On Sun, Mar 28, 2010 at 8:11 AM, Michael Richardson <[email protected]> wrote:
>
> I'm also one of the maintainers of Openswan.
>
> CISCO VPN adapters are not IPsec compliant, btw.
> There are hacks in Openswan to make it work with "CISCO VPN Adapters" (not
> to be confused with CISCO IPsec solutions).
>
> OpenVPN has the advantage that it can innovate very quickly, since it is
> portable open source that runs on multiple platforms. It has the
> disadvantage that the group of people who work on it is small, and if
> there is a bug, it affects all versions. The OpenVPN folks have gotten
> lots right, but also lots and lots wrong.

Also I would probably point out that being non-standards-compliant is both an advantage and a disadvantage. The advantage is that they are not bound specifically to the standards specs. The disadvantage is that they have to re-invent a lot of things themselves.

> If openvpn works for someone then great, use it.

Sure.

>
> One of the major challenges of IPsec is that Microsoft just hasn't made
> it easy, and Apple has been rather "well, it works with CISCO VPN
> Adapters, we are done".

Speaking as a former Microsoftie, I have often been impressed at how hard Microsoft can make it to do basic things... For example, setting up a printer for "all users" at least as late as XP required hacking the registry. I haven't tried on Vista or Windows 7. However, this affects LedgerSMB because it means that a small business installation of the software on Windows requires registry hacks... I believe this is a strategy to provide greater lock-in and product sales (want to be able to print from a network service? Buy our server software instead!). Microsoft software is furthermore only "easy" to interoperate with other Microsoft software, and everything else is system integrator territory. I haven't played around much with Windows and IPsec, but I would be honestly surprised if it were easy.

> As far as I'm concerned, SSH tunnels (from Windows, using passwords),
> SSL (HTTPS), IPsec (using PSK), and OpenVPN (often using PSK) are all
> pretty much equivalent in security. HTTPS is the simplest to support.

Properly configured, I would generally agree with this. The only thing I would add is that I would only put HTTPS in that category for access to LedgerSMB if client-side certificates are verified. HTTPS otherwise is nothing more than an anti-eavesdropping measure and fails to provide the additional level of protection that requiring a pre-shared key in the other options provides.

Best Wishes,
Chris Travers
