VPN Information

David Gillett dgillett at NIKU.COM
Thu Feb 22 17:47:37 EST 2001


  We're using NetScreen firewalls at each of our sites, and relying on their
capabilities for point-to-point VPN connection.  Until their latest release,
they haven't been able to route traffic from one tunnel directly into
another, so this required a fully-meshed set of tunnels -- potentially 210
to link our 15 sites!  (In fact, some of the outlying locations rarely
connect to each other, and so not all 210 are defined....)
  A second issue concerns tunnelling from inside site A to inside site B and
then crossing the firewall from inside to DMZ; that may also be implemented
in the latest release although perhaps it's harder to do.

  The third issue -- one that doesn't just apply to NetScreen and which no
device vendor can likely fix -- is that while the Internet is usually drawn
as an undifferentiated cloud, in fact different carriers peer with each
other to varying extents and in varying locations.
  A recurring nightmare involves sites served by different carriers A and B
who have no direct peering point.  Often, traffic from A to B will be
carried on C while traffic from B to A flows over D.  So we now have four
carriers in the mix, two of whom don't have us as customers, so we have zero
influence/leverage with them.  So when the gateway between B and D becomes
overloaded and starts to drop packets, our "secure" connection rapidly
degrades below usability.  B points its finger at D and shrugs.
  A few carriers will offer an SLA (Service Level Agreement) *IF* all of the
sites involved are carried by them.  We've been migrating our sites to UUNet
for this reason; you have to determine if their premium pricing is worth it
for your case.


  I'm not sure what characteristics would lead you to deploy different
solutions for home and travelling remote users.  We're using the Cisco VPN
3000 for both, and in fact for our most recent business-to-business
"extranet" link as well.  (I think there's actually a PIX on the other end
of that connection.)  We actually selected this solution while it was
Altiga, based on four primary criteria:

1.  Initial PPTP support with the option to move up to IPSEC.  In practice,
limitations of the PPTP support and ease of IPSEC had us move up right from
the outset.

2.  Initial NT domain authentication with the option to move up to SecurID
authentication.  We've had two minor "scares" -- less than full-fledged
incidents -- which would have been avoided if we had deployed SecurID, but
we haven't yet managed to work it into the budget.

3.  Most of the products we looked at would have required us to expend major
effort and hassle to manage/track the client licenses issued to our remote
users all over the globe.  So far, we haven't had to do that, and we're
hoping Cisco recognizes and preserves that advantage!

4.  Competitive pricing across a wide range of performance.  Although growth
has slowed somewhat, we were deploying into an enterprise that was doubling
in headcount every 3-4 months.  We were willing to pay a bit more for the
box (about the same after client licenses, see item 3!) for the knowledge
that if our remote user base exploded, we could keep pace for a good long
time by installing SEPs as warranted.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: DePriest, Jason R. [mailto:jrdepriest at ftb.com]
Sent: Thursday, February 22, 2001 1:39 PM
To: 'dgillett at niku.com'; VPN at SECURITYFOCUS.COM
Subject: RE: VPN Information


We are stuck in a similar situation.  My department is evaluating a
couple of different VPN solutions.
We have recently realized that there is no "magic bullet" solution.
We have the potential to need three different products: one for
remote home users, one for business to business, and one for remote
travelling users.
What products do you use and why did you choose them over the other
available solutions?

Thank you!

Jason R DePriest, GCFW
Network and Systems Administrator
First Tennessee National Corporation
InterActive Services Department
ph: 901/523-5777, fax: 901/523-5537
email: jrdepriest at ftb.com

Disclaimer:
The views expressed in this message, while not necessarily the views of
First Tennessee, are nonetheless confidential and not to be freely
distributed to external sources without explicit permission from the
sender of this message or from First Tennessee National Corporation.


-----Original Message-----
From: David Gillett [mailto:dgillett at niku.com]
Sent: Wednesday, February 21, 2001 8:42 PM
To: VPN at SECURITYFOCUS.COM
Subject: Re: VPN Information


  The answers I'd give to these questions depend on whether we're talking
about VPN as a WAN technology (VPN between sites instead of
Frame/ATM/dedicated links) or as a remote user technology (VPN from ISP
dialup/DSL/cable-modem back to main office).  It's possible to use the same
vendor for both, of course, but we didn't, and the issues involved tend to
be different as well.

David Gillett
Senior Network Engineer
(650) 701-2702
Niku Corp. "Transforming the Service Economy"



-----Original Message-----
From: VPN Mailing List [mailto:VPN at SECURITYFOCUS.COM]On Behalf Of
Bursey, Rick
Sent: Thursday, February 15, 2001 11:00 AM
To: VPN at SECURITYFOCUS.COM
Subject: VPN Information


Hi All,

I'm a Network Administrator with Abitibi-Consolidated, Inc. in their Grand
Falls, Newfoundland division.  Abitibi-Consolidated, Inc. is a large
multi-national paper manufacturer with many divisions (mostly in Canada and
the United States) and sales offices located in many places world wide.
http://www.abicon.com

We are in the preliminary stages of testing and setting up a VPN for the
corporation. As part of this process we are asking other people who may have
setup VPN for their company about their experiences.

I was wondering if you would be willing to answer a few questions for me?

1.   What vendor did you use?
2.   Why did you choose this vendor?
3.   How many access points do you have?
4.   What were your experiences? i.e. problems, gotchas etc.
5.   What would you do differently if you had to do this project again?
6.   Any other advice you may have?

Once again, thanks for any information/advice that any of you may be willing
to share.

Also, this is my first post to this listserv, so please forgive me if I've
done something wrong.

-Rick.

Rick Bursey
Abitibi-Consolidated, Inc.
Grand Falls Division
Grand Falls-Windsor, Newfoundland
A2A 1K1

phone:    709 292-3243
fax:      709 489-6119

VPN is sponsored by SecurityFocus.COM