Clarity, please

Stephen Chowning schowning at home.com
Fri Jun 22 16:48:18 EDT 2001


Well, what I would like to do is connect a small (read low bandwidth) office
to a cable modem with enough security to prevent anyone from accessing client
information, and connect the same small office to a one user remote location
via a secure link. My priorities are:
1. security
2. ease of setup
3. cost

My main concern is setting up a system that will allow vpn or ssh (or some
other secure method) via the cable modem. From reading posts to this
newsgroup, this seems problematic via VPN over a cable modem. As I have never
set up either vpn or an ssh connection before, my knowledge on these matters is
limited.

My main goal is to avoid a situation like the one that occurred when I set up
a laptop to connect to the internet via a cell phone. After several hundred $s
in equipment, and several tech support personnel until I found one that could
actually tell me how to configure things, I found out that you were lucky to
get a reliable (read stable and above 4800 baud) connection 1 time in 10
tries.

stevens mary wrote:

> It depends on what you want to do.  If you are merely a home user on a
> cable connection and want to connect multiple machines behind 1 ip address
> as cheap as possible then the netgear/linksys boxes are the way to go.
>
> However the netscreen is pretty flexible and can do a lot of things.  If
> you are considering setting up a small office and say want to only allow
> certain people to access the internet, or you want to limit the protocols
> that they can use to access the internet then the netscreen is the way to
> go.
>
> Other things that it can do that the cable routers typically don't:
> VPN termination and initiation
> The firewall rule sets are much more flexible to say the least and you can
> generally have more of them.
> You can force users to authenticate at the firewall for all outbound
> traffic or certain types, etc.
> The NAT is a little more full featured.
> It can also go in in transparent mode, which is useful if you want to keep
> your addresses behind it visible to the outside world. Not typical of
> cable modem users, but maybe true for ISDN installs.
> It can go in in route mode, not NAT'd.
> I happen to like the command line interface more on the netscreen. I can
> tftp configs to and from the box, etc.
> With the netscreen you can talk to it via ssh, which if you are
> maintaining a firewall remotely can be a good thing.
>
> (I don't work for netscreen, I have just used their devices and happen to
> find them useful.  It is like getting a full sized firewall for $500.
> For businesses they are very nice.  That said though I
> also have a netgear cable router on my connection at home.  If I could
> justify it I would probably spend the extra money on the ns5, but
> considering I got the netgear for $50 after rebates a couple of months
> ago it is hard to justify the $450 difference.)
>
> Mary Stevens
>
> On Thu, 21 Jun 2001, Stephen Chowning wrote:
>
> > What does Netscreen 5 do that the cable/dsl routers/firewalls don't?
> > IOW, why pay $500 for the Netscreen vs. under $200 for the cable/dsl
> > router/firewall?
> >
> > Christopher Gripp wrote:
> >
> > > I'll address your later question first.  If using software on a PC it
> > > will likely use 2 ethernet cards.  One will typically connect directly
> > > to the ethernet cable coming from the ISP device (cable or dsl modem)
> > > the other would plug into a hub with all other workstations.  Those
> > > workstations would then point to that 1 PC as their path to the
> > > internet or anything else that is not on their local lan.  This can be
> > > a cheap and easy implementation but you would need to add the cost of
> > > the PC to the cost of the software to get an accurate estimate.
> > > Compared to say a Netscreen 5 or some other VPN hardware that can do
> > > firewalling, vpn and routing, it begins to not look so cheap.
> > >
> > > A lot of people on this list like to use xNIX based products like
> > > FreeSwan for VPN, and other apps for firewall, routing and such.  But
> > > that would require you to be familiar and comfortable with setting up
> > > linux or some other variation of unix.
> > >
> > > If your TCP/IP experience is limited an "appliance" like the NS5 will
> > > do very nicely and they come in 2 models.  10 user and unlimited
> > > user.  The cost is ~$500 and $1000 respectively.  There are others but
> > > in my experience I like NS the best.
> > >
> > > Christopher S. Gripp
> > > Systems Engineer
> > > Axcelerant
> > >
> > > -----Original Message-----
> > > From: Stephen Chowning [mailto:schowning at home.com]
> > > Sent: Thursday, June 21, 2001 9:18 AM
> > > To: VPN at SECURITYFOCUS.COM
> > > Subject: Clarity, please
> > >
> > > I am (sooner or later) going to hook a (mostly Mac, one PC) small lan
> > > to a cable modem internet connection. I have looked at various
> > > hardware solutions (cable/dsl routers) available for under $200. And
> > > at software solutions such as IPNetRouter for under $100. IPNetRouter
> > > claims to do all that a hardware device does for less money. As the
> > > hardware devices are not that much more $, I don't feel that this is a
> > > major issue. I would like to implement VPN also, so I would like to
> > > know which option hardware vs. software is the better solution
> > > especially as it pertains to implementing VPN, but also in a more
> > > general sense, i.e. ease of setup/use, security, etc. From reading the
> > > posts to this newsgroup, I suspect that the main difference will be
> > > what my cable co. allows or disallows as far as encrypted packets.
> > >
> > > On another note, does anyone feel like explaining how the software
> > > solution protects the non-gateway machines on the lan? I believe that
> > > I understand how the hardware works, having an upstream and a
> > > downstream connection. But my simple, small lan has an ethernet hub
> > > with all devices plugged into it. Would the gateway machine need two
> > > ethernet cards, one designated as "upstream", the other "downstream"
> > > plugged into the hub?
> > >
> > > Thanks,
> > > Steve
> > >
> > > VPN is sponsored by SecurityFocus.com