ATM and VPN's

Kent Dallas kdallas at INTELISPAN.NET
Thu Mar 30 16:37:00 EST 2000


Todd,

Thanks for the comments.

While you have pointed out, as others have privately, that the major cost is
in "commodity" hardware and the increased processor requirements, there are
other costs to recognize as well.

How much does it cost to support and maintain?  Your tastes are for Open
Source Unix with firewall functionality.  Do you trust a kid just out of
school making $40K to configure it properly?  How much is the human cost to
properly maintain such a system, especially in a large and dynamic
environment?  How much to recruit and retain those individuals?

How expensive is support on the Open Source software?  Free, right?  If you
have the developer talent in house to code your own solutions, but I doubt
you consider his/her time free.

How about key management?  Do you use a PKI?  How expensive is the PKI?

And most experts recommend that you have a box dedicated to VPN (for large
implementations) to handle the encryption, because if your firewall (or
router) is busy handling encryption, it is not handling its primary tasks.
This issue directly relates to the opportunity costs.

What about integration?  What if the other site uses different VPN
technology?  How expensive is it to find a common solution?

A quote from the Wall Street Journal, March 28, 2000, page B8, article
"Internet Encryption's Password is 'SLOW'" - "Although the tools for
hacker-proof communications have been available since 1977, they are not
widely used because they are often slow, tricky to install, and difficult to
link with other systems".  The WSJ may not be the best source for technical
knowledge, but they do know something about costs.

[And Paul, I got your last comments, and we will agree to disagree about
whether dial-in lines are as open as the Internet, but I certainly
understand from the HIPAA language how you reach that conclusion.
Everywhere else, I think we agree.]

Regards,
Kent Dallas

-----Original Message-----
From: Bennett Todd [mailto:bet at rahul.net]
Sent: Tuesday, March 28, 2000 8:55 PM
To: Kent Dallas
Cc: VPN at SECURITYFOCUS.COM
Subject: Re: ATM and VPN's


2000-03-28-20:29:58 Kent Dallas:
> I have yet to hear the argument that encryption is inexpensive.

Ok, for completeness I'll offer that argument:-).

In settings where I care about security, and two nets with different
security policies connect to each other, I deploy a firewall.

To my tastes, the very best firewall is an Open Source Unix box
running a suitable mix of packet filtering, proxies, and
high-security daemons to address the security policy and
functionality needs of the setting.

As I'm deploying on commodity hardware, I enjoy the ongoing
exponential improvements in CPU performance, and the processing
requirements of a firewall rarely begin to use the resources
available on even modestly-priced boxes today.

Hence, in networks that I configure, VPN can be essentially free for
nearly all purposes. About the only time it would get expensive
would be if I felt a need to try and encrypt, with negligible
performance impact, a really huge pipe, say T3 or better. I'll admit
I do try and design around needing encrypted pipes that fat.

-Bennett
