Hm. Lots of interest in this one. Maybe we should be the firewallsandvpn list... For no other reason than it makes me happy to pontificate, I'll burden you all with my personal take on this stuff.

The Win2K VPN solution is a real IPSec VPN and has worked as far as I can test it. Someone suggested that it is lacking some features - I don't believe it is. You can roll out a CA, authenticate users based on LDAP, set up a "normal" IPSec tunnel etc etc - all with M$ products.

Your main problem with a Windows 2000 VPN solution is that it's much harder and more expensive than one would first think to manage your users' certificates (don't even _think_ about pre-shared keys for a large user base), provision the box so that it can deal with many encrypted tunnels, etc etc. Of course you'll have nasty management issues with any large VPN.

In addition, the Win2K VPN client is called "Windows 2000 Professional"[1]. This is a problem for many people. If you can't use/afford W2KPro everywhere then you need to get a third party IPSec client or fall back to using PPTP which, frankly, sucks. Someone mentioned that they didn't know of any compromises in the real world - I don't know of one either, but I do know that the crypto is busted (although better now that they can ship it full strength).

NAT is a red herring. There is a deep, deep discussion about this in the archives but this is The Delivered Truth - IPSec VPN stuff works with NAT, sometimes. Best to assume it doesn't. Insofar as it won't work, it won't work from any vendor. I start with a very low level of trust for any VPN solution that _will_ work easily through NAT. In fact, I start with a pretty low level of trust for most vendor-specific VPN stuff because the snake-oil level is often high.

All the people that talk about terminating the VPN in various places - I think you're misguided. The whole point of a VPN is that it gives people all the access that they would have if they were on the trusted LAN. You can't give them that and keep them at arm's length from a security standpoint, much as I'd love to keep all the users away from those nasty, easily broken "applications" and "services". VPNs, like dialin boxes, should terminate in the trusted network. This is why it's so vital to have a) good authentication and b) no VPN endpoint flaws that can lead to compromise.

On that topic, though, I think that I, too, would trust an OpenBSD box with some IPSec gateway on it more than a Win2k box. IPSec is a vast, bloated and ugly protocol with endless opportunity for someone to make a mistake. Therefore I mainly mistrust Win2K merely on the strength of it being young. I would be horrified at the idea of using weak auth for a VPN. If you can't use client-side certs then use two-factor auth of another kind (tokens etc etc).

Finally - my answer to the question: Don't look at the Windows 2000 cost as simply a license cost. Work out the total cost of implementation / maintenance. I have a feeling that Win2K is not mature enough to be easy to roll out for something large (although all the pieces are definitely there) and will therefore be more expensive than it was first assumed.

Cheers,

[1] Actually any OS that has native/easily added support for IPSec will work, so it's only Windows users that lose.

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304
Mobile: +61 414 411 520

[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
