RE: [fw-wiz] VPN concentrators
From: Crispin Harris (crispin@internode.on.net)
Date: 08/27/02
From: "Crispin Harris" <crispin@internode.on.net>
To: "Schouten, Diederik (Diederik)" <dschout@lucent.com>, "'Brian Ford'" <brford@cisco.com>, scouser@paradise.net.nz, firewall-wizards@honor.icsalabs.com
Date: Tue Aug 27 21:35:02 2002
Hmmm, I have been through a scenario involving VPN, Anti-Virus & Distributed
(desktop) Firewalls and we found that we had a very clear choice between support
hours and firewall security.
The Anti-Virus product was relatively easily supported, as was the VPN (although
less so).
The first issue arose when we attempted to codify firewall rule sets that were
safe, effective, and relatively uninvasive. This then had to be mixed in with
Internet-Browsing vs Corporate-VPN scenarios. We found in our pilot group that
if the firewall was tight enough to be useful, the number of support calls escalated
rapidly for several weeks (our pilot lasted 2 months), before _slowly_ tapering
off to approximately 3 times the previous level.
The desktop firewall got blamed for all sorts of evils, including (in a large
number of cases) not being able to open work documents from the local disk,
Blue-Screen-of-Death, email not arriving (Outlook 2000 & Exchange), and modems
failing to connect with ISPs.
When looking at the figures over the whole period, we estimated that calls would
drop to about 1.5 times the previous level after about 6-8 months, peaking again
with each new group of users, and with new employees starting in the company.
I still don't know the best response, and I think I am glad that it became a
business decision rather than a technical one.
Regards,
Crispin Harris
>> >Client software would probably depend on Device as a number of beneficial
>> >features can be used if you match the client to the device (personal
>> >firewalls, automated upgrading of clients etc...)
>> >users would be about 250 initially but up to 4000 potentially in the future.
>>
>> So here is a problem. 250 users that use one client operating system means
>> that you will need (to add?) a person to support (given some form of
>> personal Firewall and some automated updating of client software), and
>> monitor VPN clients usage full time. That's a nasty job if you add
>> additional operating systems (there will always be one platform that
>> doesn't get supported as well as others). That's multiple
>> bodies as you grow to 4000 users.
-- Sent using Internode WebMail http://www.internode.on.net/