> Contivity is also more secure than VPNet, SecuRemote, and many other
> solutions we looked at. The reason is that when someone is running the
> Contivity client, all incoming Internet traffic can be blocked -- all
> incoming and outgoing traffic go through your firewall. They also allow
> split tunneling, which is where outgoing traffic (from the client) goes
> through their regular Internet connection, but incoming traffic still goes
> through the VPN.
1. What you're saying about traffic blocking for remote users can be achieved with almost any IPsec-compliant device by simply having the proper routing tables between the clients (your pre-config scenario), your firewall (and its rules), and whatever routers are used in the topology. It isn't really, and shouldn't be, the job of standalone VPN hardware to "block" traffic other than not allowing anything but its own authenticated users to traverse the VPN.

2. It is default behavior of a VPN-authenticated machine to send "outgoing traffic", i.e. requests to hosts which are not on VPN-determined networks, through the default gateway of the machine, while packets destined for machines on the remote side of the VPN should be routed by the shim (client), tunneled, and sent over said public network.

I'm not going to comment on the cost vs. effectiveness of the Contivity product, as that would make me a biased party writing a paper on the topic, but I will say that the cost increase you mention seems to go mostly towards the reduced overhead you've noticed, not towards increased security.
Matt
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
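The routing behaviour Matt describes in point 2 (VPN-determined networks go through the shim, everything else through the machine's default gateway) and the host-side filtering he says belongs in firewall rules rather than in the VPN box can be modelled in a few lines. The following Python is an added illustration written for this page, not code from the thread, from Nortel or from any VPN product; the gateway address, the VPN network list and the "physical"/"tunnel" interface names are constructed assumptions. It builds the client's routing table in both split-tunnel and full-tunnel form, does a longest-prefix lookup for a destination, and applies a stateful inbound rule on the physical interface so the difference between the two modes is visible: in full-tunnel mode nothing but the tunnel peer is accepted from the Internet, while split tunnelling necessarily lets replies to the client's own direct connections back in.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Constructed sample topology (assumptions for this example, not from the thread).
VPN_GATEWAY_PUBLIC = "198.51.100.10"                  # tunnel peer on the public Internet
VPN_NETWORKS = ["10.0.0.0/8", "192.168.50.0/24"]      # networks reachable only over the VPN


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "tunnel" (via the VPN shim) or "physical" (regular Internet link)


def build_table(vpn_networks: List[str], split_tunnel: bool) -> List[Route]:
    """Routing table the VPN client installs on the remote machine.

    Split tunnel: only VPN-determined networks are sent through the shim;
    the machine's ordinary default gateway handles everything else.
    Full tunnel: the default route itself points into the tunnel, so every
    packet is carried to the corporate side and filtered by its firewall.
    In both modes the tunnel endpoint must stay reachable on the physical
    interface, otherwise the encapsulated packets could never leave the host.
    """
    table = [Route(ipaddress.ip_network(n), "tunnel") for n in vpn_networks]
    table.append(Route(ipaddress.ip_network(VPN_GATEWAY_PUBLIC + "/32"), "physical"))
    default = ipaddress.ip_network("0.0.0.0/0")
    table.append(Route(default, "physical" if split_tunnel else "tunnel"))
    return table


def select_route(table: List[Route], dst: str) -> str:
    """Longest-prefix match, the same decision a host's forwarding lookup makes."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen).interface


def inbound_allowed(src: str, interface: str, split_tunnel: bool,
                    established: Set[str]) -> bool:
    """Packet-filter rule for traffic arriving on the remote machine.

    `established` is the set of peers the client itself opened connections
    to on the physical interface (a stateful filter's connection table).
    - Packets arriving through the tunnel are left to the corporate firewall.
    - The VPN gateway must always be able to reach the client (IKE/ESP).
    - Full tunnel: no other inbound Internet traffic is accepted, because no
      flow was ever started directly on the physical interface.
    - Split tunnel: replies to the client's own direct connections must be let
      back in, so the host is not sealed off from the Internet in this mode.
    """
    if interface != "physical":
        return True
    if src == VPN_GATEWAY_PUBLIC:
        return True
    return split_tunnel and src in established


if __name__ == "__main__":
    for split in (True, False):
        table = build_table(VPN_NETWORKS, split)
        mode = "split tunnel" if split else "full tunnel"
        for dst in ("10.1.2.3", "203.0.113.5", VPN_GATEWAY_PUBLIC):
            print(f"{mode:13} {dst:15} -> {select_route(table, dst)}")
        # A web server the client talked to directly tries to send a reply.
        print(f"{mode:13} inbound reply from 203.0.113.5 accepted:",
              inbound_allowed("203.0.113.5", "physical", split, {"203.0.113.5"}))
```

The lookup shows why the "blocking" is a property of the routing table plus the packet filter rather than of the VPN appliance: flipping the default route between "physical" and "tunnel" is the whole difference between the two modes, and the inbound rule is an ordinary stateful firewall rule on the client.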