[vpn] best SOHO devices
Travis Watson
rtwatson at qwest.net
Sat Apr 13 20:05:06 EDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Bill,
I have heard quite a bit of good feedback on the Netscreen
5xp--though the central management piece has yet to be explored some.
If I may offer a word to the wise--don't go Nortel. That's actually
what my company is using now and I like it less and less each day.
In fact, we hate it so much that we are going with a different
product and scrapping our entire Nortel-based VPN solution (this is
coming from a Fortune 100 company). They are rather stable, yes.
But they are hugely expensive, the support leaves much to be desired
(and isn't cheap either). You *cannot* manage them centrally.
(Nortel will argue that you can, but the best you can do is run off a
central LDAP. Configs, OS release, patches, etc., are all done one
machine at a time. Beyond that, the central LDAP that they actually
do offer is notoriously difficult to configure and hard to use. And,
to make matters worse, the management is clumsy at best--hugely
frustrating at worst. Though very intuitive, it takes several
minutes to make a simple change through their web interface. It
takes 30 minutes or more to make rather large changes--25 minutes of
which is spent watching the web browser chug along. Until 4.1 was
released, *no* configurations could be done via command line either.
Even with the 4.1 release, the command line interface is hard to use
due to hyperactive timeouts and staring at the screen--waiting for it
to finally go into memory.
When doing an OS upgrade, one runs the risk of blowing away every
configuration and having to rebuild from scratch (I learned that the
hard way). And when restarting one with a new ldap file, you run the
risk of blowing away your ssl certs--which can't be recovered, only
re-imported.
Compounding matters is their reliance upon Entrust for a PKI product
since they--last I heard--owned 25% of it. Entrust is hugely
expensive and very difficult to work with and...they've been in bed
with Microsoft for so long that trying to get it to run on anything
but MS is challenging at best (Solaris is your only other option,
actually). In my humble opinion, anyone who argues to run a PKI on
Windows should be publicly flogged. We actually received
documentation regarding configuring Entrust on Solaris that
specifically stated that it was for Windows 2000. When we argued
that a mistake must have been made, we were told "the configuration
is the same." (I suppose we were supposed to edit the Solaris
registry).
To pile on to my diatribe, unless there have been improvements made
to the 4.1 code, there is no way to manage the device securely unless
you actually come in as a client. It's all port 80 and 23. So, any
hacker wannabe on the inside with a packet sniffer has my username
and password and there is nothing I can do about it.
In short, I think Nortel is trash--particularly for the money they
charge. I would hate for you and/or the nice people who contribute
to this newsgroup to be saddled with their products. Let them go
bankrupt and/or be bought out by a company that actually knows how to
deal with customers, make a decent product, and make money.
Sorry to vent like this, but I am so sick to death of both Nortel and
Entrust that I would like to urge, very strongly, anyone thinking
about either product to change their minds very quickly. Believe it
or not, I actually left out a lot of details that would pile on to my
rant.
A FreeS/WAN solution with iPlanet's Certificate Manager product would
not only be far, far cheaper, but immeasurably better. (For the
record, I don't work for Sun and/or iPlanet).
Regards,
Travis
- -----Original Message-----
From: Duross, Bill [mailto:Bill.Duross at stratus.com]
Sent: Thursday, April 11, 2002 11:41 AM
To: 'Travis Watson'; Vpn at Securityfocus. Com
Subject: RE: [vpn] best SOHO devices
I too am an avid Nokia Crypto fan although it would have been nice if
they had incorporated a stateful firewall (they actually had in the
CC100 which was never released!). I've been looking at replacements
over the last few months. If cost is an important factor, take a look
at the Netscreen 5xp. It meets all of your requirements although I'm
not quite clear on your NAT scenario. If $ isn't as much of an issue
I'd take a close look at the Nortel Contivity line. I haven't lab
tested it yet, but it looks good on paper and in their lab.
Hope that helps,
Bill
- -----Original Message-----
From: Travis Watson [mailto:rtwatson at qwest.net]
Sent: Sunday, April 07, 2002 10:39 AM
To: Vpn at Securityfocus. Com
Subject: [vpn] best SOHO devices
Hi,
I'm looking for feedback on the best SOHO device in your opinions.
So, if it were you and/or your company, what device would you
recommend as the best SOHO VPN device around the $500US range?
Please keep in mind that I would like it to:
1) Be able to do IPSec b2b's with T-DES/SHA-1 and IKE group2
(1024-bit) primes.
2) Be able to play nice with others
3) Be able to NAT internally (i.e. have the distant end provide it
with IPs and be able to NAT to those IPs without disturbing the
networking schema of the internal net. Commonly, we find business
partners that have non-routable space assigned to their workstations.
If we provide them with IPs, we don't want to have to mandate that
they re-IP their network).
4) Be able to support 5 to 25 users (understanding that the licensing
cost may well increase for users beyond 5 or 10).
5) Have 24x7 support available.
6) Can be managed remotely in a secure manner (centrally would be
even more preferable).
7) Have client software available (not critical and, again,
understanding that client software may involve further costs).
We have been recommending Nokia cc500s for branch offices up to now,
but--though we like them--they are well above the $1000 range for
hardware and support. Additionally, they are not really the best SOHO
solution in that it's a bit of overkill for three sales guys stuck in
a remote office somewhere that just want to read their email and
obtain files off of shares.
Plus, of course, they will be EOL this year.
So, I suppose I'm looking for something that will have close to the
functionality of a cc500 but is less powerful and more affordable.
Any and all feedback is much appreciated.
Regards,
Travis
rtwatson at qwest.net
VPN is sponsored by SecurityFocus.com
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBPLjHsWi85ZG+FfBoEQIbQgCgurcsKxSWL9FCULZfnSFJj6Rk058AoJIK
d0yjFeCc82DLzxILoCcVI56r
=5aYT
-----END PGP SIGNATURE-----