VPN SOLUTION INFO

Chris Carlson carlsonmail at YAHOO.COM
Fri May 5 11:19:40 EDT 2000


Gowri,

I'm going to step back a little on your question and
address something at the higher level.

While VPNs are great (I've been involved with them for
years), they are not the panacea that everyone thinks.
Like most tools, they're great for what they're
designed for, but become difficult, unwieldy, or
downright painful when you use them for something
other.

And that thing usually is partner or client
connectivity.  Without advanced profiling support,
it's more difficult to connect a partner or client
through a VPN than your own office or remote users.

You need to ask yourself some questions first,
regarding your partner or client access:

1) What applications will be used by my client?
Web-based, thin client, IP, or other.

Most companies are porting their in-house applications
to the Web and using SSL, digital certificates,
Web-based single sign-on, etc. to mitigate the need to
set up an IPSec tunnel between partners.

2) Can you guarantee the security of your partner's
network?

IPSec VPNs create a full tunnel between their network
and yours.  And security exploits rely on the weakest
link in the chain.  Even though you may firewall off
your VPN connection, without user-level authentication
and authorization for each connection (difficult with
a network-to-network VPN), you can't guarantee the
trust.

3) Can you control the network elements on your
partner's network?

An IPSec site-to-site VPN requires proper routing
between all parties.  What if you had an internal
non-routable address space (10.X.X.X or 172.16.X.X)
that conflicted with their space?  What if that
partner connected to other customers via a VPN and
routing was affected?  What if your partner was
running NAT?  As we know, NAT usually breaks IPSec VPN
connections.  If you don't control all network
elements, you can't guarantee supportability.

4) For client software VPNs, can you control your
partner's desktop environment?

Let's say you're going to forgive the routing issues
by rolling out VPN client software to your partner's
machines.  How can you guarantee that it will work?
What if they're using Macs instead of PCs?  What if
they ALREADY have a VPN client (not the same one you
use) on their machine?  You can't have TWO IPSec
clients on the same machine?  What if they use NAT on
their network?  NAT breaks IPSec.  How do you handle
client software fulfillment, updating,
troubleshooting, etc.?


Those are some first cut, high-level things to think
about when deploying VPNs to those beyond your
internal use, i.e., partners, customers, suppliers,
etc.

While VPNs are great for internal use, they have a
limit for external use.

Have you explored application-level solutions for your
clients?  Either Web-based, or something like Citrix?
Or even Aventail, which got out of the IPSec VPN
market and is more concentrated on the "Extranet"
market -- I think they're rolling out SOCKS-enabled
apps.

Good luck!

Chris
--

--- Gowri Shankar Bhogisetty
<gowrishankar.setty at WIPRO.COM> wrote:
> Hi,
>
> We are going to establish VPN connectivity to our
> CLIENT over the Internet. I need some input on VPN
> solutions.
>
> We are thinking of going for Cisco router based VPN
> connectivity. With this solution, can I communicate
> with different VPN vendors, or will it communicate
> only with a Cisco VPN box? Our clients are using
> different VPN products. How can we integrate?
>
> Please suggest which VPN product will help us for
> our setup.
>
> What I understood was that VPN is based on the
> tunneling protocol (IPSEC, GRE), encryption (DES,
> 3DES) and key management. With these standards I can
> communicate with any VPN box. Please correct me if I
> am wrong.
>
> Any help on this appreciated.
>
> Thanks & Regards
>
> Gowri Shankar
>
> VPN is sponsored by SecurityFocus.COM
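
Added example (not part of the original message): a pre-deployment check for the address-space conflict raised in question 3, listing every pair of prefixes from different sites that overlap before a site-to-site tunnel is built. The site names, the prefixes and the function names are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private ranges, the "non-routable" space the message refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: prefixes each party would route over the tunnel.
SITES = {
    "us": ["10.1.0.0/16", "172.16.20.0/24"],
    "partner_a": ["10.1.128.0/17", "192.168.5.0/24"],
    "partner_b": ["172.16.0.0/12"],
}

def is_rfc1918(net):
    """True if the whole prefix sits inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)

def find_conflicts(sites):
    """Return (site_a, prefix_a, site_b, prefix_b, both_private) for every
    pair of prefixes from different sites that overlap."""
    # strict=True rejects typos such as 10.1.1.1/16 (host bits set).
    parsed = {name: [ipaddress.ip_network(p, strict=True) for p in prefixes]
              for name, prefixes in sites.items()}
    conflicts = []
    # Compare every pair of sites, so partner-to-partner clashes show up too.
    for (a, nets_a), (b, nets_b) in combinations(sorted(parsed.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    conflicts.append((a, str(na), b, str(nb),
                                      is_rfc1918(na) and is_rfc1918(nb)))
    return conflicts

if __name__ == "__main__":
    for a, pa, b, pb, private in find_conflicts(SITES):
        kind = "private (RFC 1918)" if private else "public"
        print(f"{a} {pa} overlaps {b} {pb} [{kind}]")
```

Any pair it reports has to be renumbered or translated before routing between those sites can work.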
