Fwd: TechTip: What's a VPN, Anyway?

David Gillett dgillett at NIKU.COM
Wed Sep 20 14:00:28 EDT 2000


  There are two caveats that immediately leap out at me:

1.  Most of the reliability and performance problems I've seen on
site-to-site VPNs have been with the peering gateways between different ISPs
and backbone providers.  I recommend that you select an ISP who can serve
all of your locations, and get an SLA (Service Level Agreement) with them.

2.  VOIP relies on timely delivery, and Cisco's preferred way to ensure this
is to use QoS extensions on IP.  This could run you into difficulties over
three issues:

  a.  VPN encapsulation probably hides the QoS bits of the packets -- voice
gets no special treatment.

  b.  It appears that an IPSEC tunnel can experience significant delays
while recovering from a lost packet.  This may not be acceptable for voice
traffic -- although I've usually seen this at peering points (see 1 above).

  c.  I'm not sure Cisco implements QoS on anything below their 38xx series.
That's what they've been telling us we should be buying to do VoIP....

David Gillett
Enterprise Networking Services Manager, Niku Corp.
(650) 701-2702
"Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Nick
van der Walt
Sent: Wednesday, September 20, 2000 2:03 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Fwd: TechTip: What's a VPN, Anyway?


Hi all

I am about to venture into the VPN world. I am about to start the project of
implementing a VPN on an international base. Saying this, here is an
explanation of my company setup.

I am working for an international concern that is currently running a leased
line dedicated WAN from office to office. My aim is to terminate the current
WAN links and migrate to a VPN infrastructure.

The equipment I am currently evaluating is Cisco's 2650 routers with VPN
cards, and dedicated Internet connections. I am not using a VPN dial up
structure but dedicated connections.

Any suggestions on pitfalls I should be aware of...?

What are the implications of implementing VOIP on top of this VPN structure?


Nick

-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of Joseph S D
Yao
Sent: Wednesday, September 20, 2000 1:55 AM
To: VPN at SECURITYFOCUS.COM
Subject: Re: Fwd: TechTip: What's a VPN, Anyway?

On Tue, Sep 19, 2000 at 03:26:16PM -0400, Andrew Chen wrote:
> I found this on SearchSecurity.com's mailing list - thought it might
> be a relevant reply to David Rudolph's "VPN disables access to local
> corporate LAN" message.
>
> >Subject: TechTip: What's a VPN, Anyway?
> >Date: Tue, 19 Sep 2000 15:20:45 -0400

More directly to the point ... Mr. Rudolph's VPN client is behaving the
way a VPN client should, to maximize VPN/LAN security.  If his machine
could be on both the local LAN and the remote LAN simultaneously, it
could conceivably form a bridge of some kind between the two.  If his
machine is locked down so that it only appears to be on one of the two
networks at a time, this risk is reduced.

Most - I am told, all - IPsec clients used to allow this kind of dual
access.  I understand that more either don't allow it, or allow the
VPNmeister to specify whether it is allowed.

--
Joe Yao                         jsdy at cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.

VPN is sponsored by SecurityFocus.COM
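
As an added illustration of the dual-access condition described in Joe Yao's reply above (not part of the original thread), this Python check reads a client's routing table and lists the prefixes still reachable outside the tunnel. The Linux `ip route` output format, the interface names `tun0` and `eth0`, and all addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed `ip route` output (Linux format) for two client states.
LOCKED_DOWN = """\
default dev tun0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""
DUAL_ACCESS = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.0.0.0/8 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        iface = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), iface))
    return routes

def routes_outside_tunnel(text, tunnel_if, vpn_gateway):
    """List prefixes still reachable without going through the tunnel.

    The host route to the VPN gateway is excluded: the encrypted packets
    themselves have to leave through the physical interface.
    """
    gateway = ipaddress.ip_network(vpn_gateway)
    return [str(net) for net, iface in parse_routes(text)
            if iface != tunnel_if and net != gateway]

def has_dual_access(text, tunnel_if, vpn_gateway):
    """True if the host has both tunnel routes and non-tunnel routes."""
    tunnel_up = any(iface == tunnel_if for _, iface in parse_routes(text))
    return tunnel_up and bool(routes_outside_tunnel(text, tunnel_if, vpn_gateway))
```

A default route through the tunnel is not enough on its own: a more specific local-LAN route on the physical interface still wins by longest-prefix match, which is why the check lists every non-tunnel prefix.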
