Are the VPN Alternatives Enterprise Ready?

← Back to Stories (view on slashdot.org)

Are the VPN Alternatives Enterprise Ready?

Posted by Cliff on Wednesday April 3, 2002 @03:38AM from the waiting-for-maturity dept.

steve asks: "There has been some talk about the newer alternative to true VPN lately. Are products like Netilla or Neoteris enough to replace the typical 'extranet'. most are based on simple SSL technology and somewhat limited in what applications you can run or use them for but they do give a simple web based interface. Has anyone out there played with any of these? Are they truly worth a look yet? Would you be concerned about potential browser issues (security or otherwise) creating a back door on your nice firewall?"

26 comments

Min score:

Reason:

Sort:

Sounds interesting! by balamw · 2002-04-03 04:27 · Score: 3, Interesting

We've been using a Compatible Systems Intraport 2 (now aka Cisco VPN5000, and end of lifed) for IPSec based VPN services for a few years now. The number one problem we've had is the clients establish a good connection, but then clients can't seem to be able to resolve names reliably using WINS, so they need to hardcode some of our server addresses in LMHOSTS. (NOTE: Recent clients seem far more robust in this respect).
So, the very people who should be using it, users out in the field won't because they have been burned before. So, I was recently setting up IMAP/SSL and OWA/SSL access to our email server using stunnel as a backup, in case the VPN client doesn't feel like resolving names.
They seem to like this, so I was also looking at using one of the many variants on smb2www over SSL to provide backup access to our NT file servers, but I wanted to limit what servers and shares they could see this way from the outside. If these products can do that, then I might just recommend them for our company!
Balam
1. Re:Sounds interesting! by SuiteSisterMary · 2002-04-03 04:59 · Score: 2
  
  I just find that VPN tends to be a real hit/miss sort of thing; it's delicate, it's fragile, and split networks present a lot of programs some very real difficulties. And heaven help you if you're trying to VPN *out* through a firewall. Once you've got one working though, especially if you've broadband at home, you're golden.
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
2. Re:Sounds interesting! by squeegee-me · 2002-04-03 05:29 · Score: 1
  
  Not ment to be a target for flames, but one of many things I did learn at my old job is this:
  
  Microsoft Networking - It's broke it's broke it's broke it's broke it's broke it's broke it's broke...
  
  We had a similar problem with our two offices and name resolution. We implemented WINS on both sides of the WAN and it still never quite worked right, until we switched everyone over to the new w2k domain that had WINS on both the PDC and BDC, and ran DHCP instead of static IPs. End result, it worked, usualy, and users liked having the new harware to support w2k pro.
  
  --
  Who wants Pork Chops?
3. Re:Sounds interesting! by wfrp01 · 2002-04-03 05:49 · Score: 2
  
  I'm also using a 5000 (5001, to be precise). We got it because Cisco provided a Mac client. Like you say, now it's end of life. The equivant 3000 series box they're willing to trade us has no Mac client. Interesting that you say the WINS problem was alleviated by newer clients. I had the same problem. It eventually went away, but enough things had changed that I was never really sure which change actually precipitated the improvement...
  
  The thing that scares me about the Netilla product is the phrase proprietary adaptive Internet protocol (AIP) which can be found on their technology overview page. These both look like very interesting products, but proprietary anything scares me. Because ipsec is an open protocol, I can compare the advantages/disadvantages of using the discontinued 5001, a less-capable 3000 series, or FreeS/WAN, for example. There are also a number of ipsec clients to choose from. What happens if Netilla goes out of business? With no competition, how do I know I'm paying a fair price? Etc.
  
  I haven't been able to find any information about the technology underlying the Neoteris solution.
  
  I guess my basic point is that we've been slowly migrating toward open solutions, where possible. I'd hate to start moving back in the other direction. We willingly paid good money for the convenience that the 5001 offered. I like the idea here, but I really can't see how it's necessary to make something proprietary to sustain a good product.
  
  The primary differentiating factor here seems to be the web based client. Using PFS, 3DES, and proper authentication, there's no need to worry about ipsec security. Ipsec clients come standard w/ Windows 2000 and XP. There are readily available Mac clients as well. I'm also not understanding how, say, browsing SMB shares via a web browser would work. Why not use the highly evolved tools available w/ the OS for doing this?
  
  I could certainly use some more info, but for now, I'm fine w/ ipsec.
  
  --
  
  --Lawrence Lessig for Congress!
4. Re:Sounds interesting! by balamw · 2002-04-03 07:15 · Score: 1
  
  I agree wholeheartedly with everything you say. The use of IPSec and availability of Mac and linux clients for the IP2 was also the main draw for us. (Even though we have only ever had Win clients). However I'm not entirely adverse to a proprietary solution that converts from one set of standard protocols to another.
  Unfortunately, I guess we just bought into IPSec too early, before it had matured. According to various people on the the mailing list there have been few reports of successful interoperability between the VPN5000s and either the native W2K client, Free S/WAN or pretty much anything else that might be useful for a remote and mobile client. :-( (Yes, some point-to-point tunnels seem to work.)
  As one of the other respondents mentioned, the primary reason I was looking at providing some access to SMB over WWW is that the early MS clients themselves are broken, due to their reliance on fragile technologies like the NT domain model and WINS. (Look at all the work the samba guys have had to do to replicate obscure undocumented behavior that the clients expect). By comparison IE and HTTPS are extremely robust.
  Anyhow, I'm glad that MS has seen the light and AD/Kerberos/LDAP seems far superior, but I just don't see an upgrade in the cards for us due to the heavy licensing costs. (Mainly the cost to upgrade all of our CALs). We also still have to support the many potential 9x/ME clients out there, and can't simply mandate that only remote access from 2K and above will be supported.
  As an aside, my own personal backdoor to our network has been to ssh over to to one of the linux boxes and use the command line tools to do whatever I want. I've also successfully used VNC over ssh to access apps on my destop, and provided this capability to others in the company when they have needed it.
  Last, but not least (and slightly OT) I just don't "get" how the native 2K IPSec client is supposed to work over dialup to a random ISP POP. There does not seem to be a way to turn on or off the IPSec tunnel in a similar way to the Cisco client behaves. Am I missing something?
  Balam
5. Re:Sounds interesting! by wfrp01 · 2002-04-03 07:42 · Score: 2
  
  I'm not entirely adverse to a proprietary solution that converts from one set of standard protocols to another.
  
  Hmm, which part is proprietary, and which is not? The Cisco VPN clients are proprietary, for example, but the ipsec protocol is not. So I don't feel I'm in much danger of committing to the vagaries of a particular vendor. There must be a java client, if these things word via web browsers. Is that the proprietary piece? I see SSL and certificates mentioned - that part is certainly open.
  
  As for turning the native 2K client on and off - I know that via the mmc ipsec snap-in you can toggle the active state of your defined ipsec policies on and off. Via the Options... dialog, you can limit user actions, and then save the whole thing to the desktop. Not quite as simple as the Cisco client, but not too awful. I've been dealing with the Cisco clients myself, so I'm still figuring this out myself. It's something I've started looking at though, due to the 5001 being discontinued and because of our desire to have some form of redundancy in place. FreeS/WAN on a couple of boxes costs a lot less than a couple of (discontinued/lacking-clients) Cisco boxes. Not sure where we're headed with this yet, though...
  
  --
  
  --Lawrence Lessig for Congress!
6. Re:Sounds interesting! by dago · 2002-04-03 08:24 · Score: 2
  
  There is a client for cisco 3000 series for Mac. In fact, there's a Cisco client for MacOS X and another (can't get the name now) for older versions (or at least 9.x)
  
  --
  #include "coucou.h"
7. Re:Sounds interesting! by wfrp01 · 2002-04-03 09:37 · Score: 2
  
  Can you point me to a link? According to this, the VPN 5001 can be swapped for a 3030. The itemized list of clients on the 3000 series page doesn't include Mac.
  
  --
  
  --Lawrence Lessig for Congress!
8. Re:Sounds interesting! by dago · 2002-04-03 19:58 · Score: 2
  
  I wrote a long answers but it didn't post it ...
  
  anyway ...
  
  cisco.com -> software -> VPN -> 3000 : Clients
  (require cco login and des export authorization)
  
  if you want, I can send it to you.
  
  dago158 at advalvas dot be
  
  other software for macos9 : netlock.com
  
  --
  #include "coucou.h"
has anyone ever used Xserver for this? by BroadbandBradley · 2002-04-03 05:35 · Score: 1, Offtopic

If both ends were Linux Boxen, and I opened an connection Xsession from inside the intranet, would it make lots of issues like DNS mute?

--
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
Useful Windows/Linux VPN link by kableh · 2002-04-03 06:36 · Score: 3, Informative

Great info on using Windows 2000/XP with FreeS/WAN here: http://vpn.ebootis.de/.

We've been using a Win2K server as our VPN server up til now. It works well enough for the 3 to 4 people who use it regularly, plus my boss and myself. We've had some problems with DNS though. Sometimes when someone VPNs in it causes the server to resolve to the VPN client's IP, even though the DNS server is configured otherwise. Go figure...
Re:Modded down by Anonymous Coward · 2002-04-03 08:13 · Score: 0

not to be stupid or anything, but couldn't people just go to http://slashdot.org/palm and not have to deal with your shitty ass formatting? And slashdot is 1000x faster then your shitty ass site!

Oh and still not ads over there!

Thank You for your Time
TheAnonymousCoward
Aim: slshdotfp2002

--

Boycott AfterSlash.org 'cause it sucks!
mod parent up! by balamw · 2002-04-03 09:08 · Score: 1

This looks like a great page, and may just be the solution for those of our remote users on W2K...
I was desperately looking for something like this a few months ago and only found pages describing the converse, i.e. how to connect FreeS/WAN to a W2K Server VPN.
Balam
FreeBSD MPD-Netgraph by GombuMstr · 2002-04-03 09:46 · Score: 2, Informative

We have successfully used mpd on FreeBSD to connect our Windows 2000/98 machines and it has worked flawlessly. We use this for our vendors to support there products and we haven't heard a problem about it. I have tried this with Windows and I could never successfully set it without problems.
VTun, PPTP, Free/SWAN by Anonymous Coward · 2002-04-03 09:54 · Score: 2, Interesting

For Linux to Linux VPNs where network transparency is key, i use VTun and Linux kernel bridging to create a single-subnet VPN, which works great.

Enterprise-ready? Well, i wouldn't know about that, but i did run our companies (40+ person) LAN over a VTun tunnel for 2 months without a problem, where all the servers stayed at one location, and all the clients were at another premise. All connectivity, including internet traffic went over the VTun link.

For Win2K-based road-warrior type applications, i use PPTP with MS-CHAP2 and MPPE extensions, which works well, though Windows Networking doesn't work so well over multiple subnets.

I haven't used this enough to really comment on it's stability/performance

I have Free/SWAN IPSec compiled and ready to test, but it seems like a bit of a nightmare to set up.

It has easily the most confusing documentation and configuration file layout of any VPN-type product i have tried.

Personally, i use VTun between my firewalls at home and work if i need transparent VPN, though ppp-over-ssh and X-over-ssh suffices 98% of the time.
1. Re:VTun, PPTP, Free/SWAN by pmsr · 2002-04-03 10:02 · Score: 2, Informative
  
  Or use Cipe. It comes with Redhat 7.X already and it has a WindowsNT/2000 client. Works like a charm and guess what, it is NATable. No fiddling with firewals. Try that with Ipsec, folks.
  
  /Pedro
2. Re:VTun, PPTP, Free/SWAN by noahm · 2002-04-03 16:30 · Score: 3, Insightful
  
  I have Free/SWAN IPSec compiled and ready to test, but it seems like a bit of a nightmare to set up.
  It has easily the most confusing documentation and configuration file layout of any VPN-type product i have tried.
  Really? I found FreeS/WAN's docs to be amazingly helpful. The config file is certainly a bit different from some of the others out there, but it does work well.
  In general IPsec is a great tool for creating VPNs, and since more and more operating systems are including it, it allows for a high level of interoperability (Win2k, Linux, and *BSD, and I think Solaris 8 all include it). The FreeS/WAN people have lots of interop documentation on their site, and as more is written a lot of the current voodoo will be eliminated.
  I have recently been doing some interop testing of x.509 certificate-based IPsec authentication between Linux and the KAME implementation (NetBSD, FreeBSD, BDSI), and am writing a document describing the process right now (available at http://web.morgul.net/~frodo/docs/kame+freeswan_in terop.html, though it's not done yet). Certificate-based authentication is great because it eliminates the key distribution problem and makes large-scale deployment a possibility.
  noah
3. Re:VTun, PPTP, Free/SWAN by Anonymous Coward · 2002-04-03 17:48 · Score: 1, Informative
  
  CIPE isn't bridegable, even though they say it works on their site.
  
  In the mailing lists, it is revealed that no, it doesn't actually work with bridging.
  
  I wasted so many hours trying to get f*cking CIPE to work before switching to VTun...If you don't need bridging though, yeah it works well.
4. Re:VTun, PPTP, Free/SWAN by Anonymous Coward · 2002-04-05 01:46 · Score: 0
  
  What about PoPTop?
AltaVista/Compaq Tunnel? by Anonymous Coward · 2002-04-03 18:45 · Score: 0

Posting anonymously to protect my employer (don't ask)

We use the AltaVista/Compaq tunnel as the VPN solution where I work. It works well but the client is Windows-only, even though we did manage to find a leaked version of the server (an RPM built for Red Hat 5.2).

Anyone here know if there's any resources for getting THAT working under Linux?
Aspelle & Aventail by Anonymous Coward · 2002-04-12 01:10 · Score: 0

The problem with most VPN alternatives is that they aren't really, instead they are secure web portals. Products like Aspelle and Aventail offer almost full TCP functionality and as such can be used with Telnet, Terminal Services, VNC, etc. A question we deal with often is exactly why someone doesn't want a VPN, and the reasons are often due to a lack of understanding.
1. Re:Aspelle & Aventail by Anonymous Coward · 2002-04-14 02:14 · Score: 0
  
  And also AppGate