On Fri, 2002-08-02 at 12:13, [EMAIL PROTECTED] wrote:

> In theory, this is a great idea. However, keep in mind that:
>
> Security = 1/productivity
>
> In many corporate situations, especially engineering environments,
> the implementation of a VPN would get in the way of development.

There are some good performance studies for FreeS/WAN and other
implementations at
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html
I'm not saying that there is *no* overhead, just that in a LAN
environment it is not a major factor. But again, it all comes down to:
what is the company willing to do to protect their data?

> For instance, my current environment is co-located between the US and
> Belgium. The folks in Belgium require direct access to our lab here,
> and vice-versa. Additionally, both groups require direct access to
> central corporate servers. A lot of what's going on requires high
> performance connectivity with as little latency introduced as
> possible. Placing a VPN client on some of these systems would
> automatically get in the way of a lot of the testing that is done.

You don't need to put a VPN client on the systems in a case like this.
You put a gateway at each end, and authenticate/encrypt/route on the
gateway. The users at either end most likely wouldn't even notice.

> As a result, there aren't even virus scanners on a lot of the systems
> in the labs. And, since the labs need direct access to corporate
> servers, the labs often become breeding grounds for virii.

You can get network virus scanners for routers now.... I don't pretend
to know anything about their usefulness, though.

> A proposal was made to VPN off all the labs, which would prevent a virus
> from escaping since the virus couldn't authenticate with the VPN,
> however, it was determined that there are no VPN servers at this time
> which will not slow down a GigE connection, which is required for a
> lot of the stuff going on here.
>
> (of course, since we only have a 2MB connection to Belgium, I don't
> see why the GigE thingy is a requirement for *our* situation :)

If you require GigE, but only have a 2MB connection, then security
isn't the problem... *MATH* is!! ;-)

> Also, as Ben pointed out, just because all the traffic between hosts
> is now encrypted, that doesn't prevent someone from using a box to
> internally probe your network looking for ways out.
>
> Once you're in, you're in, and if you can use that internal system to
> create a conduit you can get into from the outside, all bets are off!

In the scenario that I proposed, the traffic between hosts isn't just
encrypted, it is also authenticated through a central gateway. If you
put a box on the network, it will hit that gateway and stop, since
there is no way out without authenticating.

C-Ya,
Kenny

-- 
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
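The gateway-to-gateway setup Kenny describes, written out as an added example that is not part of the original thread or of any FreeS/WAN documentation: one ipsec.conf in FreeS/WAN 1.9x syntax that a US gateway and a Belgium gateway would both carry, tunnelling the two lab subnets through each other's gateway with RSA-signature authentication. The gateway addresses (RFC 5737 documentation ranges), lab subnets, host IDs and the truncated keys are placeholders I chose, not values from the thread.

```conf
# /etc/ipsec.conf on both gateways (FreeS/WAN 1.9x syntax).
# Hypothetical example: addresses, subnets, IDs and keys are placeholders.

config setup
    # %defaultroute: build the tunnel on whichever interface carries
    # the default route, so the same file works on either gateway.
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    # Peers prove identity with RSA signatures rather than a shared
    # secret, so a stray box on the LAN has nothing it could sniff and
    # replay to authenticate itself.
    authby=rsasig
    # Keep renegotiating forever; a dropped tunnel should come back alone.
    keyingtries=0

# Site-to-site tunnel: US lab (left) <-> Belgium lab (right).
# Lab hosts run no client; only the two gateways speak IPsec.
conn us-belgium
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftnexthop=%defaultroute
    leftid=@us-gw.example.com
    # Public key as printed by "ipsec showhostkey --left" on the US
    # gateway (placeholder, cut short here).
    leftrsasigkey=0sAQO...
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightnexthop=%defaultroute
    rightid=@be-gw.example.com
    # Public key from "ipsec showhostkey --right" on the Belgium gateway.
    rightrsasigkey=0sAQN...
    # Bring the tunnel up at boot instead of waiting for traffic.
    auto=start
```

Which side is "left" is only a labelling convention; each gateway matches its own interface address against left/right and takes the other role, so both ends can load the identical file. The part that makes the gateway the choke point Kenny mentions is the packet filter beside it, which this fragment does not include and which is my assumption about the design: with KLIPS, traffic decrypted from the tunnel is delivered as if it arrived on the ipsec0 interface, so a FORWARD policy that drops by default and accepts only packets between the two lab subnets passing between ipsec0 and the lab interface forwards nothing that was not authenticated first. Host-to-host GigE traffic inside one lab never touches the gateway, which is why the per-host client and its overhead are not needed.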