RE: [fw-wiz] VPN concentrators

From: Schouten, Diederik (Diederik) (dschout@lucent.com)
Date: 08/27/02


From: "Schouten, Diederik (Diederik)" <dschout@lucent.com>
To: "'Brian Ford'" <brford@cisco.com>, scouser@paradise.net.nz
Date: Tue Aug 27 13:16:02 2002


> >Client software would probably depend on Device as a number
> of beneficial
> >features can be used if you match the client to the device (personal
> >firewalls,
> >autmated upgrading of clients etc...)
> >users would be about 250 initially but up to 4000
> potentially in the future.
>
> So here is a problem. 250 users that use one client
> operating system means
> that you will need (to add?) a person to support (given some form of
> personal Firewall and some automated updating of client
> software), and
> monitor VPN clients usage full time. That's a nasty job if you add
> additional operating systems (there will always be one platform that
> doesn't get supported as well as others). That's multiple
> bodies as you
> grow to 4000 users.

But you would always have the same issue since they are remote users.

Unless you place a SOHO VPN gateway at their premises and remotely manage
it.
Not a real problem, but a bigger investment.

I suppose remote connections would probably be established using "company
provided" laptops in most cases.

And you are already administering these.

In case of personal stations, there are many tools that could take care of
the remote install of virusscanners etc, fully automated.
As long as you control what comes through the tunnel I don't see how that
would cause a much higher workload compared to office users.

> >Not sure what you mean by access control? Do you mean to internal
> >resources? If
> >VPN traffic could be split inot different network pools then
> internal
> >NIDS, and
> >ACLs could manage this (along with obvious host/resource
> access controls)
>
> Would different VPN users belong to different groups and
> would different
> groups have more or less privileges or access to resources
> than others.

Would that really make a big difference?
The big issue here was what the general thought was about "VPN
Concentrators" compared to "Firewalls" and how the should be implemented.
We added the "VPN Gateway" later on...

Depending on hopw the groups are setup, what is the deciding factor, of
course you can give them different privileges, and that is the same for a
Concentrator/Firewall/Gateway.

> >What are tehses mysterious "IPSEC issues" that we are all aware of ( or
> >perhaps not in my case) ??
>
> No mystery. NAT handling. Getting through client side
> Firewalls or filters.

These are indeed valid points... for deciding for which Concentrator/GAteway
to go.

But which VPN Client does not have NAT traversal options now?
And the ability to pass through filters/firewalls is not decided by your
Concentrator/Gateway, but by the filter/firewall that is in the tunnel's
path.

Greetings,

        Diederik