Are the VPN Alternatives Enterprise Ready?
steve asks: "There has been some talk about the newer alternative to true VPN lately. Are products like Netilla or Neoteris enough to replace the typical 'extranet'? Most are based on simple SSL technology and somewhat limited in what applications you can run or use them for, but they do give a simple web-based interface. Has anyone out there played with any of these? Are they truly worth a look yet? Would you be concerned about potential browser issues (security or otherwise) creating a back door on your nice firewall?"
So, the very people who should be using it, users out in the field won't because they have been burned before. So, I was recently setting up IMAP/SSL and OWA/SSL access to our email server using stunnel as a backup, in case the VPN client doesn't feel like resolving names.
They seem to like this, so I was also looking at using one of the many variants on smb2www over SSL to provide backup access to our NT file servers, but I wanted to limit what servers and shares they could see this way from the outside. If these products can do that, then I might just recommend them for our company!
Balam
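The stunnel arrangement Balam describes (IMAP and OWA wrapped in SSL as a fallback when the VPN client misbehaves) can be expressed as a single stunnel configuration. The file below is an added illustration, not Balam's actual setup or anything from the stunnel project; it assumes stunnel 4's configuration-file syntax, and the internal addresses, certificate paths and hostnames are constructed placeholders. The point of interest for the question in this thread is that each exposed listener forwards to exactly one internal host and port, so the gateway only ever reaches the mail server and the OWA front end rather than acting as a general tunnel into the LAN.

```ini
; /etc/stunnel/stunnel.conf  (added example; paths and addresses are placeholders)

; Server certificate and private key presented to remote clients.
cert = /etc/stunnel/mail-gw.pem
key  = /etc/stunnel/mail-gw.key

; Drop privileges and confine the daemon after binding the listening ports.
setuid = stunnel
setgid = stunnel
chroot = /var/run/stunnel
pid    = /stunnel.pid          ; relative to the chroot

; Refuse the obsolete SSLv2 handshake; only SSLv3/TLS clients are accepted.
options = NO_SSLv2

; We terminate SSL here and speak plaintext to the internal servers.
client = no

; IMAP over SSL: external port 993 -> internal mail server, plaintext IMAP.
; Only this one host:port is reachable through the listener.
[imaps]
accept  = 993
connect = 10.0.0.5:143         ; placeholder: internal IMAP server

; Outlook Web Access over SSL: external 443 -> internal IIS/OWA on port 80.
[owa]
accept  = 443
connect = 10.0.0.6:80          ; placeholder: internal OWA front end
```

Because the backend hops are plaintext on the internal network, this is only appropriate where the stunnel host sits next to the mail servers on a trusted segment; the gain over an open VPN is that a compromised remote client gets IMAP and HTTP to two named hosts, not routed access to everything behind the firewall.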
Great info on using Windows 2000/XP with FreeS/WAN here: http://vpn.ebootis.de/.
We've been using a Win2K server as our VPN server up until now. It works well enough for the 3 to 4 people who use it regularly, plus my boss and myself. We've had some problems with DNS though. Sometimes when someone VPNs in it causes the server to resolve to the VPN client's IP, even though the DNS server is configured otherwise. Go figure...
It has easily the most confusing documentation and configuration file layout of any VPN-type product I have tried.
Really? I found FreeS/WAN's docs to be amazingly helpful. The config file is certainly a bit different from some of the others out there, but it does work well.
In general IPsec is a great tool for creating VPNs, and since more and more operating systems are including it, it allows for a high level of interoperability (Win2k, Linux, and *BSD, and I think Solaris 8 all include it). The FreeS/WAN people have lots of interop documentation on their site, and as more is written a lot of the current voodoo will be eliminated.
I have recently been doing some interop testing of X.509 certificate-based IPsec authentication between Linux and the KAME implementation (NetBSD, FreeBSD, BSDI), and am writing a document describing the process right now (available at http://web.morgul.net/~frodo/docs/kame+freeswan_interop.html, though it's not done yet). Certificate-based authentication is great because it eliminates the key distribution problem and makes large-scale deployment a possibility.
noah
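To make noah's point about certificate-based authentication concrete, here is what a FreeS/WAN gateway configuration for certificate-authenticated road warriors looks like. This is an added example, not noah's interop document or FreeS/WAN's shipped configuration; it assumes FreeS/WAN with the X.509 patch (the `leftcert`, `rightca` and `%cert` directives come from that patch rather than stock FreeS/WAN, so check them against the version actually installed), and the subnet, file names and distinguished names are constructed placeholders. Contrast it with pre-shared keys: no per-peer secret has to be exchanged, because any client presenting a valid certificate from the named CA is admitted, and revoking one client is a CRL entry rather than a rekey of the whole fleet.

```ini
# /etc/ipsec.conf  (added example; names and addresses are placeholders)

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	# One tunnel per peer identity; a reconnecting client replaces its old SA.
	uniqueids=yes

conn %default
	keyingtries=0
	# RSA signature authentication, with both public keys taken from X.509
	# certificates instead of being pasted into the config (X.509 patch).
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

# Gateway side: accept any client that presents a certificate issued by our CA.
conn roadwarrior
	left=%defaultroute
	# Gateway certificate in /etc/ipsec.d/certs/, private key via ipsec.secrets.
	leftcert=gatewayCert.pem
	leftsubnet=10.0.0.0/24
	# Client address is unknown in advance; identity comes from its certificate.
	right=%any
	# Only certificates chaining to this issuer are accepted (placeholder DN).
	rightca="C=XX, O=Example Corp, CN=Example Corp CA"
	# Load the connection and wait for the client to initiate.
	auto=add
```

The CA certificate goes in /etc/ipsec.d/cacerts/ and its CRL in /etc/ipsec.d/crls/ with the X.509 patch; without a current CRL the `rightca` line still authenticates issuers correctly but cannot reject a certificate that has been revoked, which is the operational piece that makes large-scale deployment manageable.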