Subcontracting VPN Solutions?
musikit asks: "My company has recently decided that they have too many sites to have people e-mail back and forth requests for forms and documentation. They would like to find a subcontractor that would set up a site-to-site VPN connection which would allow our systems to do all the usual tasks (http, https, webdav, samba, imap, pop3, etc). I have been looking all over for a subcontractor and every search seems to point me to learn more about how VPN technologies work. Has the Slashdot crowd had any experience in subcontracting out a VPN solution? Would anyone care to recommend a starting point for us to find/compare/contrast different VPN contractors?"
Hey Microsoft has something useful for once! (Score:1, Informative)
it's easy... (Score:3, Informative)
A friend and I have been successfully selling small VPN boxes.
Here in Peru, most businesses are using ADSL, only to find that e-mailing files back and forth between different offices isn't any good. We then sell them a box (internally running a very stripped-down Linux with OpenVPN), install one in each office, and voila! A WAN!
Re:it's easy... (Score:2, Informative)
Re:it's easy... (Score:1)
Re:it's easy... (Score:2)
Post your URL man! You might get a business trip out of it.
Re:it's easy... (Score:2)
Would you be willing to email me? I have something I'd like to talk about, and you don't seem to have any contact info up on
redb3ard (at) cavtel (dot) net
Windows Server (Score:2, Informative)
An office that I was in charge of needed exactly this kind of thing and the Windows solution was the most straightforward of all the other choices. There are a lot of third party possibilities, but setting people up with an RDP connection to the main server (user-restricted, of course) was the b
Don't do it, buy Netscreens (Score:5, Informative)
Buy a bunch of Netscreen firewalls. Get a permanent IP connection. Set up IPSEC tunnels; click, enter preshared key, click, click, done. Profit. It just works.
Re:Don't do it, buy Netscreens (Score:1)
- easy to set up, and you can get great support contracts where they'll walk you through it IF you can't set it up yourself.
- easy to monitor (daily email report of important stuff / syslog)
- They just keep working and working and working
Now one thing I've found the netscreens do not handle well is heat. If you put one in a closet put a fan on it.
Re: (Score:3, Informative)
Re:Don't do it, buy Netscreens (Score:3, Interesting)
The biggest problem I have is that we've got to the point where the number of devices is becoming unmanagea
Use m0n0wall with an embedded computer. (Score:5, Informative)
It is absolutely perfect for site-to-site VPNs. All you need is a static IP address for each endpoint. I run ours on a Soekris [soekris.com] net4501 embedded computer. Total cost of computer + flash card + hardware encryption accelerator chip = $300. This is cheap for what you get.
Or... (Score:3, Insightful)
Re:Or... (Score:3, Informative)
Hmm, if someone wants to protect his data in his network(s), he surely does not want a WAP in that network. Or if he wants a WAP, he has not yet been properly educated. (Well, there may be some reason to run a VPN over WLAN, but you do not want unprotected WLAN.)
Tux2000
Eh???? (Score:3, Insightful)
For two, you could easily disable the WLAN interface if you do not have the know-how to set up a DMZ with it.
Re:Or... (Score:3, Insightful)
And a Serial port for emergencies.
Re:Use m0n0wall with an embedded computer. (Score:4, Interesting)
As for the M0n0 VPN component, you don't even need static IPs on each end (just on the central location assuming you have a star configuration), as long as it's the branch offices initiating the connection.
Re:Use m0n0wall with an embedded computer. (Score:2)
Re:Use m0n0wall with an embedded computer. (Score:2)
It can be any value you want (doesn't have to have any relationship to real domains, it's just a session identifier); use the undocumented link https://your.m0n0.box/status.php (at least I hope you're using https) to check on racoon.conf. You need to make sure your local identifier/remote identifier are in sync.
Feel free to drop me a message if you can't get it working, I'm a bit tired and drunk right now.
Re:Use m0n0wall with an embedded computer. (Score:2)
Vendor (Score:1)
They can provide support for the connection and the router, and open tickets with the LEC if the link goes down.
Managed VPNs have their advantages (Score:4, Informative)
We found the Qwest solution to be advantageous because though the actual connection itself was slightly more expensive than a full T1 to the 'net (and significantly less expensive than a point-to-point to California), we had a full SLA on the service itself. We had a guarantee of no greater than 50ms latency between sites, a full bandwidth guarantee, etc.
The network itself was fully on Qwest's private OC-192 backbone, and we had the option of bringing in Internet access at whichever locations we would like, and for those connections Qwest would provide firewalling with their Nortel Shasta boxes.
Now that I have left that company I am even happier that I put in those connections, as no one has to learn anything new about the VPN, such as how to configure it, etc. We provided our own Ciscos.
I did try (for a few short weeks as a demo) AuBeta's service, which they claim to be a private ATM network. It was such a miserable failure, and their response time was abysmal. I would never recommend their service. Come to find out later, though they bash VPNs as being worthless compared to their ATM solution, they are actually using VPNs as part of the backbone of their network. This from the guy who designed the thing.
Hope this helps.
Network based VPNs (Score:1)
These guys can help you! (Score:1)
Whatever you do DONT USE AT&T GLOBAL! (Score:1)
The problem is it's basically IPSec with some proprietary crap thrown in just to piss us off.
It works in Windows only (of course), and they refuse to even discuss supporting other users.
FOR GOD'S SAKE, whatever you do, make sure it will support more than just Windows users.
What are these companies thinking going with this proprietary crap? I mean, who is most likely to be the heavy users of the VPN? The I
DIY (Score:3, Informative)
Get a fixed IP DSL and a Soekris net4801 [soekris.com] for each site. Add a laptop hard drive or compact flash with OpenBSD [openbsd.org] on it. Read the man pages [openbsd.org] for "vpn" and "pf". Implement as appropriate to your site.
Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.
If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it.
Re:DIY (Score:3, Insightful)
Or, save yourself the headache and use OpenVPN under OpenBSD. It has no problem at all with dynamic IP clients and keeps the VPN running smoothly when the IP address changes. It uses OpenSSL, so the crypto is legit and can be accelerated with one of Soekris's HiFn cards.
VistaWiz (Score:2)
Cisco PIX for Small Businesses (Score:4, Informative)
1. Purchase a Cisco PIX firewall for both ends of your VPN.
2. Purchase a SmartNET 1-year subscription with one of the firewalls.
3. When you get them in place behind your T-1, DSL, or cable modems, put a call into Cisco and use your SmartNET support contract to have the Cisco technicians configure your VPN.
The Cisco SmartNET team works 24x7 in addition to eating, breathing, and living PIX configuration.
They can also answer any question you have about VPN and security.
As a small business network admin for approx. 50 people, including several remote offices, the Cisco PIX line of firewall/VPN devices has been a lifesaver. Better yet, as you add on small home offices, you can purchase the Linksys (a Cisco subsidiary) BEFSX41 series firewalls to connect home users to your VPN very easily.
Cisco also provides a software VPN client that works with the PIX line of firewall/VPN endpoint devices. We have the VPN software client deployed across our army of laptops. If a laptop user is on the road in a hotel or at home, they simply dial out or connect to the internet with a DSL line. They then tell their software VPN client to connect. 5 seconds later, once they're connected, they have access to our entire corporate intranet.
The final selling points for the PIX firewall/VPN endpoint are the cost and ability to fine-tune:
The cost is relatively cheap. For under $1K, you can equip multiple offices with a VPN connection. At the same time, you're protecting your offices with an enterprise-level firewall. Configuration of the firewall can be very easy via a web interface, but you can also restrict particular IP ranges from using certain ports, protocols, or just plain restrict them from access to anywhere in your entire corporation. The possibilities are endless.
Hope this helps a bit.
Hire Bob Toxen... (Score:2)
He's one of the original authors of Berkeley Unix, and he's extremely knowledgeable in *nix security.
He did a great job for us and his price was very reasonable. Furthermore, he was available almost 24-7 to field my tech calls during the touchy installation - we pulled it off without a hitch.
If you hire him, tell him that Chris Bergeron referred you. He'll know who
Puzzling (Score:2)
Just use iptables and ssh, and route the data over an SSL link. Then if something goes wrong you don't have to deal with a vendor, and can just fix it immediately. Voila, reliability, savings, productivity.
Re:Puzzling (Score:1)
You're forgetting the most important part: blame.
Netscreen and Snapgear... (Score:4, Informative)
I haven't tried this, but Linksys does make a VPN router [linksys.com], or you could build your own using a Soekris Net4511 [soekris.com] and M0n0wall [m0n0.ch]. M0n0wall is a FreeBSD-based VPN configured via the web with an interface that is very similar to a SnapGear. (The Netscreen is also set up via the web, but significantly different than the other two.) If you used one, you'll feel right at home with the other (I have no idea if this is intentional or not. And the screens are not laid out the same, they just are categorized the same, with a similar layout).
Anyway, all the above solutions will let you set up a VPN, either with IPSEC (complete with your choice of SHA, DES, 3DES etc. encryption), or the older, less secure Microsoft Point-to-Point tunneling protocol (which I can't think of the proper name of right off hand, heck maybe P2PTP was it), and once set up they run pretty much error- and maintenance-free (except maybe the Linksys; I've used the others though, and they all work as advertised).
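Two points raised above, the m0n0wall poster's advice to keep the local/remote identifiers in sync on both ends of the racoon tunnel, and the last comment's note that IPSEC lets you pick DES versus 3DES, are the kind of thing that is easy to get wrong by hand. The script below is an added example, not code from any poster or from m0n0wall: it parses two constructed racoon.conf `remote` blocks (sample hostnames and addresses are made up) and reports identifier mismatches, proposal mismatches, and weak algorithm choices.

```python
import re

# Constructed racoon.conf 'remote' blocks for the two ends of one tunnel
# (sample data for this example, not taken from any poster's setup).
HQ_CONF = """remote 203.0.113.2 {
    exchange_mode main;
    my_identifier fqdn "hq.vpn.example";
    peers_identifier fqdn "branch1.vpn.example";
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}"""
BRANCH_CONF = """remote 198.51.100.1 {
    exchange_mode main;
    my_identifier fqdn "branch1.vpn.example";
    peers_identifier fqdn "hq.example";
    proposal { encryption_algorithm des; hash_algorithm md5;
               authentication_method pre_shared_key; dh_group 2; }
}"""

# Proposal settings that should not survive review: single DES, MD5, 768-bit DH group 1.
WEAK = {"encryption_algorithm": {"des"}, "hash_algorithm": {"md5"}, "dh_group": {"1"}}
PROPOSAL = ("encryption_algorithm", "hash_algorithm", "dh_group")

def parse_remote(conf):
    """Extract the phase-1 identifiers and proposal values from one 'remote' block."""
    found = {}
    for key in ("my_identifier", "peers_identifier") + PROPOSAL:
        m = re.search(r"\b%s\s+([^;]+);" % key, conf)
        found[key] = m.group(1).strip().replace('"', "") if m else None
    return found

def check_tunnel(conf_a, conf_b):
    """Return the list of problems; empty means both ends agree and nothing weak is used."""
    a, b = parse_remote(conf_a), parse_remote(conf_b)
    problems = []
    # Each side's my_identifier must be exactly what the other side lists as peers_identifier.
    for mine, theirs, label in ((a, b, "A->B"), (b, a, "B->A")):
        if mine["my_identifier"] != theirs["peers_identifier"]:
            problems.append(f"identifiers out of sync ({label}): "
                            f"{mine['my_identifier']!r} vs {theirs['peers_identifier']!r}")
    for key in PROPOSAL:
        if a[key] != b[key]:
            problems.append(f"proposal mismatch on {key}: {a[key]} vs {b[key]}")
        for name, side in (("A", a), ("B", b)):
            if side[key] in WEAK[key]:
                problems.append(f"{name}: weak {key} {side[key]}")
    return problems
```

Run `check_tunnel(HQ_CONF, BRANCH_CONF)` to see the branch's mistyped peers_identifier and its DES/MD5 proposal flagged; an empty list is what you want before bringing the tunnel up.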