IPSec Security



  • We've recently purchased several pfSense firewalls to deploy to our remote facilities.  Most of the new firewalls are model SG-2440.  Most of the facilities are small (10 users or less) with adequate bandwidth (3mb or better).

    The old, remote firewalls typically used:  3DES for encryption, SHA1 hash, PFS Key Group of 5.  Really, just basic security.

    I'd like to create a more secure tunnel but I have no real idea of how an increase in security may impact performance.  Any insight that might move me to a reasonable compromise would be much appreciated.

    I'm considering AES192 or 256 for encryption, AES-x to HASH, and I'm really not sure on the PFS Key.  Thanks in advance.

    Miles



  • > I'm considering AES192 or 256 for encryption, AES-x to HASH, and I'm really not sure on the PFS Key.  Thanks in advance.

    IPSec with AES-GCM and then start first at AES128 and more if you will need it to see how great it works.



  • Good day!

    Thanks for the help.  I have no support at the remote sites, so if I get this wrong and need to change it-it could be very difficult.

    You'd try AES128 for encryption to start?  I will consider that.  AES over blowfish?  HASH?  Any thoughts on PFS Key Group?  I really do not know how changes in these methods will affect speed in a LIVE environment.



  • PFS keygroup 2 (1024bit) is rumored to be possible to break with an NSA-like budget. The PFS keygroup 5 should be fine as of now, higher PFS groups get really slow. For the symmetric ciphers like 3DES and AES128 there is no real world break known, but as AES128 should be faster than 3DES you should use AES. The hash does not matter as it is used for integrity check to my knowledge, at least if you are not using preshared key which you should not do.

    Regards

    Andreas
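
The question running through the whole thread is "how much will a stronger proposal cost me on a small box", and that can be measured rather than guessed. The script below is an added example, not something posted in the thread or shipped with pfSense: it runs `openssl speed` for the legacy algorithms (3DES, SHA1) next to the ones suggested in the replies (AES-128-CBC, AES-128-GCM, SHA256) and expresses each result as a multiple of the WAN link speed. It assumes the `openssl` command line tool (1.1.0 or newer, for the `-bytes` option) is installed on the machine you run it on, ideally the firewall itself or comparable hardware. The figures are raw single-core cipher throughput, not tunnel throughput; IKE, ESP framing and the firewall's own packet handling all come on top, so treat a headroom of only a few times the link speed as a warning sign.

```shell
#!/bin/sh
# Added example (not from the thread): benchmark the IPsec algorithm choices
# discussed above with `openssl speed` and compare them with the link speed.
# Assumes the openssl CLI (1.1.0+) is installed. Numbers are bulk cipher/hash
# speed only, not what the tunnel will actually carry.

BLOCK=16384   # a single block size keeps each measurement to one second
SECS=1

# Throughput of one EVP cipher or digest, printed as whole megabits per second.
# The last column of `openssl speed` is "1000s of bytes per second" with a 'k'
# suffix. OpenSSL 3 prints the algorithm name in upper case and 1.1 in lower
# case, so the row is matched case-insensitively.
algo_mbps() {
    openssl speed -evp "$1" -bytes "$BLOCK" -seconds "$SECS" 2>/dev/null \
      | awk -v name="$1" 'tolower($1) == tolower(name) {
            sub(/k$/, "", $NF); printf "%d\n", $NF * 8 / 1000 }'
}

# headroom MBPS LINK_MBPS: how many times over the algorithm could saturate the
# WAN. Well above 1 means the algorithm is not the bottleneck; close to 1 means
# the cipher alone would eat the link before ESP and IKE overhead are counted.
headroom() {
    awk -v m="$1" -v l="$2" 'BEGIN { printf "%.1f\n", m / l }'
}

# Side by side: the old proposal from the thread (3DES + SHA1) against the
# alternatives raised in the replies. AES-128-GCM authenticates on its own and
# needs no separate hash; SHA256 is listed as the usual replacement for SHA1.
compare_proposals() {
    link=${1:-3}   # the thread mentions 3 Mbit/s links at the small sites
    for a in des-ede3-cbc aes-128-cbc aes-128-gcm sha1 sha256; do
        m=$(algo_mbps "$a")
        printf '%-13s %8s Mbit/s  headroom x%s at %s Mbit/s\n' \
            "$a" "${m:-n/a}" "$(headroom "${m:-0}" "$link")" "$link"
    done
}

compare_proposals "${1:-3}"
```

Run it with the link speed in Mbit/s as the only argument (`sh ipsec-bench.sh 3`). On any SG-2440-class box with AES-NI the GCM row should come out far ahead of 3DES; what matters for the decision is whether every candidate still shows comfortable headroom over the slowest site's link, because that is the case where a wrong choice would be hardest to undo remotely.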

