> From: discuss-bounces+blu=nedharvey....@blu.org [mailto:discuss-
> bounces+blu=nedharvey....@blu.org] On Behalf Of j...@trillian.mit.edu
> 
> So what might be some good ones to try out?  We  have  some

I think everything can do port forwarding.  The decision for me is usually 
driven by (a) vpn, (b) security, (c) throughput / other features / cost.

The reason VPN is usually the driving factor is:  There are a ton of boxes out 
there that do vpn, simply horribly.  For example, if you have an openvpn/racoon 
ipsec vpn/pptp vpn ... then whenever you add or remove users, the vpn server 
needs to reset itself, which causes the network to disconnect for anyone using 
the vpn at the time of your change.  This might be ok if you're only managing a 
home network with 5 users on it, but if you have a company with employee 
turnover and 15 employees...  then it costs more to have the interruptions 
caused by a cheap box rather than getting a good box that works better.

Also, the vpn client availability...  The sonicwall global vpn client is pure 
garbage.  So is shrewsoft ipsec.  And I'm sorry to say, openvpn.  I am certain 
there *must* be some good vpn client out there, but so far the only thing I've 
ever found that I'm satisfied with is the Cisco Anyconnect SSL client.  If your 
users go somewhere like Intel or whatever, which requires access to the internet 
to go through a proxy server, then the https traffic will tunnel the proxy just 
fine.  Whereas pptp/ipsec/openvpn traffic gets blocked.  (Also, pptp is commonly 
accepted to be insecure, which is a falsehood, but the MS implementation 
historically has been insecure, which is why people generalize and simply think 
pptp is always insecure.)

But the most important characteristics of the vpn clients are:  (a) available on 
every platform that you support.  Ideally as a built-in package for the OS, but 
at least available as an installable package.  (b) installable without needing 
the vpn to access the installer.  And (c) some other considerations.

When I said (b) security at the very beginning of this message, I was 
referencing things like deep packet inspection.  A simple linux iptables 
firewall is not very intelligent, and doesn't recognize malicious packets and 
stuff like that.  You may not care, and I certainly know some people who 
consider deep inspection a negative feature because sometimes it will block 
legitimate traffic, but whether you like it or not, it's a consideration.  
Depending on the environment, it may be a requirement.
_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
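The post's point about SSL VPN clients getting through a corporate proxy while pptp/ipsec/openvpn traffic does not comes down to HTTP CONNECT: a proxy that only permits CONNECT to port 443 will happily carry any TCP byte stream that looks like TLS, but it has no way to carry GRE (pptp data), ESP (ipsec) or UDP (openvpn's default). The following is an added example, not code from the original post or from any of the products mentioned. It runs a minimal CONNECT proxy and an echo server (a constructed stand-in for the VPN concentrator) on loopback ephemeral ports; the proxy's allow-list is a constructed policy modelling "only 443 is allowed".

```python
"""Minimal HTTP CONNECT proxy plus an echo endpoint standing in for an SSL VPN
concentrator.  Constructed demo: everything listens on 127.0.0.1 with
ephemeral ports, and the proxy's allow-list models a corporate
'CONNECT to 443 only' policy."""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes one way until EOF, then close the peer's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_proxy_client(client, allowed_ports):
    """Parse one CONNECT request; relay if the port is allowed, else refuse."""
    buf = b""
    while b"\r\n\r\n" not in buf:          # read the request headers
        chunk = client.recv(4096)
        if not chunk:
            client.close()
            return
        buf += chunk
    parts = buf.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT" or ":" not in parts[1]:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    host, port = parts[1].rsplit(":", 1)
    if int(port) not in allowed_ports:
        # The policy check: anything that is not an allowed port is refused,
        # and non-TCP protocols never even get a CONNECT line to be refused.
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        client.close()
        return
    upstream = socket.create_connection((host, int(port)))
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    # From here on the proxy is a blind byte relay; it cannot see inside TLS.
    # (Bytes sent before the 200 are not forwarded; our client waits for it.)
    threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
    threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()


def _serve(handler):
    """Listen on an ephemeral loopback port; return (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def start_echo_server():
    """Stand-in for the VPN concentrator: echoes whatever it receives."""
    def handler(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
    return _serve(handler)


def start_connect_proxy(allowed_ports):
    return _serve(lambda conn: _handle_proxy_client(conn, allowed_ports))


def tunnel_through_proxy(proxy, target, payload):
    """Request a tunnel to target; return (status, echoed bytes or None)."""
    host, port = target
    with socket.create_connection(proxy) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\n"
                  f"Host: {host}:{port}\r\n\r\n".encode())
        resp = b""
        while b"\r\n\r\n" not in resp:      # proxy's status line + headers
            chunk = s.recv(4096)
            if not chunk:
                break
            resp += chunk
        status = int(resp.split(b" ")[1])
        if status != 200:
            return status, None
        s.sendall(payload)                  # would be the TLS handshake in reality
        s.shutdown(socket.SHUT_WR)
        echoed = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            echoed += chunk
        return status, echoed


def demo():
    """Constructed scenario: only the echo port (playing 443) is allowed;
    a pptp-style control port (1723) is refused."""
    echo_host, echo_port = start_echo_server()
    proxy = start_connect_proxy(allowed_ports={echo_port})
    allowed = tunnel_through_proxy(proxy, (echo_host, echo_port), b"TLS-wrapped VPN bytes")
    refused = tunnel_through_proxy(proxy, (echo_host, 1723), b"pptp control channel")
    return {"allowed": allowed, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The relay after the `200` is deliberately blind: once the tunnel is up the proxy only sees ciphertext, which is exactly why a simple port-forwarding box with no deep packet inspection cannot tell an SSL VPN session from ordinary HTTPS, and why a shop that wants to police outbound tunnels has to inspect or terminate TLS rather than rely on port policy.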