[SunRescue] OT:VPN WAN's

Christopher Byrne rescue at sunhelp.org
Fri Feb 9 02:50:00 CST 2001


Steve,

Okay there's a basic list of questions you need to answer here.

1. What's your budget
2. What are your security requirements
3. What are your administrative capabilities
4. How much throughput do you need
5. How many simultaneous sessions do you need to support
6. Do these need to be "always on" connections
7. How many users at each site
8. Do you want site-to-site or client-to-site VPNs, or both (for remote
access users for example)
9. What exactly do you mean when you say it needs to support Windows domain
authentication? Do you want users to authenticate to the firewall using
their Windows authentication information, or do you just want people to be
able to access domain resources transparently over this VPN? Both are
available but the first is harder and more expensive.

You can get on the cheap with an Intel based box running a free *nix and
something like FreeS/WAN. You can (and should) also set these boxes up as
firewalls, preferably running a stateful inspection package such as are
available for BSD, and now for Linux with the 2.4 kernel. These have the
advantage of being relatively cheap, and fairly secure, but this way
requires a lot of administrative talent to start up, and a reasonable amount
of continuous administrative overhead as each machine is another full blown
*nix box that has to be administered.

You can go a little more expensive and set up an NT/2000 box as a BDC, then
install something like the Network Associates/PGP server. This allows both
site-to-site and client-to-site VPNs. It's fairly easy to administer and
configure, but the performance is pretty low and it doesn't support a lot of
users or sessions simultaneously. The best thing about it is you can run it
on pretty much every desktop, laptop, server, whatever, and it's also
available for several unices. Now the reason I said set it up as a BDC is so
you can have clients authenticate to the VPN using their Windows logon
information, but I STRONGLY recommend you do not make any secure host,
especially one that communicates with the outside world, a member of a
Windows domain, and especially not a PDC or BDC, because if that host is
compromised it's pretty much over for your network.
If you do go this way, please install a firewall between the Internet and
your VPN server, and then allow ONLY the VPN traffic and DNS into that
system.

You also have as an option a dedicated VPN box like the Cisco (née Altiga)
3000 VPN concentrator or other offerings from Nortel and Lucent etc. These
boxes are 100% dedicated to running VPNs and are very good at it. They are
a moderate cost (starting point for the lower end boxes is around 3K, and
they go up into the 20K range). They almost all support both site-to-site
and client-to-site VPNs. They are also in general fairly simple to
administer and maintain. The disadvantage of them is the same as the host
based VPNs above: you need to have a separate firewall in front of them for
security.


The next step up is an honest to god firewall/VPN solution from someone like
Checkpoint. They are currently starting at around $1000 for a limited
capability small office box, and can run anywhere up to $45,000 for a 25,000
simultaneous encrypted connection monster with redundant everything and
fully distributed management etc.

Also if you don't require very high performance, NetScreen has a pretty good
solution, starting at about $750 for a 10 user box, and going up from there
(all the way up to 189K for the so called gigabit solution that only does
400 megabits).

The advantages of this solution are many. They offer both excellent VPN
capabilities and excellent security. They all offer site-to-site and
client-to-site VPNs and many different authentication and user management
methods, and they all have many other value added features. The
disadvantages are primarily the cost, which for larger configurations can be
quite large, and the complexity of the systems. They definitely require a
knowledgeable administrator to install and maintain them.

Now all I've done here is a scratch the surface overview, but I'd be glad to
talk more about this subject, either on list if people are interested or off
list.

Chris Byrne
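The firewall rule Chris gives above for a host-based VPN (let ONLY the VPN traffic and DNS reach the server) written out as an added iptables example for a Linux 2.4-style stateful firewall sitting in front of a FreeS/WAN (IPsec) host; this is not code from the thread. The server address and interface names are placeholders, and "DNS" is read as the lookups the VPN host itself needs to make.

```shell
#!/bin/sh
# Added example (not from the thread): stateful iptables rules for the firewall
# in front of an IPsec VPN host. Only IKE (UDP/500) and ESP (IP protocol 50)
# may reach the host from the Internet; the host may only send DNS queries out;
# everything else to the host is logged and dropped.
# Without arguments the script only prints the commands for review; pass
# "apply" to execute them as root.

VPN_HOST="192.0.2.10"      # placeholder: the VPN server's address
WAN_IF="eth0"              # placeholder: interface facing the Internet
DMZ_IF="eth1"              # placeholder: interface facing the VPN server

# Print or execute one iptables command depending on the mode.
run() {
    if [ "$MODE" = "apply" ]; then iptables "$@"; else echo "iptables $*"; fi
}

vpn_host_rules() {
    MODE="${1:-dryrun}"
    # Default deny for traffic passing through the firewall.
    run -P FORWARD DROP
    run -F FORWARD
    # Stateful inspection: replies to connections the VPN host opened, and
    # continuations of conversations already accepted, pass without more rules.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IPsec from the Internet to the VPN host: IKE key exchange and ESP payload.
    run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_HOST" -p udp --dport 500 -j ACCEPT
    run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_HOST" -p esp -j ACCEPT
    # DNS lookups from the VPN host (UDP first, TCP for large answers); the
    # replies come back through the ESTABLISHED rule above.
    run -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$VPN_HOST" -p udp --dport 53 -j ACCEPT
    run -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$VPN_HOST" -p tcp --dport 53 -j ACCEPT
    # Log anything else aimed at the host so probing of it shows up in syslog.
    run -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$VPN_HOST" -j LOG --log-prefix "vpn-host-drop: "
}

vpn_host_rules "$1"
```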


-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org] On
Behalf Of Hatle, Steven J.
Sent: Thursday, February 08, 2001 14:58
To: 'rescue at sunhelp.org'
Subject: [SunRescue] OT:VPN WAN's


All,

Pardon my digression, but I'd rather get the scoop from you guys than wade
through a bunch of sales droids.

Our company needs to put together a WAN encompassing 200 US cities. Mgmt.
would like to use the 'Net as our transport, instead of a frame-relay
network because of cost. A requirement of the WAN (frame or 'net) is to
support Windows authentication (PDC/BDC), management, software updates,
email, remote control, etc. No technical users would be at these sites, so we'd
have to do a ton from here; simplicity and supportability are key.

Are there viable VPN solutions to provide this functionality over the 'net?
Any hints, recommendations or commiseration are welcome.

TIA,

Steve

-----------------------------------------------------------------------
Steve Hatle
VUE - a Pearson company
shatle at vue.com
-----------------------------------------------------------------------
_______________________________________________
Rescue maillist  -  Rescue at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/rescue