I have a dedicated T1 line that runs between my office and my data center. Both ends have public IP addresses.
On both ends, we have AdTran T1 routers which connect to SonicWall firewalls.
The SonicWalls do a site-to-site VPN and handle the network translation, so the computers on the office network (10.0.100.x) can access the servers in the rack (10.0.103.x).
So the question: can I just add a static route to the SonicWalls so each network can access each other without the VPN? Are there security problems (such as someone else adding the appropriate static route and being able to access either the office or the datacenter)? Is there another / better way to do it?
The reason I'm looking at this is because the T1 is already a pretty small pipe, and having the VPN overhead makes connectivity really slow.
--
Clarifications (thanks for the answers so far):
The stumbling block for me is that the T1 has a public IP address. If I set up a route at the office that says "you can find the gateway for 10.0.103.0 at 200.X.Y.Z", can some dude on the internet also set up the same route and also be able to access my 10.0.103.0 network?
With the VPN, I know it's not possible because there are authorization protocols which prevent outside people from getting in.
Alternatively, I guess the question is "What is the correct way to route between two remote networks over a T1 line?"
The T1 in question has a physical endpoint in my office, and another physical endpoint somewhere at the datacenter, but again, the IP address is public.
I'm not concerned that the telco or datacenter people are sniffing my passwords (if they were, that would sure suck, but that situation is above my paranoia threshold :).
What do you mean by "need"? It's probably pretty safe but not 100% safe. Do you have a physical dedicated copper wire between them? Don't think so. Probably just two T1s that then go via your provider's network with dedicated bandwidth. So somebody on the provider's network can intercept your data. So if this is really sensitive the answer is no.
Depending on the model of Cisco routers and whether they are up to date with the latest IOS. Hire a Cisco admin to configure the routers correctly and you'll be able to eliminate the Sonicwalls altogether.
All you need is a hardened ACL and routing configured correctly.
But VPN traffic shouldn't slow down the connection that much; I'd start testing for dropped traffic and see if you are being attacked.
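The worry in the question (someone on the internet adding the same static route) and the "hardened ACL" answer above come down to the same mechanism: a router decides what to do with a packet from the interface it arrived on and the addresses it carries, never from anything configured on the sender's machine. The following is an added example, not the page's own configuration and not AdTran, Cisco or SonicWall syntax: a small Python model of the datacenter-side T1 router with longest-prefix routing and an ingress ACL on its public interface. The public endpoint addresses (198.51.100.1 / .2) are constructed placeholders for the "200.X.Y.Z" in the question; the 10.0.100.0/24 and 10.0.103.0/24 prefixes are the ones the question gives.

```python
"""Model of the datacenter-side T1 router: longest-prefix routing plus an
ingress ACL on the public (T1) interface.  Added example with constructed
placeholder addresses; not the page's router configuration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed placeholders (TEST-NET-2) standing in for the public T1 endpoints.
OFFICE_T1 = "198.51.100.1"
DC_T1 = "198.51.100.2"
OFFICE_LAN = IPNet("10.0.100.0/24")   # office network from the question
DC_LAN = IPNet("10.0.103.0/24")       # datacenter rack network from the question
ANY = IPNet("0.0.0.0/0")


def host(addr: str) -> IPNet:
    """A single-address prefix, the /32 'host' form used in router ACLs."""
    return IPNet(addr + "/32")


class Router:
    def __init__(self) -> None:
        # (prefix, egress interface, next hop or None when directly connected)
        self.routes: list[tuple[IPNet, str, str | None]] = []
        # interface name -> ordered list of (action, source prefix, destination prefix)
        self.ingress_acl: dict[str, list[tuple[str, IPNet, IPNet]]] = {}

    def add_route(self, prefix: str, iface: str, via: str | None = None) -> None:
        self.routes.append((IPNet(prefix), iface, via))

    def lookup(self, dst: str) -> tuple[str, str | None] | None:
        """Longest-prefix match on the destination only; None when no route exists."""
        addr = ipaddress.IPv4Address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        _, iface, via = max(matches, key=lambda r: r[0].prefixlen)
        return iface, via

    def acl_permits(self, iface: str, pkt: Packet) -> bool:
        """First matching rule wins; an interface with an ACL bound ends in implicit deny."""
        rules = self.ingress_acl.get(iface)
        if rules is None:
            return True  # no ACL on this interface: everything passes
        s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        for action, src_net, dst_net in rules:
            if s in src_net and d in dst_net:
                return action == "permit"
        return False

    def forward(self, iface_in: str, pkt: Packet) -> tuple[str, str]:
        """Apply the ingress ACL, then route; the sender's own routing table plays no part."""
        if not self.acl_permits(iface_in, pkt):
            return ("drop", f"acl on {iface_in}")
        route = self.lookup(pkt.dst)
        if route is None:
            return ("drop", "no route")
        iface_out, via = route
        return ("forward", iface_out if via is None else f"{iface_out} via {via}")


def build_dc_router() -> Router:
    r = Router()
    r.add_route("10.0.103.0/24", "lan")                # connected datacenter LAN
    r.add_route("10.0.100.0/24", "t1", via=OFFICE_T1)  # static route back to the office LAN
    r.ingress_acl["t1"] = [
        ("deny",   DC_LAN,          ANY),          # our own prefix must never arrive from the WAN side
        ("permit", OFFICE_LAN,      DC_LAN),       # office hosts to datacenter hosts
        ("permit", host(OFFICE_T1), host(DC_T1)),  # peer router to this router
        # implicit deny: anything else reaching the public interface is dropped
    ]
    return r


# Constructed packets exercising the policy.
office_to_dc = Packet("10.0.100.20", "10.0.103.5")
stranger_to_dc = Packet("203.0.113.9", "10.0.103.5")  # internet host that added its own static route
spoofed_local = Packet("10.0.103.7", "10.0.103.5")    # our own prefix as a source, arriving from the WAN
dc_to_office = Packet("10.0.103.5", "10.0.100.20")

if __name__ == "__main__":
    dc = build_dc_router()
    for iface, pkt in [("t1", office_to_dc), ("t1", stranger_to_dc),
                       ("t1", spoofed_local), ("lan", dc_to_office)]:
        print(iface, pkt, "->", dc.forward(iface, pkt))
```

Two things the model makes visible. First, the stranger's packet is dropped by the ACL regardless of what routes the stranger configured, which is the answer to the question's worry; without the ACL it would be forwarded, which is why "routing configured correctly" is not enough on its own. Second, the ACL only ever sees addresses: a packet that reaches the T1 carrying a 10.0.100.x source looks identical to genuine office traffic, so address filtering gives you isolation from the wider internet but not the peer authentication (or confidentiality) that the IPsec VPN was providing, which is exactly the trade-off the question is weighing.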
Do you trust your telco?
Do you trust your own network?
Encryption costs latency?
How sensitive is the data?
What data is flowing over the T1 line, and why?
What are you trying to protect, and from whom?
If you start using encryption, can you troubleshoot it if it goes wrong?
When you send data over the Internet you are risking having someone intercept the data. What you should really be asking is whether the company considers its data confidential.
If not, then remove the VPN; don't expect a big boost if you do.
You could also see if your company can afford a cable or DSL line; it can help reduce the load. Good luck!
Sounds simple: routers/firewalls should have VPN accelerator hardware built in.
And to be honest, SonicWall firewalls worry me a bit;
have you ever considered a Cisco ASA or a higher-quality firewall unit?
I think that will be where the improvement is made.
The inside workings of the unit are what is causing your problem with VPN throughput.
Eric.