Remote Access Solutions for Businesses?
thajeavis asks: "We are in the process of replacing our existing remote access system for IT staff and other faculty/staff. Previously, we were using a Bay Networks (Nortel) Remote Access Concentrator with an ISDN circuit. The equipment failed and the cost of the ISDN PRI is too high based on the low usage. We are presently testing a VPN solution using the employee's own dialup or broadband connection (Cable/DSL). The issue has also come up over who is to pay for the dialup/broadband connection, the employee or the college since it will be used to work from home. I am most interested in what type of solution your institution has in place for remote access for IT staff and who pays for that access. We also are interested in what type of access, if any is available for other faculty/staff. Any insight on this issue will be greatly appreciated."
I work for an integrated circuits manufacturing company.
Our solution for remote connection is two fold. First we contract with AT&T to allow remote dial up from a number of locations. This is free for the employee (except for the required phone line of course).
VPN is also an offered as an option but there is no official policy on who pays for the employees connection. This is a smart policy IMHO. It usually requires the employee to prove they will do useful work at home before the company signs up to pay for a broadband connection.
One should not theorize before one has data. -Sherlock Holmes-
Makes firewalls which handle 10-10,000 users. Buy a smallish one (model 25 or 50), get your 4 10/100 interfaces, stateful inspection, ability to scan viruses, etc. etc. and terminate tunnels. Buy some new (pricey) or used ($250) Netscreen-5 units for the employees with broadband. The Netscreen-5 does 4 MBps at 3DES, 10MBit unencrypted, stateful inspection, all the goodies. They handle DHCP, static or PPPoE interfaces, so it should work with any ISP.
I've rolled out many "home->corporate" VPNs this way, it works like a charm.
I want to delete my account but Slashdot doesn't allow it.
We use cisco vpn, and except for a very few rare cases the employee pays for the broadband connection.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
I work for a company that is one of the USA's largest suppliers of DSL. We can get VPN access, but we have to pay for the DSL (we get an employee discount). The company only supplies the VPN software, and that is tightly controlled.
That policy is mostly for cost cutting reasons. The idea is that it's a privilege to be allowed to work at home (and they don't want to hear about off-hours work) so the employee should pay. They're constantly threatening to kill work at home entirely so we take the deal.
Yeah, I know... but the job market ain't so good these days.
I am a programmer for a software company and occasionally hack from home. We have a VPN in but the employee is generally responsible for his home connection.
... this will clearly show you who 'needs' it and who doesn't.
High speed at home is only $50 a month, plus or minus, which is maybe $30 a month over a decent dial up account. Anybody that is gainfully employed and won't pony up an additional $30 a month for high speed access doesn't consider themselves high enough up the tech food chain / doesn't respect themselves enough as techies to deserve to work from home.
Tech food chain
High Tech (this would be you and I)
Low Tech
Aztek (mouth breathing end users)
Anybody that wouldn't get high speed if they were paying for it doesn't need it bad enough for the company to pay for it. How about anybody that has had it for over a year can start expensing it
Glonoinha the MebiByte Slayer
VPN with a CA unix Gauntlet firewall/VPN setup. The client is very easy to set up and use for anyone, and the GUI is close enough to the NT Gauntlet to get your NT techs over the difference.
Everyone pretty much has cable or DSL, and the company will pay for 1/2 as both parties know that the other would have a dialup at the very least no matter what. This way both sides feel like they are getting a good deal. We also use Citrix on the back end and keep track of the time that the techs are logged into the system. The Citrix server will log them off after 10 minutes of idle time so the company has a track record of who was busy with what, and when.
Good luck.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
What is your satisfaction level with the Bay Networks product? These products have matured into the Nortel Contivity product line, which is the best that I have used, bar none. Just for the record, I have used comparable products from Cisco, Checkpoint, SonicWall, Netscreen, 3Com and *many* more.
Of all the products that I have tried, the Nortel Contivity was the easiest to set up while at the same time offering the most configuration options. The performance has been equal to or greater than all of the other products. There is also a broad array of options for connection interfaces including ISDN, Frame Relay, Ethernet, dial-up and I think (not sure) that they even have a Contivity blade for their Passport 8600 switch.
One important feature that the Nortel offering has over the likes of Cisco is licensing cost. A separate client software license is needed for the Cisco system and many of the others. But Nortel gives the client software away for free. They offer client solutions for multiple platforms and even officially support Linux using FreeSWAN.
My company uses VPN for home access, and they pay for my connection. They used to provide an ISDN line to my home, and I never saw a bill. A few years ago, they switched to using VPN, and now we can file expense reports for our home Internet access (up to some dollar limit). Most people get cable or DSL.
Of course, the employees who qualify to expense their connections are the same ones that are given pagers and are expected to deal with urgent problems promptly during off hours. (They also provide company computers for home use.)
Remember, one big difference between an employee and a contractor is that the company provides the tools necessary to do the job for employees. If VPN access from home is necessary for employees to do their jobs, then the company should pay for it. If it's an optional thing, then the employee can pay for it if he wants to.
It sounds as though you had a bad experience with another Nortel product. I'm not familiar with their Concentrator. However, I have had a lot of experience with the Nortel Contivity Extranet Switch (CES, particularly the 600, 1500 and 4500) and I think they are good, stable, relatively cheap solutions that provide firewall, VPN, dialup, etc. (Just in case you're thinking it, no, I don't work for Nortel.) I've worked with these devices for a couple of years installing and providing support for them with a few govt. agencies. Look for them on eBay.
Just my 2 cents
Co-founder and designer at Music Nearby: http://musicnearby.com
We use two solutions depending on the client side hardware. On company-owned hardware (laptops mostly), they are allowed to use Cisco VPN. Since the VPN is 1) slow, 2) a pita to set up, and 3) flaky, we require an SSH/Remote Administrator combo on user-owned hardware. SSH to a gateway server handles most of the mainframe needs and allows us to eliminate telnet connections directly from the outside, while tunneling Radmin allows them secured access to their desktops. Remote Admin is much faster than VNC (although not as fast as Terminal Server), and can be configured for NT authentication.
Show me what you want, and I'll show you how to get along without it...
Check out Netilla
http://www.netilla.com
Nortel VPN was used. However, in subsequent jobs, SSH was more flexible and lower cost (using non-standard ports to make port scans more time consuming). I preferred SSH, since a client wasn't even needed (you can use a web browser with an SSL-protected Java client, like JavaSSH). I was able to securely access from the road by logging in from a public library. That's something that is difficult or impossible to do with a VPN. No dongles or SecurIDs to lose or manage either.
Can You Say Linux? I Knew That You Could.
We use Cisco VPN. The concentrator is a 3005 and everyone just uses the Cisco VPN Client software. It works great. If you have a need to work from home the company pays your broadband fee. If not, you can pay it.
It's about the simplest solution I could hope for. I rarely ever need to even touch the 3005. For people that can't get broadband we have a dial-in access router with a PRI line.
It would have been nice to know what OS[es] - client and server - you are using, as well as things like the number of clients you expect.
They have Linux, Windows, and Mac clients, and our implementation uses SecurID for authentication, so at least it seems secure. (Not being a security expert I have no idea if it actually is.)
DeMilitarized Server-100 had a good article on business RAS a couple weeks ago. Pretty extensive coverage, IMHO.
--there's a previous model of "cost of working" that is well established. Usually an employee who must physically travel into work pays for this travel out of their own pocket: auto, gas, etc., normal commuter expenses. That is usually more than a broadband connection costs. I would think anyone lucky and skilled enough to work from home would gladly pay a nominal fee such as this for their job access. In sales where travel costs are deductible, it usually doesn't apply until after the first 50 miles daily (IIRC), again, much higher than a monthly broadband account most places. In other words it's such a good deal for the employee compared to the alternative they should just pony it up. If your employer wants to pay it, well, that's cool too, but expecting them to pay for your physical or electronic travel just to "get to work" every day is not usually a normal expense most employers pay.
As to related expenses, not sure in the white collar IT world, but in the blue collar world most jobs I have had require that I personally own and pay for "tools" which cost a lot more in aggregate than most laptops. If it was me I would just assume before even applying anywhere that an IT job would require me to have and own a laptop, and I would already own one being an "IT" guy, although if I worked inside a cube exclusively I would expect the employer to have the workstation. This is just normal: when I've had factory jobs I didn't pay for the lathe or bandsaw I was running, but on construction sites 90%+ of the tools I used were my own. I paid for my own specialised work clothing; blue collar, I paid for my own steel toed boots, rugged clothing and hard hat and gloves; white collar sales jobs I have had, I paid for my own suits and shiny shoes, and etc. I never even considered that the employer pay for this clothing.
I would think in today's economy that both employers and employees in IT would just "get real" on pay scales, corporate profits, expectations, and costs of doing business. A little give and take both ways might result in this IT company actually staying in business and everyone concerned remaining employed. I mean, didn't we just go through this dotbomb phenomenon? Was there nothing to learn from this?
I am reminded of the lessons of Eastern Airlines, an old, established, profitable enterprise that tanked swiftly once the 'stupidity and greed' factor became part of the mindset there, and was shared across the board up and down and sideways throughout their organization. A combination of white collar mismanagement and arrogance and severe over-compensation, combined with completely unrealistic blue collar union demands and expectations of compensation, resulted in *no one* at Eastern Airlines having "a job" after a short time frame of this attitude being adopted.
I work for a small (<250 FTEs) high tech telecommunications equipment manufacturer. We provide IPSec VPN access through a Cisco 5001 VPN concentrator (formerly Compatible Systems) using the employee's own 'net connection. If the employee is predominantly out in the field (such as a remote sales person) the company picks up their 'net access, otherwise the employee does.
My wife's Fortune 500 company however provides two tiers of access: Terminal Services (Citrix) to access your Outlook remotely from any machine, or a company-issued laptop with full VPN access, apparently using the built-in Win2K IPSec. She has the Terminal Services option, which requires a SecurID fob. Terminal Services is strange 'cause it doesn't let you do anything useful, such as print documents or access your network drives. So, you have to forward any documents you need to actually work on to an external address and back again.
Where I am we are also providing basic connectivity over HTTPS using Outlook Web Access (OWA/SSL) and have been experimenting with various CIFS to HTTP products to provide access to network shares. This takes care of 90% of users in a relatively easy and secure way.
Balam
Internet access was paid for by the employer. Phones/pagers are a bit more complicated. For sure the employer should pay for all work related calls - even better would be to get a separate line just for work and expense the whole bill (cell/land line/pager).
ssh was my preferred solution for when I could work at home. With X forwarding and DSL, being at home was exactly the same as at the office. (I had an NCD on my desk, not a full computer.) It worked, and is cheap. It didn't work for Windows, but many people didn't have Windows at home. Those that did have Windows used some other solution.
My company, 80 users, uses a Nortel Contivity 1700, which provides up to 5000 end user tunnels. We've got a couple of Branch Office tunnels set up, and they also work great. It was in the area of $3700, and it's easy to administer and install.
My company does not pay for net access for our users (not even IT staff :-(), I wouldn't expect it though, we're still too small a company.
Bummer parts: I've not really been able to test the Unix/MacOS client, but it costs money. Only the Windows clients are included with the device. You can use FreeSWAN, but AFAIK, you have to make a Branch Office Tunnel for each FreeSWAN connection, which would suck. I haven't bothered for myself quite yet.
Overall, I'd say stick with the Nortel. The client is good, 2k Domains work great, and most importantly, it's easy for users without much (any) technical skill to install and get running, or you can make packages for them with custom client distributions.
I like music
At the college I work at, we allow staff to connect to school over their existing internet account to one of the Citrix boxes at school; students can do this too. Some students also have a dedicated box donated by the school running a cut-down Red Hat install running a Citrix client directly in X.
simple.
moo
Our company is a small (70 people) software development shop. Since we develop custom apps for windows, we're by necessity a windows shop (for the most part, anyway).
We're using Checkpoint Securemote for VPN access. All employees have roadrunner or dialin access and that is paid for by the company. The Checkpoint client provides complete transparency to the user, so once they are on the VPN they are on our network. Connecting to work from Roadrunner is pretty fast for us, my usual bandwidth runs around 40-60kps.
We do enforce some security policies. You should think long and hard about this for your own company. Technically any VPN client gives your computer gateway capabilities between the internet and your corporate network; the only thing in the way is the client and system security. For windows boxes, it's not much... or say rather that vulnerabilities are always popping up.
We require the following from our users.
1. Firewalling capability at home. We require one of these three.
a) A Linux Gateway w/Firewalling capability
b) A Linksys or equivalent Firewall/switch
c) Zonealarm firewall software installed on the PC running the VPN client.
Most folks go with A or B. We do NOT provide the firewall, that's up to the user.
2. Symantec Antivirus 8.0 installed and active.
We do provide the AV software.
We are almost certainly going to put Ad-Aware into the list of required software in the near future.
We tried out Linux VPN solutions, we were running FreeS/WAN before we purchased Checkpoint. Frankly, Linux VPN is a pain in the ass to administer and set up properly. We tried a half a dozen packages and nothing met our needs. We do not have the time necessary to devote to the maintenance of a Linux VPN solution. It was cheaper to just purchase a prebuilt package. Checkpoint has been very, very good, even providing us with custom patches from time to time.
When you work 'in the office' do you ask your employer to pay for the cost of commuting to work (gas, vehicle maintenance, and/or subway/bus/public transit fare)? No.. of course not - it's expected that you get yourself to work on your own.
The same applies to 'tele-commuting': you're responsible for the cost of the 'commute' to work - in this case some type of broadband or other internet access.
Sure I know if I had the ability to push off the cost of my cable modem to the company I'd do it.. but quite frankly I'd rather not. If they pay for it, it becomes their 'property' and technically anything I did on it would have to abide by their rules (no porn, no mp3s, no instant messaging) and really when you cut that out what's left of the internet?
No client license costs. Download as many as you need, free of charge.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
- VPNs can be a great solution, depending on what kind of network applications you're trying to access. Broadband feels fast, but it's shockingly slow when compared to a 100 megabit switched network. If you're going to transfer many files across the network or are using fat database clients that need access to a network share, it's going to crawl.
- Citrix is a great option if you're wanting to provide a "virtual desktop" sort of environment. Windows 2000's Terminal Services is cheaper (assuming you've already purchased Win2k Server and everyone's connecting from a Win2k Pro/XP Pro box), but it makes less efficient use of bandwidth and doesn't offer nearly the same amount of flexibility as Citrix. Think Linux, Mac, Java clients here -- Citrix can hook you up, but Terminal Services is a Windows-only solution. Odds are you'll want a dedicated multiprocessor box for this.
- I love firewall appliances -- they're easy to set up, require low maintenance, and offer better reliability (no moving parts!) than something running on PC hardware. Most vendors have good options for VPN access as well. Something like a SonicWALL Pro300 costs $2,200, passes 3DES traffic at 45Mb/s, comes with 50 VPN client licenses (supports up to 1,000 on the single box), can be set up as a pair for high-availability, now supports Microsoft's PPTP in case you feel like you need to enable it, etc. I love Cisco solutions, but they might not be the best choice unless you've got someone on staff who's gone to the effort to understand how to make them do what you want. There's a lot to be said for a good web-based interface. Or paying someone to do it for you.
- Linux can be set up to do this for less money (depending on what hardware you've got lying around) and with more configurability, but there's a cost involved. Have someone set it up who understands what they're doing. Use a hardware-based RAID array. Make sure you set things up so that the installation process for client machines can be explained in easy to understand language on one piece of paper. That's front-only, not both sides. Anything else and this can turn into a support nightmare. As a general rule, I'd say that a firewall appliance is the best solution unless you can clearly state why you want to use something different.
- If you're going to use something like Citrix, you can have the client implement encryption and just pass that traffic through your firewall. Not as good a solution as implementing a VPN, but the support costs will likely be lower to support one application (Citrix client) than two (Citrix plus your VPN software of choice).
That's all for now. Hope this helps.
Even with the improvement, it doesn't come close to using the VPN Concentrators. The issues you describe are all addressed by the Concentrators, including your concerns about the "wide open" nature of the VPN connections. (I guess it doesn't really address the speed of your WAN, but there's not much that could.)
It has a very rich suite of policy management features, so that you can restrict the corporate resources available to a given class of user. These policies can be administered on a user, or group basis.
For example, you can set the accounting group in such a manner as they are only able to access the Accounting Servers, and you can limit the ports/protocols that they can use to reach those servers.
If you're already spending a quarter million, you should be able to get Cisco to allow you to demo a 3005 VPN concentrator. My company has arranged for several of our customers to borrow 3005s for a 30 day trial, and each of them has gone on to purchase the unit, or one of its larger, more capable cousins.
That said, I too am a big fan of SSH, and its port forwarding capabilities. It's a very effective, secure, poor-man's VPN.
PuTTY is a pretty good client... I only wish it had serial capabilities, so I could use it to jump on router and switch consoles. As it stands, I have to keep TeraTerm around for console access. It's not too bad, and there are crypto libs available to make TeraTerm a decent SSH client as well, but it doesn't do quite as good a job with terminal emulation as PuTTY does.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
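The per-group restriction the poster above describes (accounting users reaching only the accounting servers, on a limited set of ports) is easy to model as a default-deny allow-list. This is an added illustration, not Cisco's code or the concentrator's policy format; the group names, subnets, ports and users are constructed sample data:

```python
"""Group-based remote-access policy evaluator (constructed example).

Each group gets an allow-list of (destination network, protocol, ports).
A user's effective policy is the union of their groups' rules, and any
flow not explicitly allowed is denied (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    network: str                           # destination CIDR covered by the rule
    proto: str                             # "tcp", "udp" or "any"
    ports: Optional[FrozenSet[int]] = None  # allowed dst ports; None means all

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.network):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.ports is None or port in self.ports


# Constructed sample policy: accounting reaches only its own servers on
# SMB and SQL Server; IT staff get the whole server range; everybody gets
# the webmail front end over HTTPS.
GROUP_POLICY: Dict[str, List[Rule]] = {
    "accounting": [Rule("10.10.5.0/24", "tcp", frozenset({445, 1433}))],
    "it-staff": [Rule("10.10.0.0/16", "any")],
    "everyone": [Rule("10.10.1.25/32", "tcp", frozenset({443}))],
}

# Constructed user-to-group assignments; every user is implicitly in "everyone".
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"accounting"},
    "bob": {"it-staff"},
    "carol": set(),
}


def effective_rules(user: str) -> List[Rule]:
    """Union of the rules from every group the user belongs to."""
    groups = USER_GROUPS.get(user, set()) | {"everyone"}
    return [r for g in sorted(groups) for r in GROUP_POLICY.get(g, [])]


def is_allowed(user: str, dst_ip: str, proto: str, port: int) -> bool:
    """Default-deny check of a single flow against the user's rules."""
    return any(r.matches(dst_ip, proto, port) for r in effective_rules(user))


def audit(user: str, flows):
    """Return (flow, verdict) pairs; denied flows are what you would log."""
    return [((dst, proto, port), is_allowed(user, dst, proto, port))
            for dst, proto, port in flows]


if __name__ == "__main__":
    for flow, ok in audit("alice", [("10.10.5.7", "tcp", 445),
                                    ("10.10.5.7", "tcp", 22),
                                    ("10.10.1.25", "tcp", 443)]):
        print(flow, "ALLOW" if ok else "DENY")
```

An unknown user falls through to the "everyone" rules only, so a misconfigured group assignment fails closed rather than open.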
I work for a financial institution, so security is paramount.
We found that we had serious security concerns with remote access.
We started using RSA SecurID tokens for authentication (and a tie to a database for authorization). That worked well to secure remote access from company owned equipment (where we could control the security, set standards for antivirus, etc), but left a major exposure:
Specifically, with a VPN we could secure the transmission, but couldn't verify the security of the end point. And a big value of remote access is the ability to let people work from home on their own gear (and the inherent cost savings to the company).
So we have a multi-tier solution as follows:
All authorized users can use web services. We make available access to the email system, 3270 access to a mainframe, and some internal applications available to authorized and authenticated users over the internet (HTTPS). These web services have the advantage of being very low cost... almost zero incremental cost per user assuming they are not bandwidth intensive.
People with company-owned equipment (laptops) can use dial-in services, which we provide through Cisco AS-5300's, with strong authentication provided by RSA SecurID. Costs a little to invest in the Cisco gear, and costs a little to support in house.
For those wanting VPN access, we found a company that could address our security concerns... a managed VPN provider called Positive Networks. Positive addresses our security concerns by providing the ability to enforce security policy on the end computer (such as X-brand Antivirus must be installed and running with up-to-date pattern files), as well as providing a managed service at a reasonable cost (it's been more effective for us to outsource this big chunk of remote access, rather than staffing for supporting it internally).
I would strongly recommend Positive Networks as a remote access solution.
No affiliation other than a satisfied user (and I'm primarily responsible for our company selecting their product).
---------
There is no try at jedinite.com