Michael,
If your users already have ISP accounts I'd suggest using PPTP. There are a couple of good implementations for Linux and the setup on the client side is pretty straightforward. We sent out a CD-ROM with installation instructions for our users and it generated very few help desk calls. It's possible to configure the connection to call the ISP and set up the tunnel in a single operation.
It works surprisingly well once you get all the updates and fixes installed properly, and it doesn't seem to have the same problems with NAT that IPSec has. The only consistent problem I've had with PPTP is disconnects on slow/poor connections. The new version does better, but some of the remote offices still complained about having to reconnect the tunnel a couple of times each day. This wasn't an inactivity problem either, because sometimes it would disconnect in the middle of an Exchange synchronization. :-[ Ouch!
The modem bank solution is easier for "untalented" users to handle, but you'll find lots of reasons to dislike it, especially if you decide to do anything fancy like RADIUS authentication or SecureID. For Win9x and NT users, NT RAS provides a reasonably transparent dial-in option that's pretty economical to set up, fairly simple to administer, and you can force it to use secure authentication (MS-CHAP).
Of course this is all contingent on your individual security needs and your users' ability to adapt to new ways of doing things. At my last place of employment we never could get the executives to adapt to the VPN model, so we maintained several modem pools with 800 numbers. Even at that it was difficult to get them to dial in to the nearest modem pool.
Bill Stackpole, CISSP
>
> ------------------------------
>
> Date: Mon, 3 Apr 2000 11:03:26 -0700
> From: "Michael DeSimone" <[EMAIL PROTECTED]>
> Subject: Remote access
>
> I need to set up remote access to my internal network for randomly
> scattered, mostly unskilled people (sales) and some developers. These folks
> will be traveling, coming in via various ISPs (mostly UUNET and GTE POPs). I
> will have 0 control over their systems, for now. Probably mostly
> Windows 9x/NT 4.0. What is the best way to get these folks in without
> compromising too much, if anything, and also not spending a fortune? My
> network is an office environment, NAT through a Linux box running Trex,
> through a T1, but I can change that if I need to. I think the easiest way is
> to toss in a damn modem bank and make them dial in, my own little ISP so to
> speak.
>
> Thanks,
> Michael DeSimone
>
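As an added example that is not part of either message above: this is what the server side of Bill's suggestion, a PoPToP (pptpd) server on Linux, looks like when it is configured to enforce the "secure authentication" he mentions for NT RAS. The point of the refuse-*/require-* lines is that MS-CHAP v1 and the LAN Manager hash it carries were shown to be weak in the 1998 and 1999 analyses of PPTP (Schneier, Mudge and Wagner); restricting clients to MS-CHAP v2 with 128-bit MPPE is the fix those papers led to. The addresses, user name and secret are placeholders, and MPPE requires a pppd and kernel built with MPPE support, which in 2000 meant patching.

```conf
# /etc/pptpd.conf  (PoPToP)
# pppd options file applied to every tunnel
option /etc/ppp/options.pptpd
# server end of the PPP link, and the pool handed to clients (placeholders)
localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245
# record sessions in wtmp so 'last' shows who was connected when
logwtmp

# /etc/ppp/options.pptpd  (pppd options)
# authenticator name: must match the second column of chap-secrets
name pptpd
# refuse the weak authenticators; a client that cannot do MS-CHAP v2 is dropped
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# encrypt the tunnel with stateless 128-bit MPPE; 40-bit is not accepted
require-mppe-128
# internal resolver for the clients (placeholder)
ms-dns 192.168.0.2
# answer ARP on the LAN for the remote addresses, do not become default route
proxyarp
nodefaultroute
lock
nobsdcomp
novj
novjccomp

# /etc/ppp/chap-secrets  (mode 0600, root only)
# client        server  secret          IP addresses
jsmith          pptpd   "placeholder"   *
```

With refuse-mschap in place a Windows 9x client needs the DUN 1.3/1.4 update to negotiate MS-CHAP v2 and 128-bit MPPE, which is the "updates and fixes" step Bill refers to; without it the tunnel fails to authenticate rather than silently falling back to the weaker method.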
