I've bought some new toys for the network! I've got a fairly drastic perimeter redesign coming up in the next week or two to implement this stuff. Ultimately, my goal is to provide VPN access to everyone by the end of the year. Nothin' says sexy like a 256-bit AES VPN connection!
I haven't taken pictures of the new gear yet, so forgive the stock/borrowed pics:
First up, I bought this AIM-VPN/HPII-Plus card for my existing router. Cisco made a total of nine encryption cards for the 3745 router, of which this is the most powerful and feature-rich. It will allow me to support AES VPN tunnels in 128-bit and 256-bit flavors.
These bad boys will become the core of my network security strategy. These are Cisco PIX 525 firewalls that operate as a failover bundle. I've maxed them out with 512MB of PC100 ECC SDRAM and have upgraded them with the latest OS and management software.
In addition to maxing out the RAM, I've added five more network interfaces to each PIX along with this bad boy. The Cisco PIX-VAC-PLUS serves a similar role to the AIM-VPN/HPII-Plus above and offloads encryption duties from the CPU. It increases the VPN throughput of the PIX 525 from 30Mbps to ~145Mbps.
For intrusion prevention, I picked up a Cisco IDS 4215. This device sits inline and monitors all traffic that passes through the network, looking for known-bad traffic. Think of it as a network-based antivirus/anti-malware device that also looks for attack signatures (hacking attempts, port scanning/reconnaissance, etc.).
Finally, I picked up this bad boy to terminate VPN connections. It's a Cisco 3030 VPN concentrator. Fully loaded, it is capable of supporting up to 10,000 VPN connections. Somehow, I don't think we'll need quite that many.