Are the VPN Alternatives Enterprise Ready?
steve asks: "There has been some talk lately about the newer alternatives to a true VPN. Are products like Netilla or Neoteris enough to replace the typical 'extranet'? Most are based on simple SSL technology and are somewhat limited in what applications you can run or use them for, but they do give a simple web-based interface. Has anyone out there played with any of these? Are they truly worth a look yet? Would you be concerned about potential browser issues (security or otherwise) creating a back door on your nice firewall?"
Sounds interesting! (Score:3, Interesting)
So, the very people who should be using it, users out in the field, won't because they have been burned before. So, I was recently setting up IMAP/SSL and OWA/SSL access to our email server using stunnel [stunnel.org] as a backup, in case the VPN client doesn't feel like resolving names.
They seem to like this, so I was also looking at using one of the many variants on smb2www [samba.org] over SSL to provide backup access to our NT file servers, but I wanted to limit what servers and shares they could see this way from the outside. If these products can do that, then I might just recommend them for our company!
Balam
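The stunnel setup described in the post above, written out as an added example (this is not Balam's configuration). It assumes the stunnel 4-style config file format, a server certificate already issued for the mail host, and placeholder paths, user names and internal addresses. The point worth checking in such a deployment: stunnel terminates TLS and forwards plaintext, so the `connect` targets must be internal addresses that are not reachable from outside, and the IMAP and HTTP listeners on those hosts should not themselves be exposed through the firewall.

```ini
; stunnel.conf (added example, stunnel 4-style syntax; all paths, names and
; internal addresses are placeholders)

cert = /etc/stunnel/mail.example.com.pem
key  = /etc/stunnel/mail.example.com.key

; drop privileges and chroot after binding the listening ports
setuid = stunnel
setgid = stunnel
chroot = /var/lib/stunnel
pid = /stunnel.pid

; refuse the broken protocol versions (OpenSSL option names)
options = NO_SSLv2
options = NO_SSLv3

; Clients connect to the wrapped IMAP port; the cleartext IMAP hop
; to the mail server stays on the internal network.
[imaps]
accept  = 993
connect = 10.0.0.5:143

; Outlook Web Access: TLS on 443 in front of IIS on the internal Exchange box.
[owa]
accept  = 443
connect = 10.0.0.6:80
```

Run with `stunnel /etc/stunnel/stunnel.conf`. Each `[section]` is one independent listener, so an extra service (for example a wrapped POP3 on 995) is another section rather than a second process.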
Re:Sounds interesting! (Score:2)
Re:Sounds interesting! (Score:1)
Microsoft Networking - It's broke it's broke it's broke it's broke it's broke it's broke it's broke...
We had a similar problem with our two offices and name resolution. We implemented WINS on both sides of the WAN and it still never quite worked right, until we switched everyone over to the new w2k domain that had WINS on both the PDC and BDC, and ran DHCP instead of static IPs. End result, it worked, usually, and users liked having the new hardware to support w2k pro.
Re:Sounds interesting! (Score:2)
The thing that scares me about the Netilla product is the phrase proprietary adaptive Internet protocol (AIP) which can be found on their technology overview page. These both look like very interesting products, but proprietary anything scares me. Because ipsec is an open protocol, I can compare the advantages/disadvantages of using the discontinued 5001, a less-capable 3000 series, or FreeS/WAN, for example. There are also a number of ipsec clients to choose from. What happens if Netilla goes out of business? With no competition, how do I know I'm paying a fair price? Etc.
I haven't been able to find any information about the technology underlying the Neoteris solution.
I guess my basic point is that we've been slowly migrating toward open solutions, where possible. I'd hate to start moving back in the other direction. We willingly paid good money for the convenience that the 5001 offered. I like the idea here, but I really can't see how it's necessary to make something proprietary to sustain a good product.
The primary differentiating factor here seems to be the web based client. Using PFS, 3DES, and proper authentication, there's no need to worry about ipsec security. Ipsec clients come standard w/ Windows 2000 and XP. There are readily available Mac clients as well. I'm also not understanding how, say, browsing SMB shares via a web browser would work. Why not use the highly evolved tools available w/ the OS for doing this?
I could certainly use some more info, but for now, I'm fine w/ ipsec.
Re:Sounds interesting! (Score:1)
Unfortunately, I guess we just bought into IPSec too early, before it had matured. According to various people on the mailing list there have been few reports of successful interoperability between the VPN5000s and either the native W2K client, Free S/WAN or pretty much anything else that might be useful for a remote and mobile client. :-( (Yes, some point-to-point tunnels seem to work.)
As one of the other respondents mentioned, the primary reason I was looking at providing some access to SMB over WWW is that the early MS clients themselves are broken, due to their reliance on fragile technologies like the NT domain model and WINS. (Look at all the work the samba guys have had to do to replicate obscure undocumented behavior that the clients expect). By comparison IE and HTTPS are extremely robust.
Anyhow, I'm glad that MS has seen the light and AD/Kerberos/LDAP seems far superior, but I just don't see an upgrade in the cards for us due to the heavy licensing costs. (Mainly the cost to upgrade all of our CALs). We also still have to support the many potential 9x/ME clients out there, and can't simply mandate that only remote access from 2K and above will be supported.
As an aside, my own personal backdoor to our network has been to ssh over to one of the linux boxes and use the command line tools to do whatever I want. I've also successfully used VNC over ssh to access apps on my desktop, and provided this capability to others in the company when they have needed it.
Last, but not least (and slightly OT) I just don't "get" how the native 2K IPSec client is supposed to work over dialup to a random ISP POP. There does not seem to be a way to turn the IPSec tunnel on or off in a similar way to how the Cisco client behaves. Am I missing something?
Balam
Re:Sounds interesting! (Score:2)
Hmm, which part is proprietary, and which is not? The Cisco VPN clients are proprietary, for example, but the ipsec protocol is not. So I don't feel I'm in much danger of committing to the vagaries of a particular vendor. There must be a java client, if these things work via web browsers. Is that the proprietary piece? I see SSL and certificates mentioned - that part is certainly open.
As for turning the native 2K client on and off - I know that via the mmc ipsec snap-in you can toggle the active state of your defined ipsec policies on and off. Via the Options... dialog, you can limit user actions, and then save the whole thing to the desktop. Not quite as simple as the Cisco client, but not too awful. I've been dealing with the Cisco clients, so I'm still figuring this out myself. It's something I've started looking at though, due to the 5001 being discontinued and because of our desire to have some form of redundancy in place. FreeS/WAN on a couple of boxes costs a lot less than a couple of (discontinued/lacking-clients) Cisco boxes. Not sure where we're headed with this yet, though...
Re:Sounds interesting! (Score:2)
Re:Sounds interesting! (Score:2)
Re:Sounds interesting! (Score:2)
Anyway,
cisco.com -> Software -> VPN -> 3000: Clients
(requires CCO login and DES export authorization)
If you want, I can send it to you.
dago158 at advalvas dot be
Other software for MacOS 9: netlock.com
has anyone ever used Xserver for this? (Score:1, Offtopic)
Useful Windows/Linux VPN link (Score:3, Informative)
We've been using a Win2K server as our VPN server until now. It works well enough for the 3 to 4 people who use it regularly, plus my boss and myself. We've had some problems with DNS though. Sometimes when someone VPNs in it causes the server to resolve to the VPN client's IP, even though the DNS server is configured otherwise. Go figure...
mod parent up! (Score:1)
I was desperately looking for something like this a few months ago and only found pages describing the converse, i.e. how to connect FreeS/WAN to a W2K Server VPN.
Balam
FreeBSD MPD-Netgraph (Score:2, Informative)
VTun, PPTP, Free/SWAN (Score:2, Interesting)
Enterprise-ready? Well, I wouldn't know about that, but I did run our company's (40+ person) LAN over a VTun tunnel for 2 months without a problem, where all the servers stayed at one location, and all the clients were at another premises. All connectivity, including internet traffic, went over the VTun link.
For Win2K-based road-warrior type applications, I use PPTP with MS-CHAP2 and MPPE extensions, which works well, though Windows Networking doesn't work so well over multiple subnets.
I haven't used this enough to really comment on its stability/performance.
I have Free/SWAN IPSec compiled and ready to test, but it seems like a bit of a nightmare to set up.
It has easily the most confusing documentation and configuration file layout of any VPN-type product I have tried.
Personally, I use VTun between my firewalls at home and work if I need transparent VPN, though ppp-over-ssh and X-over-ssh suffices 98% of the time.
Re:VTun, PPTP, Free/SWAN (Score:2, Informative)
/Pedro
Re:VTun, PPTP, Free/SWAN (Score:1, Informative)
In the mailing lists, it is revealed that no, it doesn't actually work with bridging.
I wasted so many hours trying to get f*cking CIPE to work before switching to VTun...If you don't need bridging though, yeah it works well.
Re:VTun, PPTP, Free/SWAN (Score:3, Insightful)
It has easily the most confusing documentation and configuration file layout of any VPN-type product i have tried.
Really? I found FreeS/WAN's docs to be amazingly helpful. The config file is certainly a bit different from some of the others out there, but it does work well.
In general IPsec is a great tool for creating VPNs, and since more and more operating systems are including it, it allows for a high level of interoperability (Win2k, Linux, *BSD, and I think Solaris 8 all include it). The FreeS/WAN people have lots of interop documentation on their site, and as more is written a lot of the current voodoo will be eliminated.
I have recently been doing some interop testing of X.509 certificate-based IPsec authentication between Linux and the KAME implementation (NetBSD, FreeBSD, BSDI), and am writing a document describing the process right now (available at http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html [morgul.net], though it's not done yet). Certificate-based authentication is great because it eliminates the key distribution problem and makes large-scale deployment a possibility.
noah
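A FreeS/WAN configuration for the certificate-based setup noah describes above, which also covers the "PFS, 3DES, and proper authentication" combination from the earlier ipsec reply. This is an added example, not taken from noah's interop document or from the FreeS/WAN project. It assumes FreeS/WAN with the X.509 patch (which supplies the `leftcert`, `rightca` and `%cert` options), a CA that has issued one certificate per gateway, and placeholder DNs, subnets and addresses. Two things a practitioner should check: `rightid` pins the peer to one DN, so a different certificate from the same CA cannot stand in for gateway 2, and `rightca` restricts which issuer is accepted at all, which is what makes the "no key distribution" claim hold without also trusting every certificate in the system store.

```ini
# /etc/ipsec.conf (added example; FreeS/WAN + X.509 patch, placeholders throughout)

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn %default
    keyingtries=0
    keyexchange=ike
    # RSA signatures carried in X.509 certificates; no preshared secrets
    authby=rsasig
    # fresh Diffie-Hellman exchange on every Phase 2 rekey
    pfs=yes
    # FreeS/WAN negotiates 3DES by default and refuses single DES,
    # so no explicit cipher line is needed here.

conn kame-gw
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    # certificate file is looked up under /etc/ipsec.d/certs;
    # the matching private key is named in ipsec.secrets below
    leftcert=gw1Cert.pem
    leftid="C=US, O=Example Org, CN=gw1.example.com"
    right=192.0.2.20
    rightsubnet=10.2.0.0/24
    # pin the peer to one subject DN, not merely "some cert from our CA"
    rightid="C=US, O=Example Org, CN=gw2.example.com"
    # take the peer's public key from the certificate it sends during IKE
    rightrsasigkey=%cert
    # accept only certificates issued by this CA (placed in /etc/ipsec.d/cacerts)
    rightca="C=US, O=Example Org, CN=Example VPN CA"
    auto=start

# /etc/ipsec.secrets (the passphrase is only needed if the key file is encrypted)
: RSA gw1Key.pem "key-passphrase"
```

The KAME side (racoon) needs the equivalent: its own certificate and key, the same CA certificate, and `rsasig` as the authentication method for the peer at the FreeS/WAN gateway's address. Revocation is the part that tends to be skipped in such deployments; the X.509 patch reads CRLs from /etc/ipsec.d/crls, and without a CRL in place a compromised gateway key stays valid until its certificate expires.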