Re: automated site to site vpn recommendations

2016-06-29 Thread Tim Raphael
There is a downside to subscription pricing for the vendor: they don't get the 
instant cashflow they're used to. I know Cisco seems to be taking a tactic 
where only some product lines use subscriptions and the others are on a typical 
enterprise 3-5 year replacement cycle to provide Cisco with the large cash 
injections upon upgrade.

Tim 

> On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> 
>> On 6/29/16 15:33, Eric Kuhnke wrote:
>> My biggest issue with Meraki is the fundamentally flawed business model,
>> biased in favor of vendor lock in and endlessly recurring payments to the
>> equipment vendor rather than the ISP or enterprise end user.
>> 
>> You should not have to pay a yearly subscription fee to keep your in-house
>> 802.11(abgn/ac) wifi access points operating. The very idea that the
>> equipment you purchased which worked flawlessly on day one will stop
>> working not because it's broken, or obsolete, but because your
>> *subscription* expired...
> 
> 
> I'm sure most hardware makers would love to lock in a revenue stream of "keep 
> me working" subscriptions if they could get away with it. From the company's 
> perspective what's not to love about that kind of guaranteed revenue?
> 
> I often wonder if Microsoft will someday make Office365 the only way to get 
> Office, which if you don't maintain a subscription your locally installed 
> copy of Word will cease to function.
> 
> ~Seth


Re: automated site to site vpn recommendations

2016-06-29 Thread Karl Auer
On Wed, 2016-06-29 at 16:00 -0700, Seth Mattinen wrote:
> I often wonder if Microsoft will someday make Office365 the only way
> to get Office, which if you don't maintain a subscription your 
> locally installed copy of Word will cease to function.

I live for that day.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4

Re: automated site to site vpn recommendations

2016-06-29 Thread Seth Mattinen

On 6/29/16 15:33, Eric Kuhnke wrote:

My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...



I'm sure most hardware makers would love to lock in a revenue stream of 
"keep me working" subscriptions if they could get away with it. From the 
company's perspective what's not to love about that kind of guaranteed 
revenue?


I often wonder if Microsoft will someday make Office365 the only way to 
get Office, which if you don't maintain a subscription your locally 
installed copy of Word will cease to function.


~Seth


Re: automated site to site vpn recommendations

2016-06-29 Thread Spencer Ryan
I treat Meraki like SmartNET. The subscription comes with lifetime support
(TAC + Warranty); you do have support on your production network gear, don't
you? It's not like they trick you going into it either. I for one am a huge
fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Wed, Jun 29, 2016 at 6:33 PM, Eric Kuhnke  wrote:

> My biggest issue with Meraki is the fundamentally flawed business model,
> biased in favor of vendor lock in and endlessly recurring payments to the
> equipment vendor rather than the ISP or enterprise end user.
>
> You should not have to pay a yearly subscription fee to keep your in-house
> 802.11(abgn/ac) wifi access points operating. The very idea that the
> equipment you purchased which worked flawlessly on day one will stop
> working not because it's broken, or obsolete, but because your
> *subscription* expired...
>
> If you want wifi with a centralized controller there's lots of ways to do
> it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
> segment as the Unifis, or with its own management vlan), or with Unifi APs
> programmed to find a controller by hostname/IP address (L3).
>
>
>
> On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash  wrote:
>
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to
> leave
> > their desk.  I have no reason to believe that they are malicious, or in
> the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on
> performance,
> > > and are by far the simplest platform to offer a field person.  They're
> > also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress
> > for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote
> VPN
> > > tunnel control), and we've found they punch above their weight and
> their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your
> > VPN,
> > > Meraki is the way to go.  Be careful though: they have to be
> continually
> > > licensed to work and can get pretty expensive if you go for the higher
> > end
> > > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides look
> > >> -mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet,
> USB
> > >> for a wireless dongle or storage, and has a highly-scriptable
> operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >>
> ~~~
> > >> Karl Auer (ka...@biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> > >>
> > >>
> > >>
> > >>
> >
> >
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Eric Kuhnke
My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do
it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
segment as the Unifis, or with its own management vlan), or with Unifi APs
programmed to find a controller by hostname/IP address (L3).



On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash  wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
> paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> >
> >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> >>> In some cases...
> >>
> >> The words "in some cases" are a problem with any supposedly plug and
> >> play solution.
> >>
> >>> We really could use a simple solution that you
> >>> just flip on, it calls home, and works...
> >>
> >> ...but still requiring someone to enter credentials of some sort,
> >> right? Otherwise you have a device wandering about that provides look
> >> -mum-no-hands access to your corporate network.
> >>
> >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> >> for a wireless dongle or storage, and has a highly-scriptable operating
> >> system. Not a bad platform.
> >>
> >> Regards, K.
> >>
> >> --
> >> ~~~
> >> Karl Auer (ka...@biplane.com.au)
> >> http://www.biplane.com.au/kauer
> >> http://twitter.com/kauer389
> >>
> >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> >>
> >>
> >>
> >>
>
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Greg Sowell
Lorenzo did a MUM presentation (https://www.youtube.com/watch?v=VeZetH9uX_Y)
on how road warriors can connect with a Mikrotik to automatically
configure VPN.  Pretty novel idea using inexpensive hardware.  It may not
be as user friendly as you need, though.

On Tue, Jun 28, 2016 at 11:21 AM, Richard Greasley 
wrote:

> Another option is Checkpoint Edge devices.
> We use them worldwide with little to no problems.
> They're centrally managed and support central logging which is a plus when
> trying to diagnose issues.
> They support dynamic IP addresses as well, so just plug it in and you
> should be good to go.
> Not the cheapest solution, but for sure they get the job done.
>
> Regards,
> Richard.
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Dan Stralka
> Sent: Monday, June 27, 2016 6:28 PM
> To: Karl Auer
> Cc: nanog@nanog.org
> Subject: Re: automated site to site vpn recommendations
>
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person.  They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
>
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
>
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go.  Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear.  Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
>
> Dan
>
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
>
> > On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > > In some cases...
> >
> > The words "in some cases" are a problem with any supposedly plug and
> > play solution.
> >
> > > We really could use a simple solution that you
> > > just flip on, it calls home, and works...
> >
> > ...but still requiring someone to enter credentials of some sort,
> > right? Otherwise you have a device wandering about that provides look
> > -mum-no-hands access to your corporate network.
> >
> > MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > for a wireless dongle or storage, and has a highly-scriptable operating
> > system. Not a bad platform.
> >
> > Regards, K.
> >
> > --
> > ~~~
> > Karl Auer (ka...@biplane.com.au)
> > http://www.biplane.com.au/kauer
> > http://twitter.com/kauer389
> >
> > GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>
>
>
>


-- 

GregSowell.com
TheBrothersWISP.com


RE: automated site to site vpn recommendations

2016-06-29 Thread c b
Guys, thanks for all the responses. Thanks to everyone's feedback, we have a 
number of options that were not on the original list and that is what I was 
hoping for. Now it's a matter of comparing 
cost/learning-curve/support-challenge/compatibility with tools/monitoring, 
etc...
Thanks again.

> From: r...@tehorange.com
> Date: Wed, 29 Jun 2016 09:03:06 -0400
> Subject: Re: automated site to site vpn recommendations
> To: p...@nashnetworks.ca
> CC: nanog@nanog.org
> 
> For several of our clients, we use Sophos UTMs coupled with their RED
> units.  Once registered with the UTM, the RED unit auto creates an SSL
> based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
> its config when it boots. It's similar to the function of Meraki without
> the direct cloud management portion, though the config profile does get
> pushed to a section of Sophos' cloud.
> 
> -Rich
> 
> On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash  wrote:
> 
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to leave
> > their desk.  I have no reason to believe that they are malicious, or in the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on performance,
> > > and are by far the simplest platform to offer a field person.  They're
> > also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress
> > for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > > tunnel control), and we've found they punch above their weight and their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your
> > VPN,
> > > Meraki is the way to go.  Be careful though: they have to be continually
> > > licensed to work and can get pretty expensive if you go for the higher
> > end
> > > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides look
> > >> -mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > >> for a wireless dongle or storage, and has a highly-scriptable operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >> ~~~
> > >> Karl Auer (ka...@biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> > >>
> > >>
> > >>
> > >>
> >
> >
  

Re: automated site to site vpn recommendations

2016-06-29 Thread Rich Testani
For several of our clients, we use Sophos UTMs coupled with their RED
units.  Once registered with the UTM, the RED unit auto creates an SSL
based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
its config when it boots. It's similar to the function of Meraki without
the direct cloud management portion, though the config profile does get
pushed to a section of Sophos' cloud.

-Rich

On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash  wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
> paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> >
> >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> >>> In some cases...
> >>
> >> The words "in some cases" are a problem with any supposedly plug and
> >> play solution.
> >>
> >>> We really could use a simple solution that you
> >>> just flip on, it calls home, and works...
> >>
> >> ...but still requiring someone to enter credentials of some sort,
> >> right? Otherwise you have a device wandering about that provides look
> >> -mum-no-hands access to your corporate network.
> >>
> >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> >> for a wireless dongle or storage, and has a highly-scriptable operating
> >> system. Not a bad platform.
> >>
> >> Regards, K.
> >>
> >> --
> >> ~~~
> >> Karl Auer (ka...@biplane.com.au)
> >> http://www.biplane.com.au/kauer
> >> http://twitter.com/kauer389
> >>
> >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> >>
> >>
> >>
> >>
>
>


Re: automated site to site vpn recommendations

2016-06-29 Thread Shawn L

I believe they fixed this -- when I've spoken to tech support recently, I had 
to give them a tech support key so that they could access the devices I had 
questions about.
 


-Original Message-
From: "Paul Nash" 
Sent: Wednesday, June 29, 2016 8:55am
To: "Untitled 3" 
Subject: Re: automated site to site vpn recommendations



My biggest issue with Meraki is that their tech staff can run tcpdump on the 
wired or wireless interface of your Meraki box without having to leave their 
desk. I have no reason to believe that they are malicious, or in the pay of the 
NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; 
you have to decide how you feel about the insecurity.

 paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> 
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person. They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
> 
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
> 
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go. Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear. Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
> 
> Dan
> 
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> 
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>> 
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>> 
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>> 
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides look
>> -mum-no-hands access to your corporate network.
>> 
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>> 
>> Regards, K.
>> 
>> --
>> ~~~
>> Karl Auer (ka...@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> 
>> 
>> 
>> 




Re: automated site to site vpn recommendations

2016-06-29 Thread Paul Nash
My biggest issue with Meraki is that their tech staff can run tcpdump on the 
wired or wireless interface of your Meraki box without having to leave their 
desk.  I have no reason to believe that they are malicious, or in the pay of 
the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; 
you have to decide how you feel about the insecurity.

paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka  wrote:
> 
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person.  They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
> 
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
> 
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go.  Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear.  Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
> 
> Dan
> 
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer"  wrote:
> 
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>> 
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>> 
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>> 
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides look
>> -mum-no-hands access to your corporate network.
>> 
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>> 
>> Regards, K.
>> 
>> --
>> ~~~
>> Karl Auer (ka...@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>> 
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
>> 
>> 
>> 
>> 

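Three security points recur in this thread: Karl Auer's (quoted above in Paul Nash's reply) that a "flip it on and it calls home" device must still present a credential or it hands look-mum-no-hands access to whoever holds the box; Dan Stralka's "inability to use if stolen"; and Shawn L's note that vendor support now needs a customer-issued tech support key. The following is an added example, not code from Meraki, Sophos, MikroTik or any poster, showing one way a management controller can enforce all three with a single HMAC token scheme: a per-device, single-use, expiring enrollment token bound to the serial, a revocation list for stolen units, and a time-limited support key. Every name, serial, secret and timestamp below is a constructed placeholder, and the config it "releases" is a stand-in for the VPN peers and keys a real controller would push.

```python
"""
Added example (not vendor or poster code): controller-side checks for a
zero-touch device. Tokens are subject.scope.expiry.nonce.hmac, where the HMAC
is computed with a secret that never leaves the controller. All values here
are constructed placeholders.
"""
import hashlib
import hmac
import secrets

# Constructed placeholder; a real controller keeps this in a secret store or HSM.
CONTROLLER_SECRET = b"constructed-controller-secret-not-for-real-use"


def _mac(secret: bytes, *fields: str) -> str:
    # HMAC-SHA256 over the token fields joined with a separator.
    return hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue_token(secret: bytes, subject: str, scope: str, ttl_s: int, now: int) -> str:
    """Mint a token bound to a subject (device serial), a scope ("enroll" or
    "support") and an absolute expiry. The random nonce makes it single-use."""
    exp = str(now + ttl_s)
    nonce = secrets.token_hex(8)
    return ".".join([subject, scope, exp, nonce, _mac(secret, subject, scope, exp, nonce)])


def verify_token(secret: bytes, token: str, subject: str, scope: str, now: int,
                 used_nonces: set) -> tuple:
    """Return (ok, reason). The MAC is checked first, so no field is trusted
    before the token is proven authentic; then binding, expiry and replay."""
    parts = token.rsplit(".", 4)          # rsplit so a subject may itself contain dots
    if len(parts) != 5:
        return False, "malformed"
    t_subject, t_scope, t_exp, t_nonce, t_tag = parts
    if not hmac.compare_digest(_mac(secret, t_subject, t_scope, t_exp, t_nonce), t_tag):
        return False, "bad-mac"
    if t_subject != subject:
        return False, "wrong-subject"     # token was minted for a different device
    if t_scope != scope:
        return False, "wrong-scope"       # e.g. an enroll token offered as a support key
    if now > int(t_exp):
        return False, "expired"
    if t_nonce in used_nonces:
        return False, "replayed"
    used_nonces.add(t_nonce)
    return True, "ok"


class Controller:
    """Toy management controller: releases a site config only to a device that
    presents a valid enrollment token, refuses serials reported stolen, and
    admits vendor support only with a customer-issued, still-valid key."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used = set()            # nonces already consumed
        self.revoked = set()         # serials reported stolen
        self.configs = {}            # serial -> config released so far

    def enroll(self, serial: str, token: str, now: int):
        if serial in self.revoked:
            return None, "revoked"
        ok, why = verify_token(self.secret, token, serial, "enroll", now, self.used)
        if not ok:
            return None, why
        # Constructed stand-in for the VPN peer list, keys and ACLs a real controller pushes.
        cfg = {"serial": serial, "vpn_peer": "hub.example.invalid", "site": "branch-" + serial[-4:]}
        self.configs[serial] = cfg
        return cfg, "ok"

    def report_stolen(self, serial: str) -> None:
        self.revoked.add(serial)
        self.configs.pop(serial, None)

    def support_access(self, serial: str, key: str, now: int) -> tuple:
        return verify_token(self.secret, key, serial, "support", now, self.used)


def demo() -> dict:
    """Walk through the cases argued in the thread and return each outcome."""
    c = Controller(CONTROLLER_SECRET)
    now = 1_467_244_800                       # constructed epoch time (2016-06-30)
    serial_a, serial_b = "SN-CONSTRUCTED-0001", "SN-CONSTRUCTED-0002"
    results = {}
    tok_a = issue_token(c.secret, serial_a, "enroll", 3600, now)
    cfg, results["fresh_enroll"] = c.enroll(serial_a, tok_a, now)
    results["config_released"] = cfg is not None and cfg["site"] == "branch-0001"
    _, results["replay"] = c.enroll(serial_a, tok_a, now + 1)               # same token again
    _, results["other_device"] = c.enroll(serial_b, issue_token(c.secret, serial_a, "enroll", 3600, now), now)
    _, results["no_credential"] = c.enroll(serial_b, "", now)               # "just calls home"
    key = issue_token(c.secret, serial_a, "support", 900, now)              # 15-minute support key
    results["support_in_window"] = c.support_access(serial_a, key, now + 600)
    results["support_after_window"] = c.support_access(
        serial_a, issue_token(c.secret, serial_a, "support", 900, now), now + 901)
    c.report_stolen(serial_a)                                               # unit reported stolen
    _, results["stolen"] = c.enroll(serial_a, issue_token(c.secret, serial_a, "enroll", 3600, now), now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

Run it and the eight cases print in order: a fresh token enrolls and gets a config; replaying it, using it for another serial, or presenting nothing at all is refused; a support key works inside its window and not after; and once a serial is reported stolen, no token enrolls it again. The point of the design is that the device never holds the controller secret, so possession of the hardware alone buys nothing, which is what separates a defensible zero-touch rollout from the one Karl Auer warns about.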

