[c-nsp] Re: VPN Solutions

Joel Snyder Joel.Snyder at Opus1.COM
Thu Dec 2 07:13:05 EST 2004


 >While on the topic, can someone list pros/cons of a windows server
 >based VPN concentrator versus a VPN3000 or IOS device?

Unfortunately, there are not (yet) any good VPN solutions which work 
equally well for site-to-site and remote access projects.  I'm assuming 
we're talking IPsec, not PPTP.

Windows VPN servers are good for exactly one thing: other Windows 
clients who are in the same domain.  There is an elegant interface 
within W2K that allows you to define policy for encryption and members 
of the domain will not only automagically authenticate using 
certificates issued by the (largely defective) W2K free CA plus the user 
credentials, but will update policy transparently.

The main issues with W2K VPN servers are (a) most people on laptops are 
not that closely linked to the corporate mothership that they are 
getting policy pushed down to them, or are running other foreign 
operating systems where the policy push turns into the mother of all 
nightmares and (b) Microsoft chose the 100% standards compliant route, 
so they force L2TP inside of IPsec in order to handle user 
authentication and IP address assignment, which effectively eliminates 
the possibility of efficient split tunneling and brings a substantial 
performance hit on remote workers.

So the Windows VPN server is great for, say, a remote office where you 
own the PCs and control them and they don't move around and you have a 
nice speedy broadband connection but don't want to do a real 
site-to-site VPN.  It's also good, of course, if you want the PPTP kind 
of VPN.

When it comes to pure site-to-site VPN, Netscreen is probably the leader 
in terms of technology.  Unlike Cisco, they have a real management 
solution for complex VPNs, plus they do it FAST and CHEAP.  There are 
other entrants in the fast+cheap game (SonicWALL, WatchGuard, and even 
Fortinet is bubbling up there), but all have lousy management 
interfaces.  Cisco's interface is positively embarrassing, more so 
because they have taken a step BACKWARDS from their earlier VMS which 
kind-of worked and was a little slow to the current VMS which works even 
less and is even slower.   Check Point does a great job, but doesn't 
fall into the cheap category.

Netscreen, however, thoroughly screwed up their remote access solution. 
They had a great looking one, but rather than clean it up and perfect 
it, they basically killed it---and bought Neoteris to solve the problem. 
So if you like remote access VPN & Juniper/Netscreen, you have to go 
SSL VPN.  Nokia just released their own-developed SSL VPN client tool 
last week, if you like alternatives and want to go down the SSL VPN route.

For remote access VPN, it is difficult to beat the Altiga (VPN3000) box.
With role-based access policy and a huge pile of options (most of which 
you'll never care about), it's really an enterprise-class solution even 
in the smallest box.  Plus, the multi-client stuff (Win/Mac/Linux) is 
sure to keep most people happy.  Policy management is not as slick as it 
could be, but it's good enough to keep the hounds at bay nowadays. 
Nortel (Contivity) and Check Point also do excellent jobs here, but this 
is the Cisco NSP list, right?

If you insist on using a pure-Cisco solution, IOS can be coerced into 
doing a perfectly good IPsec site-to-site (as can PIX); the issue is 
management over all else.  If it's a tiny network and you don't have to 
go to VMS or can manage it all CLI, IOS is good code for the 
site-to-site stuff.

Unfortunately for Cisco fans, they have never been able to successfully 
put site-to-site IPsec and remote access IPsec into the same box.  But 
they're both there, but Altiga's site-to-site is awful, and IOS/PIX 
remote access is double awful.  So you have to buy two boxes if you like 
the all-Cisco solution.

I did some extensive testing on this stuff which is at www.nwfusion.com 
although a bit dated.  But, the products have not changed significantly 
since then; the big change has been the SSL VPN factor.

jms


-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
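The post says that wrapping L2TP inside IPsec (the Windows approach) costs remote workers performance compared with plain IPsec. The script below is an added example, not part of the original mail, that makes the per-packet part of that cost concrete: it computes the bytes each encapsulation adds to an inner IP packet, and the largest inner packet that still fits a 1500-byte path MTU without fragmenting. Header sizes are taken from the relevant RFCs (ESP per RFC 4303, L2TP per RFC 2661, PPP per RFC 1661, UDP encapsulation per RFC 3948); the choice of a 6-byte L2TP data header and a 2-byte PPP header (address/control field compression on) is an assumption of this example, as are the cipher and integrity algorithm names used as dictionary keys.

```python
"""Per-packet overhead of ESP tunnel mode versus L2TP-over-IPsec.

Plain IPsec remote access (VPN3000 style) carries the inner IP packet in
ESP tunnel mode.  L2TP/IPsec (Windows style) carries UDP/L2TP/PPP/inner-IP
in ESP transport mode.  Header lengths below come from the RFCs; the
minimal L2TP and PPP headers are this example's assumptions, not values
from the mailing-list post.
"""
import math

IP_HDR = 20          # IPv4 header, no options
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad length + next header
L2TP_HDR = 6         # data message: flags/version, tunnel id, session id (assumed minimal)
PPP_HDR = 2          # protocol field only, ACFC negotiated (assumed)

# cipher name -> (block size, IV length) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity name -> ICV length in bytes
ICV = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_payload_len(plaintext_len, block):
    """Length of the ESP payload once padded so payload+trailer is a block multiple."""
    return math.ceil((plaintext_len + ESP_TRAILER) / block) * block


def ipsec_tunnel_overhead(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Bytes added to an inner IP packet of inner_len bytes by ESP tunnel mode."""
    block, iv = CIPHERS[cipher]
    outer = IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv
    return outer + esp_payload_len(inner_len, block) + ICV[integ] - inner_len


def l2tp_ipsec_overhead(inner_len, cipher="aes-cbc", integ="hmac-sha1-96", nat_t=False):
    """Bytes added by L2TP/IPsec: ESP transport mode protecting UDP/L2TP/PPP/inner IP."""
    block, iv = CIPHERS[cipher]
    plaintext = UDP_HDR + L2TP_HDR + PPP_HDR + inner_len
    outer = IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv
    return outer + esp_payload_len(plaintext, block) + ICV[integ] - inner_len


def max_inner_len(mtu, overhead_fn, **kw):
    """Largest inner IP packet whose encapsulated form still fits in mtu bytes."""
    for inner in range(mtu, 0, -1):
        if inner + overhead_fn(inner, **kw) <= mtu:
            return inner
    return 0


if __name__ == "__main__":
    for name, fn in (("ESP tunnel mode", ipsec_tunnel_overhead),
                     ("L2TP/IPsec", l2tp_ipsec_overhead)):
        print(f"{name:16} overhead for 1000-byte packet: {fn(1000)} bytes; "
              f"max inner packet at MTU 1500: {max_inner_len(1500, fn)} bytes")
```

Run stand-alone, the script shows that L2TP/IPsec adds 16 more bytes per packet than ESP tunnel mode with the same cipher and, more importantly for throughput, lowers the largest unfragmented inner packet; pass `nat_t=True` to see the extra 8-byte UDP header that NAT traversal adds to either form. The per-packet numbers understate the full cost the post refers to, since the PPP/L2TP session also adds keepalive and control traffic, but they show why the extra layer is not free.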