
Subcontracting VPN Solutions?

musikit asks: "My company has recently decided that they have too many sites to have people e-mail back and forth requests for forms, and documentation. They would like to find a subcontractor that would set up a site-to-site VPN connect which would allow our system to do all the usual tasks (http, https, webdav, samba, imap, pop3, etc). I have been looking all over for a subcontractor and every search seems to point me to learn more about how VPN technologies work. Has the Slashdot crowd had any experience in subcontracting out a VPN solution? Would anyone care to recommend a starting point for us to find/compare/contrast different VPN contractors?"
  • it's easy... (Score:3, Informative)

    by Kz ( 4332 ) on Saturday November 27, 2004 @09:54AM (#10930444) Homepage
    I do it!

    A friend and I have been successfully selling small VPN boxes. :-)

    Here in Peru, most businesses are using ADSL, only to find that e-mailing files back and forth between different offices isn't any good. We then sell them a box, (internally run a very stripped down linux with OpenVPN) install one on each office, and voila! a WAN!
  • Windows Server (Score:2, Informative)

    The Windows Server system allows for this type of thing with little more than a click of a checkbox. Your local Windows admin probably already knows about this, and just needs the go-ahead to put it into practice.

    An office that I was in charge of needed exactly this kind of thing and the Windows solution was the most straightforward of all the other choices. There are a lot of third party possibilities, but setting people up with an RDP connection to the main server (user-restricted, of course) was the b
  • by Gothmolly ( 148874 ) on Saturday November 27, 2004 @10:10AM (#10930510)
    I work for a Large US Bank, and our VPN is outsourced to AT&T, who subcontracts it to some (apparently) 5 man shop in Middle America somewhere. It sucks. It blows. I can't articulate how lame these people are. Problems? Sorry, we're a time zone away, so we're not here. Need something changed? Well, we'll TRY and get in remotely, but in case, can you have someone onsite reboot our box?
    Buy a bunch of Netscreen firewalls. Get a permanent IP connection. Set up IPSEC tunnels; click, enter preshared key, click, click, done. Profit. It just works.
    • I second this statement. Netscreens are:
      - easy to set up, and you can get great support contracts where they'll walk you thru it IF you can't set it up yourself.
      - easy to monitor (daily email report of important stuff / syslog)
      - They just keep working and working and working

      Now one thing I've found the netscreens do not handle well is heat. If you put one in a closet put a fan on it.
    • Totally agree on the Netscreens - started putting them into my company 4 yrs ago & there are no signs of stopping. As the parent poster says, 2 static IPs is all you need (one for the tunnel itself & 1 for external management). You CAN do it with one central system on static IP & multiple remote sites on dynamic IP, but that works for "hub-&-spoke" & we really need fully meshed.
      The biggest problem I have is that we've got to the point where the number of devices is becoming unmanagea
  • by JonnyRo88 ( 639703 ) on Saturday November 27, 2004 @10:15AM (#10930527) Homepage Journal
    You really don't need to subcontract this out. Just get m0n0wall [m0n0.ch]. It is a free embedded firewall package that runs beautifully, and supports all the VPN stuff you could ever want.

    It is absolutely perfect for site-to-site VPNs. All you need is a static IP address for each endpoint. I run ours on a Soekris [soekris.com] net4501 embedded computer. Total cost of computer + flash card + hardware encryption accelerator chip = $300. This is cheap for what you get.
    • Or... (Score:3, Insightful)

      by brunes69 ( 86786 )
      .. you could just buy a Linksys WRT54G, flash the firmware, and have a VPN solution for under 60 bucks USD (oh, plus a bonus WAP).

      • Re:Or... (Score:3, Informative)

        by Tux2000 ( 523259 )
        [...] buy a Linksys WRT54G, flash the firmware, and have a VPN solution [...] plus a bonus WAP.

        Hmm, if someone wants to protect his data in his network(s), he surely does not want a WAP in that network. Or if he wants a WAP, he has not yet been properly educated. (Well, there may be some reason to run a VPN over WLAN, but you do not want unprotected WLAN.)

        Tux2000

        • Eh???? (Score:3, Insightful)

          by brunes69 ( 86786 )
          For one, the VPN would not run over the WLAN, it would run over the hard links.

          For two, you could easily disable the WLAN interface if you do not have the know-how to set up a DMZ with it.
      • Re:Or... (Score:3, Insightful)

        by tigersha ( 151319 )
        Yeah, and a boatload of work and the fact that you have to open the box and mess around with a screwdriver to short out pins when you cock up the flash and and and. Been there, done that. The Linksys is great but it's not the nirvana everyone says. The one thing that would make it totally loco would be to replace the on-board flash with a removable CompactFlash socket. Soekris and WRAP both have this. It really makes it better to run in an emergency.

        And a Serial port for emergencies.
    • by fuzzybunny ( 112938 ) on Saturday November 27, 2004 @11:07AM (#10930779) Homepage Journal
      M0n0wall is great. Hardware-wise I would strongly recommend a PCEngines [pcengines.ch] WRAP board (WRAP 1D-2) instead of the 4501. We're deploying these on a grand scale, and they are amazingly robust (and cheap--$150-ish.)

      As for the M0n0 VPN component, you don't even need static IPs on each end (just on the central location assuming you have a star configuration), as long as it's the branch offices initiating the connection.
      • What are you using for the remote ipsec identifier on the main office setup? 0.0.0.0? I know you have to put something here.
        • Use what he calls an "FQDN", i.e. john.doe@foo.com.

          It can be any value you want (doesn't have to have any relationship to real domains, it's just a session identifier); use the undocumented link https://your.m0n0.box/status.php (at least I hope you're using https) to check on racoon.conf. You need to make sure your local identifier/remote identifier are in sync.

          Feel free to drop me a message if you can't get it working, I'm a bit tired and drunk right now.
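The identifier-sync rule in the reply above (the hub's peers_identifier must equal the branch's my_identifier and vice versa, type included, while the branch on a dynamic IP initiates against the hub's static address) can be checked mechanically before anyone stares at racoon.conf over https. The script below is an added example, not code from this thread or from the m0n0wall project: the two racoon.conf fragments, the hub address 203.0.113.10, the identifiers and the weak-algorithm list are constructed sample values, and the directives used (remote, passive, my_identifier, peers_identifier, exchange_mode, proposal) are the standard racoon ones.

```python
import re

# Constructed racoon.conf fragments for a hub-and-spoke IPsec setup.
# The hub has a static IP and accepts any peer address ("anonymous");
# the spoke sits on a dynamic IP and initiates. Sample data only.
HUB_CONF = """
remote anonymous {
        exchange_mode aggressive;
        passive on;
        my_identifier user_fqdn "hub@vpn.example";
        peers_identifier user_fqdn "branch1@vpn.example";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
"""

SPOKE_CONF = """
remote 203.0.113.10 {
        exchange_mode aggressive;
        my_identifier user_fqdn "branch1@vpn.example";
        peers_identifier user_fqdn "hub@vpn.example";
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
"""

# Deliberately minimal list of algorithms that should not appear in a
# new tunnel; extend it to taste (this is an assumption of the example).
WEAK_ALGORITHMS = {"des", "md5"}

_DIRECTIVE = re.compile(r'^\s*(\w+)\s+(.+?);\s*$', re.MULTILINE)
_REMOTE = re.compile(r'^\s*remote\s+(\S+)\s*\{', re.MULTILINE)


def parse_remote(conf):
    """Return (remote target, {directive: value}) for the first remote block."""
    m = _REMOTE.search(conf)
    if m is None:
        raise ValueError("no remote block found")
    settings = {key: value.strip() for key, value in _DIRECTIVE.findall(conf)}
    return m.group(1), settings


def identifier(settings, key):
    """Split 'user_fqdn "x"' into ("user_fqdn", "x"); (None, None) if absent."""
    if key not in settings:
        return (None, None)
    kind, _, value = settings[key].partition(" ")
    return (kind, value.strip().strip('"'))


def check_pair(hub_conf, spoke_conf, hub_static_ip):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    hub_target, hub = parse_remote(hub_conf)
    spoke_target, spoke = parse_remote(spoke_conf)

    # Hub side: unknown peer address, and it must wait for the spoke.
    if hub_target != "anonymous":
        problems.append("hub: remote should be 'anonymous' when the spoke has a dynamic IP")
    if hub.get("passive") != "on":
        problems.append("hub: set 'passive on' so only the spoke initiates")
    # Spoke side: it has to point at the hub's static address.
    if spoke_target != hub_static_ip:
        problems.append(f"spoke: remote {spoke_target} is not the hub's static IP {hub_static_ip}")
    if hub.get("exchange_mode") != spoke.get("exchange_mode"):
        problems.append("exchange_mode differs between hub and spoke")

    # The identifier rule: my_identifier on one side == peers_identifier on the other.
    if identifier(hub, "my_identifier") != identifier(spoke, "peers_identifier"):
        problems.append("identifier mismatch: hub my_identifier vs spoke peers_identifier")
    if identifier(spoke, "my_identifier") != identifier(hub, "peers_identifier"):
        problems.append("identifier mismatch: spoke my_identifier vs hub peers_identifier")

    # Flag weak phase-1 algorithm choices on either side.
    for side, settings in (("hub", hub), ("spoke", spoke)):
        for key in ("encryption_algorithm", "hash_algorithm"):
            for alg in settings.get(key, "").replace(",", " ").split():
                if alg in WEAK_ALGORITHMS:
                    problems.append(f"{side}: {key} {alg} is weak")
    return problems


if __name__ == "__main__":
    for line in check_pair(HUB_CONF, SPOKE_CONF, "203.0.113.10"):
        print(line)
```

Run it against the real files from both boxes (the hub's racoon.conf and each branch's) and treat any non-empty output as a reason not to bring the tunnel up; the identifier mismatch is the one that produces the confusing "no proposal chosen" style failures because phase 1 never finds the right remote block.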
      • Have you ever made a VPN where a mobile client connects to m0n0wall? It's easy to let it connect, but how do you route? I need the remote client to have one IP address on the inside. With SSH Sentinel it would be just great.

  • http://www.gls.com/

    They can provide support for the connection and the router, and open tickets with the LEC if the link goes down.
  • by thefoobar ( 131715 ) on Saturday November 27, 2004 @11:25AM (#10930872) Homepage
    At my former company we subcontracted a managed VPN service through Qwest, between our California stores and headquarters in Seattle.

    We found the Qwest solution to be advantageous because though the actual connection itself was slightly more expensive than a full T1 to the 'net (and significantly less expensive than a point-to-point to California), we had a full SLA on the service itself. We had a guarantee of no greater than 50ms latency between sites, a full bandwidth guarantee, etc.

    The network itself was fully on Qwest's private OC-192 backbone, and we had the option of bringing in Internet access at whichever locations we would like, and for those connections Qwest would provide firewalling with their Nortel Shasta boxes.

    Now that I have left that company I am even happier that I put in those connections, as no one has to learn anything new about the VPN, such as how to configure it, etc. We provided our own Ciscos.

    I did try (for a few short weeks as a demo) AuBeta's service, which they claim to be a private ATM network. It was such a miserable failure, and their response time was abysmal. I would never recommend their service. Come to find out later, though they bash VPNs as being worthless compared to their ATM solution, they are actually using VPNs as part of the backbone of their network. This from the guy who designed the thing.

    Hope this helps.
  • Sprint has a network [sprint.com] based VPN service.
  • http://www.pillarsystems.com/ They are out of Vienna, VA. (shameless plug for my little brother's company, but I wouldn't recommend them if they were not GOOD)
  • This service seems to be the darling of Fortune 50s .. probably because it used to be IBM Global Services.

    The problem is it's basically IPSec with some proprietary crap thrown in just to piss us off.

    It works in Windows only (of course), and they refuse to even discuss supporting other users.

    FOR GOD SAKES whatever you do make sure it will support more than just Windows users.

    What are these companies thinking going with this proprietary crap. I mean who is most likely to be the heavy users of the VPN? The I
  • DIY (Score:3, Informative)

    by peacefinder ( 469349 ) <alan.dewitt@gmAA ... inus threevowels> on Saturday November 27, 2004 @01:41PM (#10931618) Journal
    It's not that hard to do, if you're willing to read a bunch of manpages.

    Get a fixed IP DSL and a Soekris net4801 [soekris.com] for each site. Add a laptop hard drive or compact flash with OpenBSD [openbsd.org] on it. Read the man pages [openbsd.org] for "vpn" and "pf". Implement as appropriate to your site.

    Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.

    If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it. :-)
    • Re:DIY (Score:3, Insightful)

      by cjsnell ( 5825 )

      Or, save yourself the headache and use OpenVPN under OpenBSD. It has no problem at all with dynamic IP clients and keeps the VPN running smoothly when the IP address changes. It uses OpenSSL, so the crypto is legit and can be accelerated with one of Soekris's HiFn cards.
  • Contact VistaWiz [vistawiz.com], a provider of managed security solutions including site-to-site VPN.
  • by mr. mulder ( 204001 ) on Saturday November 27, 2004 @02:46PM (#10932048)
    If you're a small business, and don't want to be hassled with messing around with the internals for your firewall/VPN device, consider the following:

    1. Purchase a Cisco PIX firewall for both ends of your VPN.

    2. Purchase a SmartNET 1-year subscription with one of the firewalls.

    3. When you get them in place behind your T-1, DSL, or cable modems, put a call into Cisco and use your SmartNET support contract to have the Cisco technicians configure your VPN.

    The Cisco SmartNET team works 24x7 in addition to eating, breathing, and living PIX configuration.

    They can also answer any question you have about VPN and security.

    As a small business network admin for approx. 50 people, including several remote offices, the Cisco PIX line of firewall/VPN devices has been a lifesaver. Better yet, as you add on small home offices, you can purchase the Linksys (a Cisco subsidiary) BEFSX41 series firewalls to connect home users to your VPN very easily.

    Cisco also provides a software VPN client that works with the PIX line of firewall/VPN endpoint devices. We have the VPN software client deployed across our army of laptops. If a laptop user is on the road in a hotel or at home, they simply dial out or connect to the internet with a DSL line. They then tell their software VPN client to connect. 5 seconds later, once they're connected, they have access to our entire corporate intranet.

    The final selling points for the PIX firewall/VPN endpoint are the cost and ability to fine-tune:

    The cost is relatively cheap. For under $1K, you can equip multiple offices with a VPN connection. At the same time, you're protecting your offices with an enterprise-level firewall. Configuration of the firewall can be very easy via a web interface, but you can also restrict particular IP ranges from using certain ports, protocols, or just plain restrict them from access to anywhere in your entire corporation. The possibilities are endless.

    Hope this helps a bit.
  • When we had to do the very thing you did, I ended up hiring Bob Toxen, of Fly By Day Consulting [cavu.com]; and the author of Real World Linux Security [slashdot.org].

    He's one of the original authors of Berkeley Unix, and he's extremely knowledgeable in *nix Security.

    He did a great job for us and his price was very reasonable. Furthermore, he was available almost 24-7 to field my tech calls during the touchy installation - we pulled it off without a hitch.

    If you hire him, tell him that Chris Bergeron referred you. He'll know who
  • It's hard to believe that anyone would consider contracting out such a trivial task.
    Just use iptables and ssh, and route the data over an SSL link. Then if something goes wrong you don't have to deal with a vendor, and can just fix it immediately. Voila, reliability, savings, productivity.
  • by A Naughty Moose ( 672032 ) on Saturday November 27, 2004 @08:35PM (#10934160)
    One solution that I've used that works well is to set up a netscreen [http] box at the main office, and then use a snapgear [cyberguard.com] at the remote sites. Both the netscreen and the snapgear run Linux underneath, so technically they are both as capable, but the netscreen tends to be more versatile (and slightly more complex to set up) than the snapgear, making it the more logical choice for the main office.

    I haven't tried this, but Linksys does make a VPN router [linksys.com] or you could build your own using a Soekris Net4511 [soekris.com] and M0n0wall [m0n0.ch]. M0n0wall is a FreeBSD based VPN configured via the web with an interface that is very similar to a SnapGear. (The netscreen is also set up via the web, but significantly different from the other two.) If you used one, you'll feel right at home with the other (I have no idea if this is intentional or not. And the screens are not laid out the same, they just are categorized the same, with a similar layout).

    Anyway, all the above solutions will let you set up a VPN, either with IPSEC (complete with your choice of SHA, DES, 3DES etc encryption), or the older, less secure Microsoft Point-to-Point tunneling protocol (which I can't think of the proper name of right off hand, heck maybe P2PTP was it), and once set up they run pretty much error- and maintenance-free (except maybe the Linksys; I've used the others though, and they all work as advertised).
