In a message dated: 02 Aug 2002 12:39:34 EDT
"Kenneth E. Lussier" said:

>I'm not saying that there is *no* overhead, just that in a LAN
>environment it is not a major factor.

Whether or not it's a factor depends upon what type of delay is
introduced vs. what is acceptable, and the definitions of 'factor', 
'major', and 'acceptable'.  Oh, and we probably need to agree upon 
what the definition of 'is' is just to be clear ;)

>But again, it all comes down to:
>What is the company willing to do to protect their data. 

True.  And in this particular instance, we can derive that from the 
required use of:  Win2K, Outlook, and Exchange :)

>> For instance, my current environment is co-located between the US and 
>> Belgium.  The folks in Belgium require direct access to our lab here,
>> and vice-versa.  Additionally, both groups require direct access to 
>> central corporate servers.  A lot of what's going on requires high 
>> performance connectivity with as little latency introduced as 
>> possible.  Placing a VPN client on some of these systems would 
>> automatically get in the way of a lot of the testing that is done.
>
>You don't need to put a VPN client on the systems in a case like this.
>You put a gateway at each end, and authenticate/encrypt/route on the
>gateway. The users at either end most likely wouldn't even notice. 

What would prevent a virus from spreading between the 2 locations 
then?  Since the tunnel is authenticated at the gateway level, it's 
nothing more than a router for all intents and purposes, right?

What was proposed was not setting things up as you suggest, but
essentially setting up a firewall that each client/person would need 
to authenticate against in order to access the non-lab corporate WAN.

So, not only would the users know, but performance *would* be 
impacted at the client level, since they would require VPN client sw 
installed on them.

>You can get network virus scanners for routers now.... I don't pretend
>to know anything about their usefulness, though. 

Yeah, I heard they stop all incoming SPAM as well.
Hey, do you know anyone that needs a bridge?  I have a nice one right 
between Queens and Brooklyn I'm looking to sell ;)  Or, if you 
prefer, I have another one in the San Fran/Bay area!
 
>> (of course, since we only have a 2MB connection to Belgium, I don't 
>> see why the GigE thingy is a requirement for *our* situation :)
>
>If you require GigE, but only have a 2MB connection, then security isn't
>the problem... *MATH* is!! ;-)

Well, keep in mind, we're not the only ones this proposal would 
affect.  Though the limiting connection between here and Belgium is 
only 2MB, the Massachusetts buildings are all connected by OC48 
trunks divided into multiple OC3 connections.  So there well may be 
some other group which has a GigE connection requirement between 
multiple buildings on this side of the puddle :)

>In the scenario that I proposed, the traffic between hosts isn't just 
>encrypted, it is also authenticated through a central gateway. If you
>put a box on the network, it will hit that gateway and stop, since there
>is no way out without authenticating.  

Oh, okay.  Either I missed that part of the explanation, or just 
didn't understand correctly what you were proposing.  That does make 
a lot of sense, and would be a nice configuration.  Hmmm, maybe I'll 
play with that one of these days when I finish playing with FAI :)
-- 

Seeya,
Paul
--
        It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

         If you're not having fun, you're not doing it right!
