On Fri, 2002-08-02 at 12:13, [EMAIL PROTECTED] wrote:

> In theory, this is a great idea.  However, keep in mind that:
>       Security =  1/productivity
> In many corporate situations, especially engineering environments, 
> the implementation of a VPN would get in the way of development.

There are some good performance studies for FreeS/WAN and other
implimentations at

I'm not saying that there is *no* overhead, just that in a LAN
environment it is not a major factor. But again, it all comes down to:
What is the company willing to do to protect their data. 

> For instance, my current environment is co-located between the US and 
> Belgium.  The folks in Belgium require direct access to our lab here,
> and vice-versa.  Additionally, both groups require direct access to 
> central corporate servers.  A lot of what's going on requires high 
> performance connectivity with as little latency introduced as 
> possible.  Placing a VPN client on some of these systems would 
> automatically get in the way of a lot of the testing that is done.

You don't need to put a VPN client on the systems in a case like this.
You put a gateway at each end, and authenticate/encrypt/route on the
gateway. The users at either end most likely wouldn't even notice. 

> As a result, there aren't even virus scanners on a lot of the systems 
> in the labs.  And, since the labs need direct access to corporate
> servers, the labs often become breeding grounds for virii.

You can get network virus scanners for routers now.... I don't pretend
to know anything about their usefulness, though. 
> A proposal was made to VPN off all the labs, which would prevent a virus 
> from escaping since the virus couldn't authenticate with the VPN, 
> however, it was determined that there are no VPN servers at this time 
> which will not slow down a GigE connection, which is required for a 
> lot of the stuff going on here.
> (of course, since we only have a 2MB connection to Belgium, I don't 
> see why the GigE thingy is a requirement for *our* situation :)

If you require GigE, but only have a 2MB connection, then security isn't
the problem... *MATH* is!! ;-)

> Also, as Ben pointed out, just because all the traffic between hosts 
> is now encrypted, that doesn't prevent someone from using a box to 
> internally probe your network looking for ways out.
> Once you're in, you're in, and if you can use that internal system to 
> create a conduit you can get into from the outside, all bets are off!

In the scenario that I proposed, the traffic between hosts isn't just 
encrypted, it is also authenticated through a central gateway. If you
put a box on the network, it will hit that gateway and stop, since there
is no way out without authenticating.  

"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA

To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.

Reply via email to