Remote Access and Site to Site VPN

During my career I have been able to deploy a number of VPN configurations to help support a corporate environment.

I was able to deploy Remote Access VPN services using Cisco VPN3000s and later Cisco ASAs (e.g. 5515X, 5525, 5585 models) to suit the requirements of the corporate environment. I was also able to use ASAs for Site-to-Site VPN to allow sharing sensitive corporate and medical information between organizations while maintaining the security of both corporate environments.

I have experience with software VPN products such as OpenVPN. OpenVPN was an excellent solution for out-of-band connectivity as there is good hardware and OS support. I used it to connect OpenGear terminals to a cloud VPS running OpenVPN so the terminals could be accessed when a network disaster happens. I have established CAs when using OpenVPN for certificate-based authentication of users and terminals.

WiFi – Centralized infrastructure

Wireless has become an essential access medium, but it has been a headache to manage on a larger scale. I got involved with migrating access points from autonomous to centrally managed when the company I was working for deployed 802.1X wireless authentication to try to get rid of an older web-based authentication. At that point we only had about 200 APs, but it was decided that changing them to lightweight and using central controllers was the way to go. We ended up deploying two Cisco WiSM1 modules (the second was for redundancy) and connecting them to the central authentication services (LDAP, Kerberos, AD) via a RADIUS server (Radiator).

The wireless network grew very quickly after that, and soon I was tasked with building a fully redundant central wireless module. I deployed two Cisco 6509s in VSS configuration; each had two Supervisors, one 10Gb module and 5 WiSM2 modules, with the last slot reserved in case of failure so we could swap cards if needed. The WiSM2 modules were initially installed as standalone, but were later run in AP-SSO mode to ensure our clients got the highest level of service. FortiGate firewalls were installed to provide content filtering and guest access; I used two of the 800C model in HA mode. Multiple VDOMs were used on the FortiGate to allow easy deployment of networks for guest companies on site, and this was coupled with VRF-Lite on the Cisco VSS MLS, allowing great flexibility.

This was coupled with FreeRADIUS (to proxy requests) and later Cisco ISE to offer the complete BYOD solution.