrote:
> Mike D., hopefully you can answer this one for me:
>
> I received 1 of my 3 Netopia 3386-ENT routers yesterday (2 are
> backordered - they seem to be constrained right now), and I'm digesting
> the documentation and familiarizing myself with the telnet interface. I
> have a question about the IPSec w/IKE configuration. In Netopia's
> documentation, they "strongly" recommend having the "VPN accelerator card
> option" if I choose 3DES instead of DES for the encryption. I assume
> this was in reference to the older R-series routers which had that
> option. My question is, what can I expect to lose as far as
> performance if I go with 3DES, given that the 3386 doesn't have the
> built-in accelerator like the 4000 series? Is the gain in security
> enough to justify the drop in performance? (I know my mileage will
> vary, I'm more interested in the experience of others - keep in mind it
> will be primarily RDP traffic passing over the VPN links)
>
> As always, any insight is appreciated.
It's not likely that you would see a drop in performance at all
depending on how fast your WAN connection is. For most cable and DSL
speed connections the unit is able to encrypt data faster than the
upstream WAN speed of the connection.
The manuals are obviously adapted from the original R series. That's
where the incorrect info is coming from.
Your connection would be safe from low level attack with just DES but it
is not great. A hacker could spend the time to crack this level of
encryption with brute force methods though I do not know of any easily
automated tools to do this against IPSEC sessions so you would not
likely see a widespread level of attack. It would require someone very
dedicated and knowledgeable with a very clear desire to breach the
communications systems of your network. The time element for a hacker
to breach this level of encryption is measured in weeks with standard
equipment and days with specialized equipment such as the DES cracker
hardware built by the EFF for the RSA DES challenge:
http://www.eff.org/Privacy/Crypto/C...isc/DESCracker/
Even though the RDP protocol is encrypted, I don't think it would help
slow a hacker's ability to decrypt a DES packet. They would likely look
for TCP Header information to tell if they have guessed the correct key.
One other point. The way that IPSEC works, there are actually 2
separate encryptions happening. The phase 1 connection is made with
slightly different encryption algorithms; this layer of encryption is
slower to process so they just use it to exchange symmetric DES keys
which can be encrypted and decrypted faster for the phase 2 connection.
The hacker would need to know the encryption key for the phase 1
transaction to be able to establish a new spoofed connection. Just
knowing the DES key would give him the ability to decrypt packets in
that particular session but when the phase 1 connection is renegotiated,
those keys are changed.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
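A small model of the two-level key hierarchy Mike describes above (a long-lived phase 1 secret used only to derive short-lived phase 2 session keys, which change at every renegotiation). This is an added example, not code from the thread or from Netopia: HMAC-SHA256 stands in for IKE's PRF chain, a counter-mode keystream stands in for the DES/3DES transform, and the nonce/SPI layout and the derived IV are constructed for the model. It shows the point of the post: an attacker who recovers one session's key can read that session's packets but gets nothing useful from the packets of the next epoch, and cannot reproduce a session key without the phase 1 secret.

```python
import hashlib
import hmac

IV_LEN = 16


def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function used for every derivation.
    HMAC-SHA256 is a stand-in for IKE's negotiated PRF (assumption of this model)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_phase2_key(phase1_secret: bytes, spi: bytes,
                      nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Phase 2 (IPsec SA) key, bound to the phase 1 secret and to fresh nonces
    from both peers. The nonces are public in the exchange; without the phase 1
    secret they do not let anyone reproduce the key."""
    return prf(phase1_secret, b"phase2|" + spi + nonce_i + nonce_r)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from the PRF; a stand-in for the DES/3DES cipher."""
    blocks = [prf(key, iv + counter.to_bytes(4, "big"))
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """Toy ESP-like packet: IV followed by plaintext XOR keystream."""
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))
    return iv + body


def decrypt(key: bytes, packet: bytes) -> bytes:
    """Inverse of encrypt(); with the wrong key the result is pseudo-random bytes."""
    iv, body = packet[:IV_LEN], packet[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, iv, len(body))))


def exposure_after_rekey(phase1_secret: bytes, spi: bytes, epochs):
    """Run a sequence of phase 2 negotiations under one phase 1 secret.

    epochs: list of (nonce_i, nonce_r, plaintext), one per renegotiation.
    Each epoch derives its own session key and encrypts its plaintext.
    An attacker who learned only the FIRST session key is then handed every
    packet; the returned list is what that attacker decrypts per epoch.
    Only epoch 0 comes back as real plaintext."""
    packets = []
    leaked_key = None
    for nonce_i, nonce_r, plaintext in epochs:
        key = derive_phase2_key(phase1_secret, spi, nonce_i, nonce_r)
        # Deterministic IV so the model is reproducible; real ESP uses a
        # fresh IV per packet (constructed simplification).
        iv = prf(key, b"iv|" + nonce_i)[:IV_LEN]
        packets.append(encrypt(key, plaintext, iv))
        if leaked_key is None:
            leaked_key = key
    return [decrypt(leaked_key, pkt) for pkt in packets]


if __name__ == "__main__":
    # Constructed sample values: a fixed phase 1 secret, SPI and two rekey epochs.
    secret = b"\x11" * 32
    spi = b"\x00\x00\x00\x01"
    epochs = [
        (b"A" * 16, b"B" * 16, b"epoch-1 RDP data"),
        (b"C" * 16, b"D" * 16, b"epoch-2 RDP data"),
    ]
    for i, recovered in enumerate(exposure_after_rekey(secret, spi, epochs)):
        print(f"epoch {i + 1} seen with epoch-1 key: {recovered!r}")
```

The example is deliberately about key separation, not cipher strength: swapping the keystream for real DES or 3DES would not change the structure, which is why the post's remark about rekeying holds regardless of which cipher is negotiated for phase 2.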