Subcontracting VPN Solutions?
musikit asks: "My company has recently decided that they have too many sites to have people e-mail back and forth requests for forms and documentation. They would like to find a subcontractor that would set up a site-to-site VPN connection which would allow our system to do all the usual tasks (http, https, webdav, samba, imap, pop3, etc). I have been looking all over for a subcontractor and every search seems to point me to learn more about how VPN technologies work. Has the Slashdot crowd had any experience in subcontracting out a VPN solution? Would anyone care to recommend a starting point for us to find/compare/contrast different VPN contractors?"
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_depl_dial.asp
I do it!
:-)
A friend and I have been successfully selling small VPN boxes.
Here in Peru, most businesses are using ADSL, only to find that e-mailing files back and forth between different offices isn't any good. We then sell them a box (internally running a very stripped-down Linux with OpenVPN), install one in each office, and voila! A WAN!
-Kz-
The Windows Server system allows for this type of thing with little more than a click of a checkbox. Your local Windows admin probably already knows about this, and just needs the go-ahead to put it into practice.
An office that I was in charge of needed exactly this kind of thing and the Windows solution was the most straightforward of all the other choices. There are a lot of third party possibilities, but setting people up with an RDP connection to the main server (user-restricted, of course) was the best choice for all involved. The VPN solution which introduced a new computer onto the network each time was not the right solution, though.
I work for a Large US Bank, and our VPN is outsourced to AT&T, who subcontracts it to some (apparently) 5 man shop in Middle America somewhere. It sucks. It blows. I can't articulate how lame these people are. Problems? Sorry, we're a time zone away, so we're not here. Need something changed? Well, we'll TRY and get in remotely, but in case, can you have someone onsite reboot our box?
Buy a bunch of Netscreen firewalls. Get a permanent IP connection. Set up IPSEC tunnels; click, enter preshared key, click, click, done. Profit. It just works.
You really don't need to subcontract this out. Just get m0n0wall. It is a free embedded firewall package that runs beautifully, and supports all the VPN stuff you could ever want.
It is absolutely perfect for site-to-site VPNs. All you need is a static IP address for each endpoint. I run ours on a Soekris net4501 embedded computer. Total cost of computer + flash card + hardware encryption accelerator chip = $300. This is cheap for what you get.
...you could just buy a Linksys WRT54G, flash the firmware, and have a VPN solution for under 60 bucks USD (oh, plus a bonus WAP).
http://www.gls.com/
They can provide support for the connection and the router, and open tickets with the LEC if the link goes down.
I can't understand how these people get hired who can't even fucking tie their own shoes. If you're asking about site-to-site VPNs you obviously already have Internet access & the associated routers. Nail up a fucking IPsec/GRE tunnel you goddamn halfwit.
At my former company we subcontracted a managed VPN service through Qwest, between our California stores and headquarters in Seattle.
We found the Qwest solution to be advantageous because though the actual connection itself was slightly more expensive than a full T1 to the 'net (and significantly less expensive than a point-to-point to California), we had a full SLA on the service itself. We had a guarantee of no greater than 50ms latency between sites, a full bandwidth guarantee, etc.
The network itself was fully on Qwest's private OC-192 backbone, and we had the option of bringing in Internet access at whichever locations we would like, and for those connections Qwest would provide firewalling with their Nortel Shasta boxes.
Now that I have left that company I am even happier that I put in those connections, as no one has to learn anything new about the VPN, such as how to configure it, etc. We provided our own Ciscos.
I did try (for a few short weeks as a demo) AuBeta's service, which they claim to be a private ATM network. It was such a miserable failure, and their response time was abysmal. I would never recommend their service. Come to find out later, though they bash VPNs as being worthless compared to their ATM solution, they are actually using VPNs as part of the backbone of their network. This from the guy who designed the thing.
Hope this helps.
------------------ D. A. Davenport: http://www.firebin.net
Sprint has a network based VPN service.
www.tls.net
http://www.pillarsystems.com/ They are out of Vienna, VA. (shameless plug for my little brother's company, but I wouldn't recommend them if they were not GOOD)
This service seems to be the darling of the Fortune 50s... probably because it used to be IBM Global Services.
The problem is it's basically IPSec with some proprietary crap thrown in just to piss us off.
It works in Windows only (of course), and they refuse to even discuss supporting other users.
FOR GOD SAKES whatever you do make sure it will support more than just Windows users.
What are these companies thinking going with this proprietary crap? I mean, who is most likely to be the heavy users of the VPN? The IT support staff, who ALSO ARE the ones most likely to NOT use Windows.
It's not that hard to do, if you're willing to read a bunch of manpages.
:-)
Get a fixed IP DSL and a Soekris net4801 for each site. Add a laptop hard drive or compact flash with OpenBSD on it. Read the man pages for "vpn" and "pf". Implement as appropriate to your site.
Hardware cost is under $500 per site. Ongoing cost is your local DSL price. Add your labor, including the time spent learning about OpenBSD and the cost of maintaining a free OS over time.
If this cost doesn't come in under 75% of the low bid from any three VPN vendors, I'll buy a straw hat and try to eat it.
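As a worked illustration of the OpenBSD approach in the post above (added here, not the poster's own config), here is one end of a pre-shared-key site-to-site IPsec tunnel expressed in current ipsec.conf(5) syntax together with the pf.conf(5) rules that admit only IKE, NAT-T and ESP from the known peer. All addresses, the interface name and the key are constructed placeholders; site B uses the mirror image (from/to and local/peer swapped) with the same key and algorithms.

```conf
# /etc/ipsec.conf on site A (constructed placeholders: 203.0.113.1 is site A's
# fixed DSL address, 203.0.113.2 is site B's; LANs are 192.168.1.0/24 and
# 192.168.2.0/24). Main mode IKE with a pre-shared key; "group" in the quick
# mode line enables PFS. Both ends must use identical algorithms and key.
ike esp from 192.168.1.0/24 to 192.168.2.0/24 \
    local 203.0.113.1 peer 203.0.113.2 \
    main  auth hmac-sha2-256 enc aes-256 group modp2048 \
    quick auth hmac-sha2-256 enc aes-256 group modp2048 \
    psk "REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET"

# /etc/pf.conf fragment on site A. A default-deny ruleset elsewhere in the
# file is assumed; these rules only open what the tunnel itself needs.
ext_if     = "em0"
peer       = "203.0.113.2"
local_net  = "192.168.1.0/24"
remote_net = "192.168.2.0/24"

# IKE (500/udp), NAT traversal (4500/udp) and ESP, restricted to the peer
pass in  on $ext_if proto udp from $peer to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Decrypted traffic appears on enc0: allow only the two LAN prefixes,
# with state bound to that interface so it cannot leak via $ext_if
pass in on enc0 proto ipencap from $peer to ($ext_if) keep state (if-bound)
pass    on enc0 from $local_net  to $remote_net keep state (if-bound)
pass    on enc0 from $remote_net to $local_net  keep state (if-bound)
```

Load with `ipsecctl -f /etc/ipsec.conf` after starting `isakmpd -K`, set `net.inet.ip.forwarding=1`, and verify the SAs with `ipsecctl -sa` before trusting the link.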
Contact VistaWiz, a provider of managed security solutions including site-to-site VPN.
If you're a small business, and don't want to be hassled with messing around with the internals for your firewall/VPN device, consider the following:
1. Purchase a Cisco PIX firewall for both ends of your VPN.
2. Purchase a SmartNET 1-year subscription with one of the firewalls.
3. When you get them in place behind your T-1, DSL, or cable modems, put a call into Cisco and use your SmartNET support contract to have the Cisco technicians configure your VPN.
The Cisco SmartNET team works 24x7 in addition to eating, breathing, and living PIX configuration.
They can also answer any question you have about VPN and security.
As a small business network admin for approx. 50 people, including several remote offices, the Cisco PIX line of firewall/VPN devices has been a lifesaver. Better yet, as you add on small home offices, you can purchase the Linksys (a Cisco subsidiary) BEFSX41 series firewalls to connect home users to your VPN very easily.
Cisco also provides a software VPN client that works with the PIX line of firewall/VPN endpoint devices. We have the VPN software client deployed across our army of laptops. If a laptop user is on the road in a hotel or at home, they simply dial out or connect to the Internet with a DSL line. They then tell their software VPN client to connect. 5 seconds later, once they're connected, they have access to our entire corporate intranet.
The final selling points for the PIX firewall/VPN endpoint are the cost and ability to fine-tune:
The cost is relatively cheap. For under $1K, you can equip multiple offices with a VPN connection. At the same time, you're protecting your offices with an enterprise-level firewall. Configuration of the firewall can be very easy via a web interface, but you can also restrict particular IP ranges from using certain ports, protocols, or just plain restrict them from access to anywhere in your entire corporation. The possibilities are endless.
Hope this helps a bit.
When we had to do the very thing you did, I ended up hiring Bob Toxen, of Fly By Day Consulting, and the author of Real World Linux Security.
;)
He's one of the original authors of Berkeley Unix, and he's extremely knowledgeable in *nix security.
He did a great job for us and his price was very reasonable. Furthermore, he was available almost 24-7 to field my tech calls during the touchy installation - we pulled it off without a hitch.
If you hire him, tell him that Chris Bergeron referred you. He'll know who you're talking about.
It's hard to believe that anyone would consider contracting out such a trivial task.
Just use iptables and ssh, and route the data over an SSL link. Then if something goes wrong you don't have to deal with a vendor, and can just fix it immediately. Voila, reliability, savings, productivity.
One solution that I've used that works well is to set up a netscreen box at the main office, and then use a snapgear at the remote sites. Both the netscreen and the snapgear run Linux underneath, so technically they are both as capable, but the netscreen tends to be more versatile (and slightly more complex to set up) than the snapgear, making it the more logical choice for the main office.
I haven't tried this, but Linksys does make a VPN router, or you could build your own using a Soekris Net4511 and M0n0wall. M0n0wall is a FreeBSD-based VPN configured via the web with an interface that is very similar to a SnapGear. (The netscreen is also set up via the web, but significantly different than the other two.) If you used one, you'll feel right at home with the other (I have no idea if this is intentional or not, and the screens are not laid out the same; they just are categorized the same, with a similar layout).
Anyway, all the above solutions will let you set up a VPN, either with IPSEC (complete with your choice of SHA, DES, 3DES etc encryption), or the older, less secure Microsoft Point-to-Point tunneling protocol (which I can't think of the proper name of right off hand, heck maybe P2PTP was it), and once set up they run pretty much error- and maintenance-free (except maybe the linksys; I've used the others though, and they all work as advertised).
For one, the VPN would not run over the WLAN, it would run over the hard links.
For two, you could easily disable the WLAN interface if you do not have the know-how to set up a DMZ with it.