FYI, I was not the original poster, nor am I looking to currently implement a
VPN solution :)
In a message dated: Tue, 01 Feb 2000 10:10:16 EST
Greg Kettmann said:
>Interoperability in the VPN space is a bit of a misnomer still. It's still a
>bit of the wild wild west with each vendor doing their own thing. The security
>standards are open and published, but which one is in use is up to each vendor.
I agree, though what I meant was, as you mentioned below, interop with various
clients.
>One of the larger questions is the clients you must support. If it's all
>Windows you have many choices. VPN is built into CheckPoint and I think
>Raptor as well.
>
>I personally do not recommend putting the function on your firewall. Nortel
>has a nice offering but I don't know if they have a Linux client. AT+T has
>an offering where they take care of the whole thing, again I don't know about
>Linux clients.
This is what I meant by interoperability. If you have a solution which does
not work with the clients you need to have, then it's not really a solution.
Nortel's (formerly Bay Network's, formerly New Oak's) solution is okay. I
find it to be quite robust, quite secure, and incredibly easy to configure and
manage. However, the only client they support is Win95. NT does not work,
nor do they support Linux. As a matter of fact, they have been quite emphatic
about *not* supporting Linux or Unix of any kind (I spent 2 days e-mailing the
product manager for this product to no avail :( ).
>I use Aventail. I know they're working on a Linux client but I haven't seen
>it yet.
>
>The Linux based commercial solutions sound great to me but you're correct that
>they will require a bit more setup (That is they are not a purchased, turn key
>solution). They appeal strongly to me because they will have Linux clients.
Why would a commercial, Linux based solution take longer or require more
setup? I would expect a commercial offering, regardless of the OS it's based
on to require less setup time than a non-commercial, homegrown solution. If
it doesn't, then I'm sending it back and building my own!
>One final thought. You said you were going site to site and not site to
>workstation. In that case you will want a VPN server on each end that will
>talk to each other. This can be done seamlessly to the user but allow secure
>data transport over the net.
Well, technically, I said nothing of the sort, someone else did :)
This can be done, but keep in mind, there is a performance penalty for doing this,
since both the inbound and outbound traffic must be [de,en]crypted at
each end. This can introduce tremendous latency into the connection.
We ran our site in this configuration for almost 3 weeks (until our T1 to
corporate came in). It was manageable, though at times it was downright
unbearable. This was not, however, due strictly to the VPN<->VPN tunnel we were
using, though that was a big part of it (one side or the other was continually
crashing).
--
Seeya,
Paul
----
Doing something stupid always costs less (up front) than doing
something intelligent.
Bean counters are *always* wrong!
A conclusion is simply the place where you got tired of thinking.
If you're not having fun, you're not doing it right!
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************