Secure Your Cloud Tenancy with IPSec and Dynamic VPN Tunnels

Recent industry studies reveal that many customers open up firewalls to access their cloud platforms without adhering to proper security policies and procedures. This oversight exposes businesses to significant risk: a security breach can cause irreparable damage or take years to recover from. Applying intrusion detection and prevention rules without first establishing fundamental security measures increases security maintenance costs.

Since 2004, Vast Edge has been helping companies secure their businesses by following proven security policies and procedures, using industry-standard tools and methods.

Recommendations for Secure Data Transfer

Vast Edge recommends using a combination of IPSec (Internet Protocol Security) and Dynamic VPN to ensure secure data transfer. This combination encrypts all IP traffic before the packets are transferred from the source to the destination, enhancing security.

Benefits of IPSec VPN Site-to-Site Tunnels

Cost-Effective

Utilizes telecommunication lines, eliminating the need for dedicated, expensive leased lines.

Privacy

Hides internal IP addresses from external users.

Security

Encrypts all communication between the source and destination sites.

Key Considerations

  • Tunnel Mode: Oracle Cloud Infrastructure supports only tunnel mode for IPSec VPNs.

  • Permissions: Appropriate permissions are required to configure IPSec.

  • Routing Protocol: Border Gateway Protocol (BGP) is not supported for Oracle IPSec VPN.

  • Static Routes: After setting up the IPSec VPN, you cannot edit or expand the list of static routes. To change them, you must delete and recreate the IPSec connection.

  • Asymmetric Routing: Oracle uses asymmetric routing across multiple tunnels. Configure your firewalls to accommodate this so that ping tests and application traffic work reliably.

IPSec VPN Components

  • CPE Object:
    A virtual representation of your actual router in your on-premises network, containing basic information such as its IP address.

  • Dynamic Routing Gateway (DRG):
    A virtual router at Oracle's end that acts as the gateway from your on-premises network to your VCN. After creating a DRG, attach it to your VCN and add route rules. The DRG can be detached and reattached as needed.

  • IPSec Connection:
    Connect the CPE object and DRG by creating an IPSec connection, resulting in multiple redundant IPSec tunnels. Configure your on-premises router to support all tunnels for redundancy.

  • Access Control:
    Configure access control by specifying compartments for each component or placing all components in the same compartment as the VCN.

  • Component Names and Identifiers:
    Optionally assign descriptive names to each component for easier management.

  • Static Routes:
    Specify one or more static routes for the network that needs to communicate with the VCN when creating the IPSec connection.

Setting Up an IPSec VPN

  • Create Your VCN:
    ➤ Create a Virtual Cloud Network (VCN).

  • Create a DRG:
    ➤ Create a Dynamic Routing Gateway.

  • Attach the DRG:
    ➤ Attach the DRG to your VCN.

  • Create Route Table and Rules:
    ➤ Create a route table and add route rules for the DRG.

  • Create Security List and Rules:
    ➤ Define a security list and the necessary rules.

  • Create a Subnet:
    ➤ Create a subnet in the VCN.

  • Create a CPE Object:
    ➤ Provide your router's public IP address.

  • Create an IPSec Connection:
    ➤ From your DRG, create an IPSec connection to the CPE object and specify static routes.

  • Configure Your CPE:
    ➤ Include general information about the VCN and specific information for each IPSec tunnel.

  • Validate the Connection:
    ➤ Ensure the connection is properly configured and functional.
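
A pre-flight check for the plan above, as an added example (not Vast Edge or Oracle code): because the static routes cannot be edited once the IPSec connection exists, it validates them against the VCN CIDR, the DRG route rules and the security list sources before anything is created. The function name, its parameters and the sample CIDRs are assumptions constructed for illustration; the samples are IPv4 only.

```python
import ipaddress

def within(inner, outer):
    """True when `inner` lies entirely inside `outer` (same IP version)."""
    return inner.version == outer.version and inner.subnet_of(outer)

def preflight(vcn_cidr, static_routes, drg_route_rules, ingress_sources):
    """Return a list of problems in a planned IPSec VPN setup.

    All four parameters are hypothetical plan inputs, not OCI API objects.
    """
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr)
    routes = []
    for cidr in static_routes:
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            problems.append(f"static route {cidr}: {exc}")
            continue
        if net.overlaps(vcn):
            problems.append(f"static route {cidr} overlaps VCN {vcn_cidr}")
        routes.append(net)
    if not routes:
        problems.append("no valid static route for the IPSec connection")
    # Every on-premises network needs a route rule that targets the DRG.
    rules = [ipaddress.ip_network(r) for r in drg_route_rules]
    for net in routes:
        if not any(within(net, rule) for rule in rules):
            problems.append(f"no DRG route rule covers {net}")
    # Security list ingress should name on-premises ranges, not the internet.
    for src in ingress_sources:
        src_net = ipaddress.ip_network(src)
        if not any(within(src_net, net) for net in routes):
            problems.append(f"ingress source {src} is wider than the static routes")
    return problems

# Constructed sample plans (not taken from any real tenancy).
GOOD = ("10.0.0.0/16", ["192.168.0.0/24", "192.168.1.0/24"],
        ["192.168.0.0/16"], ["192.168.0.0/24"])
BAD = ("10.0.0.0/16", ["10.0.5.0/24", "192.168.1.10/24"],
       ["192.168.0.0/16"], ["0.0.0.0/0"])

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, preflight(*plan) or "ok")
```

Running the check before the Create an IPSec Connection step avoids having to delete and recreate the connection to correct a mistyped static route.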

About Vast Edge

Founded in 2004, Vast Edge is a leading IT consulting company and global service provider specializing in business intelligence, big data analytics, cloud ERP, IoT platforms, enterprise backup, disaster recovery, blockchain, Cassandra, AI/ML, and integration solutions. We focus on application modernization, continuous change management, and implementing advanced project development methodologies.


Copyrights © 27 July 2024 All Rights Reserved by Vast Edge Inc.