[vpn] vpn question

Sandy Harris sandy at storm.ca
Wed Jan 23 10:54:26 EST 2002


Markwat at aol.com wrote:
> 
> I have a 5 branch company with 50 pc's throughout. Headquarters has 34, and
> there are 4 in each of the others. We are on a Windows NT network, and our
> locations are connected by frame relay at 64 Kbps. We utilize VoIP.

I would suggest you should use IPsec, although I believe earlier Windows
versions offer some VPN functionality via PPTP. See www.counterpane.com
for papers describing serious flaws in PPTP.

2000 and XP, but not NT or 9x/ME, include IPsec. So do many firewall
packages including some for NT, many routers, various dedicated boxes, ... 

> To save money, and give me the ability to get higher bandwidth, I would
> like to get rid of the frame relay, and switch to a VPN. I have done a lot of
> research, but am still confused as to whether I can simply implement Windows
> NT (or Windows 2000) software VPN, or if I need to implement a hardware based
> VPN. I also am considering the possibility of outsourcing. Can you offer me
> some advice?

For a network of that size, and moderate bandwidth, you could certainly use
software, given some reasonable boxes as the gateways. Some estimates of
software performance -- for a Linux IPsec, but 2000 or XP shouldn't be too
different -- are at:
http://www.freeswan.org/freeswan_trees/freeswan-1.94/doc/performance.html

That you could use software does not necessarily mean you should.

Some IPsec products are "only clients", they will do IPsec for the machine
they are installed on, but will not work as a gateway doing IPsec for a
network behind them. I have been told Windows 2000 Pro is in this category
so you have to buy the server version for gateway applications. (Someone
who does more Windows work than I please leap in and confirm or correct
this!)

If that is the case, buying a dedicated VPN box may be cheaper than doing
it with Windows. Even if it costs more, the dedicated box may be easier
to administer.

Also, check with the vendors of whatever routers and firewall products
you use. Most of these now offer IPsec, and several provide methods of
integrating with NT security management. 

Likely otherwise surplus PCs running an Open Source IPsec implementation
could handle this. This would be a reasonable choice if you have some
Unix expertise in the shop, likely not otherwise. www.freeswan.org for
Linux IPsec, or any of freebsd.org netbsd.org or openbsd.org.
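To make the "gateway for a network behind it" point concrete, here is an added example (not part of the original post or of the FreeS/WAN project's documentation) of a FreeS/WAN 1.x ipsec.conf for a headquarters gateway with two of the four branch tunnels defined as subnet-to-subnet connections. All addresses, subnet ranges and the truncated RSA key strings are constructed placeholders; each tunnel carries the whole branch LAN rather than only the gateway host itself, which is what a client-only product cannot do.

```ini
# /etc/ipsec.conf on the headquarters gateway (constructed example)
config setup
    # outside interface is whichever one holds the default route
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    # keep retrying forever so a flapping link re-establishes on its own
    keyingtries=0
    # RSA signatures from ipsec.secrets, not a shared passphrase
    authby=rsasig
    pfs=yes

# headquarters (left) <-> branch 1 (right); placeholder addresses
conn hq-branch1
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    leftnexthop=192.0.2.254
    leftrsasigkey=0sAQ...HQ-PLACEHOLDER...
    right=198.51.100.1
    rightsubnet=10.0.1.0/24
    rightnexthop=198.51.100.254
    rightrsasigkey=0sAQ...BRANCH1-PLACEHOLDER...
    auto=start

# same pattern for each further branch; only the right side changes
conn hq-branch2
    left=192.0.2.1
    leftsubnet=10.0.0.0/24
    leftnexthop=192.0.2.254
    leftrsasigkey=0sAQ...HQ-PLACEHOLDER...
    right=203.0.113.1
    rightsubnet=10.0.2.0/24
    rightnexthop=203.0.113.254
    rightrsasigkey=0sAQ...BRANCH2-PLACEHOLDER...
    auto=start
```

Each branch gateway carries the mirror-image conn with the same names, so both ends agree on which subnets the tunnel protects; `ipsec auto --status` then shows each conn as established or not.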
