Re: Recommendations for VPN end point appliances?
> The thing that really worries me is: A VPN box that is doing things
> incorrectly will appear to work just like a VPN box that is doing things
> correctly. Unless you actually try and crack it, you'll never know that
> it, say, is using the same session key over and over again.
>
> I would have to say that I would not trust LinkSys to get a protocol
> suite as complex as IPsec right. It may be that all you're getting is a
> false sense of security.

This is very true, I had a friend that used a linksys VPN box. Good thing he does very strict security audits once a month. Sniffing the VPN packets resulted in him finding out that even with the linksys box saying that the VPN link was secure, it was not encrypted at ALL.

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
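Added example, not part of the thread: the kind of check the audit above describes, run over packets captured on the WAN side of a VPN endpoint you operate. It verifies that traffic is ESP-framed (IP protocol 50, or UDP 4500 for NAT-T) and that the payload is not low-entropy plaintext; the thresholds, function names and sample packets are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter, defaultdict

PROTO_UDP, PROTO_ESP, NAT_T_PORT = 17, 50, 4500

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy: ciphertext approaches 8.0, ASCII text sits far lower."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def esp_body(packet: bytes):
    """Return (spi, seq, payload) if an IPv4 packet carries ESP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    proto, body = packet[9], packet[(packet[0] & 0x0F) * 4:]
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        body = body[8:]
        # NAT-T (RFC 3948): four zero bytes on port 4500 mark IKE, not ESP.
        if NAT_T_PORT not in (sport, dport) or body[:4] == b"\x00" * 4:
            return None
    elif proto != PROTO_ESP:
        return None
    if len(body) < 8:
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]

def audit_capture(packets, min_entropy=7.5, min_sample=1024):
    """Verdict per ESP SPI, plus a count of packets that bypassed ESP.

    min_entropy and min_sample are assumed thresholds, not standard values.
    """
    per_spi, non_esp = defaultdict(bytearray), 0
    for pkt in packets:
        parsed = esp_body(pkt)
        if parsed is None:
            non_esp += 1
        else:
            per_spi[parsed[0]] += parsed[2]
    verdicts = {}
    for spi, data in per_spi.items():
        if len(data) < min_sample:
            verdicts[spi] = "too-little-data"
        elif entropy_bits_per_byte(data) < min_entropy:
            verdicts[spi] = "esp-framed-but-plaintext"
        else:
            verdicts[spi] = "high-entropy"
    return {"non_esp_packets": non_esp, "sa": verdicts}

# --- Constructed sample traffic (documentation addresses, zero checksums) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def sample_capture():
    # SHA-256 in counter mode stands in for real ciphertext.
    ks = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    text = b"GET /payroll.xls HTTP/1.0\r\nHost: fileserver\r\n\r\n" * 3
    good = [ipv4(PROTO_ESP, struct.pack("!II", 0x1001, i + 1) + ks[i * 128:(i + 1) * 128])
            for i in range(16)]
    weak = [ipv4(PROTO_ESP, struct.pack("!II", 0x2002, i + 1) + text) for i in range(10)]
    clear = [ipv4(6, text)]  # plain TCP between the two sites, no ESP at all
    return good + weak + clear

if __name__ == "__main__":
    print(audit_capture(sample_capture()))
```

A `high-entropy` verdict only rules out plaintext on the wire; it says nothing about key reuse or cipher strength, which this kind of passive check cannot see.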
Re: Recommendations for VPN end point appliances?
On Tue, 15 Jun 2004, at 9:38am, [EMAIL PROTECTED] wrote:
> These will be the last Linksys VPN boxes I buy ... based on my experience
> trying to configure them.

Yah, like I said, LinkSys is pretty horrible for VPN stuff.

The thing that really worries me is: A VPN box that is doing things incorrectly will appear to work just like a VPN box that is doing things correctly. Unless you actually try and crack it, you'll never know that it, say, is using the same session key over and over again.

I would have to say that I would not trust LinkSys to get a protocol suite as complex as IPsec right. It may be that all you're getting is a false sense of security.

> They may have solved some of their stability problems with the latest
> firmware ...

The stability problems do not appear to manifest nearly as often if you only have a couple of users. Put 15 or 20 active users on the network, though, and they start crashing on a depressingly regular basis.

Where I work, we recommend against LinkSys for VPN stuff, but some people ignore our warnings and buy them anyway, because they are cheap. Everybody who has done that has regretted it. This is definitely a case of getting what you pay for.

On 15 Jun 2004, at 11:14am, [EMAIL PROTECTED] wrote:
> Well, just to voice the other side, we've had a BEFSR81 at the house ...

Totally different product, with a totally different implementation. The BEFSR81 actually has more capable firewall settings than the BEFSX41! (The BEFSX41 is limited to a total of four firewall rules.)

Also, totally different usage. You're just using it as a simple NAT box. You're not using it as a VPN endpoint.

--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
Re: Recommendations for VPN end point appliances?
----- Original Message -----
From: "Bruce Dawson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 15, 2004 11:14 AM
Subject: Re: Recommendations for VPN end point appliances?

On Tue, 2004-06-15 at 09:38, Hewitt Tech wrote:
> These will be the last Linksys VPN boxes I buy based on my experience trying
> to configure them. It took me a couple of hours just to get the two boxes to
> talk to each other. They have remained connected for 24 hours or so but the
> setup was very painful. Worse, they don't speak the same VPN protocols that
> Windows expects and configuring a Windows system to talk to them is even
> more convoluted. None of the documentation you need to set these end points
> up comes with them so you need to find the setup info on Google or at the
> Linksys web site. They may have solved some of their stability problems with
> the latest firmware but it looks like these products have been out there for
> more than a year.
> The Windows <-> BEFSX41 connection setup runs to 19 pages!

Well, just to voice the other side, we've had a BEFSR81 at the house acting as the exterior firewall, and we've had absolutely no problems with it (other than having to upgrade the firmware).

We have had far more problems with the Comcast Motorola Cybersurfer modem (which has since been replaced by an RCA).

Carole is able to punch her tunnel through it to HP without any problems.

And IMHO, the setup was a breeze. Are you having problems with just the IPSec features of the box?

--Bruce

I have used a number of other Linksys products including the BEFSR81. Except for minor anomalies, they work reasonably well. It's the IPsec settings on the VPN end point models that are a pain to configure.

-Alex
Re: Recommendations for VPN end point appliances?
On Tue, 2004-06-15 at 09:38, Hewitt Tech wrote:
> These will be the last Linksys VPN boxes I buy based on my experience trying
> to configure them. It took me a couple of hours just to get the two boxes to
> talk to each other. They have remained connected for 24 hours or so but the
> setup was very painful. Worse, they don't speak the same VPN protocols that
> Windows expects and configuring a Windows system to talk to them is even
> more convoluted. None of the documentation you need to set these end points
> up comes with them so you need to find the setup info on Google or at the
> Linksys web site. They may have solved some of their stability problems with
> the latest firmware but it looks like these products have been out there for
> more than a year.
> The Windows <-> BEFSX41 connection setup runs to 19 pages!

Well, just to voice the other side, we've had a BEFSR81 at the house acting as the exterior firewall, and we've had absolutely no problems with it (other than having to upgrade the firmware).

We have had far more problems with the Comcast Motorola Cybersurfer modem (which has since been replaced by an RCA).

Carole is able to punch her tunnel through it to HP without any problems.

And IMHO, the setup was a breeze. Are you having problems with just the IPSec features of the box?

--Bruce
Re: Recommendations for VPN end point appliances?
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Greater NH Linux User Group" <[EMAIL PROTECTED]>
Sent: Sunday, June 13, 2004 1:14 PM
Subject: Re: Recommendations for VPN end point appliances?

> On Fri, 11 Jun 2004, at 10:51pm, [EMAIL PROTECTED] wrote:
> > ... does anyone have any recommendations for VPN end point appliances.
>
> Of all the appliances I've used, my favorite is NetScreen. Outstanding
> features and performance at a competitive price. Gotta love that SSH CLI.
>
> SonicWall is okay. They used to require a subscribe just to use
> certificates, but I believe that has changed.
>
> I've had someone recommend SnapGear to me; it is apparently a Linux-based
> appliance. Haven't had a chance to actually look into it, though.
>
> For maximum flexibility, there is always the possibility of an SBC running
> Linux out of flash.
>
> > I ordered a pair of BEFSX41 LinkSys routers ...
>
> My experience with LinkSys VPN boxes is that they are flakey and have an
> abysmal feature set. They tend to need to be rebooted on a regular basis.
> No support for public key crypto (come on', shared secrets went out in the
> 1980s). Their firewall/filtering settings are a joke.
>
> I frequently recommend LinkSys NAT boxes for SOHO use, but IMO, they just
> don't cut it for VPN use.
>

These will be the last Linksys VPN boxes I buy based on my experience trying to configure them. It took me a couple of hours just to get the two boxes to talk to each other. They have remained connected for 24 hours or so but the setup was very painful. Worse, they don't speak the same VPN protocols that Windows expects and configuring a Windows system to talk to them is even more convoluted. None of the documentation you need to set these end points up comes with them so you need to find the setup info on Google or at the Linksys web site. They may have solved some of their stability problems with the latest firmware but it looks like these products have been out there for more than a year.

The Windows <-> BEFSX41 connection setup runs to 19 pages!

-Alex

> --
> Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
On Mon, 14 Jun 2004, at 10:13am, [EMAIL PROTECTED] wrote:
> Public-key crypto in SNMP would probably be unwieldy, especially since
> SNMP is supposed to have a light footprint to make it easy to put into
> small embedded systems.

That's not the point I was making.

> A lot of customers just want to flip the power on in these things and have
> things work

Convenience is generally inversely proportional to security.

> Besides, in my experience, SNMPv3 is merely a "checkoff item" in the
> vast majority of deals.

I find *most* things fall into that category. When was the last time you saw anyone use more than 10% of the features in MS-Word? MS-Excel?

> I haven't seen much else that approaches SNMP's usefulness.

I also never said SNMP was not useful. Just that it does not concern itself much with security.

(One could make the argument that security is the job of the network layer (i.e., IPsec). Consider it made.) :-)

--
Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
Chris <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
>>
>> On Sun, 13 Jun 2004, at 9:40pm, [EMAIL PROTECTED] wrote:
>> >> ... shared secrets went out in the 1980s ...
>> >
>> > Maybe, but SNMP V3 still uses it..
>>
>> That's hardly an endorsement. SNMP's approach to security issues has
>> generally been to ignore them. (SNMP = Security? Not my problem!) The
>> fact that SNMPv3 has any security at all is a huge advance. Now you want it
>> to be modern, too?

Public-key crypto in SNMP would probably be unwieldy, especially since SNMP is supposed to have a light footprint to make it easy to put into small embedded systems. A lot of customers just want to flip the power on in these things and have things work

Besides, in my experience, SNMPv3 is merely a "checkoff item" in the vast majority of deals. I've seen many shops insist on SNMPv3 support and after they've bought the gear never even try to deploy it.

> Yep, I totally agree, also SNMP is anything but simple, and why no-one
> has come out with something a lot more user friendly, I don't know,
> However, it keeps me employed, so I shouldn't complain too much. :)

SNMP isn't very simple anymore. OTOH, SNMP is flexible, powerful, and extensible. I haven't seen much else that approaches SNMP's usefulness.

Regards,

--kevin
--
"Well, who says that I have to adhere to what the MIB says?"
  -- Bob, after I confronted him about his MIB implementation.
Re: Recommendations for VPN end point appliances?
On Mon, 14 Jun 2004, at 9:32am, [EMAIL PROTECTED] wrote:
> He dropped one line that really annoyed me. He stated that Windows Server
> 2003 performed a new authentication protocol that would break most Samba
> network share setups.

It's not new. There has long been a feature in NT that supports "signing" of Server Message Blocks. Samba doesn't support it. You could also set a system to require signing. With Win2K3, that is on by default. You can make it optional again with a registry tweak. You also need to do this if you have Win9X/ME boxes in your network. Ho-hum.

> I may be misremembering this because he was also describing the new
> Windows XP SP2 release which he described as "a total re-write".

Yah, they totally rewrote the "1" to a "2". ;-)

--
Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
----- Original Message -----
From: "Chris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 13, 2004 10:07 PM
Subject: Re: Recommendations for VPN end point appliances?

> [EMAIL PROTECTED] wrote:
> >
> > On Sun, 13 Jun 2004, at 9:40pm, [EMAIL PROTECTED] wrote:
> > >> ... shared secrets went out in the 1980s ...
> > >
> > > Maybe, but SNMP V3 still uses it..
> >
> > That's hardly an endorsement. SNMP's approach to security issues has
> > generally been to ignore them. (SNMP = Security? Not my problem!) The
> > fact that SNMPv3 has any security at all is a huge advance. Now you want it
> > to be modern, too?
> >
>
> Yep, I totally agree, also SNMP is anything but simple, and why no-one
> has come out with something a lot more user friendly, I don't know,
> However, it keeps me employed, so I shouldn't complain too much. :)
>

As usual, the technical discussion and recommendations have been really useful. This has to be GNHLUG's value to its members (aside from the camaraderie and kidding ;^)). Unfortunately for me, most of my clients are Windows centric but I'm always looking for opportunities to have them diversify into Open Source. Whenever they have security problems (which is very common), I point out to them that if they had a less homogenous environment they would have less exposure to these exploits. Also, you don't necessarily need a Windows server to host Windows applications. Some of my customers can't avoid it because their software vendors will only provide support if they use Windows products but still Open Source solutions can be quite cost effective under the right circumstances.

-Alex

P.S. I just attended a Microsoft Security seminar (an all day affair) where the presenter concentrated almost entirely on Windows 2003 server as the core solution to all security problems. He dropped one line that really annoyed me. He stated that Windows Server 2003 performed a new authentication protocol that would break most Samba network share setups. I may be misremembering this because he was also describing the new Windows XP SP2 release which he described as "a total re-write".
Re: Recommendations for VPN end point appliances?
[EMAIL PROTECTED] wrote:
>
> On Sun, 13 Jun 2004, at 9:40pm, [EMAIL PROTECTED] wrote:
> >> ... shared secrets went out in the 1980s ...
> >
> > Maybe, but SNMP V3 still uses it..
>
> That's hardly an endorsement. SNMP's approach to security issues has
> generally been to ignore them. (SNMP = Security? Not my problem!) The
> fact that SNMPv3 has any security at all is a huge advance. Now you want it
> to be modern, too?
>

Yep, I totally agree, also SNMP is anything but simple, and why no-one has come out with something a lot more user friendly, I don't know, However, it keeps me employed, so I shouldn't complain too much. :)
Re: Recommendations for VPN end point appliances?
On Sun, 13 Jun 2004, at 9:40pm, [EMAIL PROTECTED] wrote:
>> ... shared secrets went out in the 1980s ...
>
> Maybe, but SNMP V3 still uses it..

That's hardly an endorsement. SNMP's approach to security issues has generally been to ignore them. (SNMP = Security? Not my problem!) The fact that SNMPv3 has any security at all is a huge advance. Now you want it to be modern, too?

--
Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
[EMAIL PROTECTED] wrote:
>
> On Fri, 11 Jun 2004, at 10:51pm, [EMAIL PROTECTED] wrote:
> > ... does anyone have any recommendations for VPN end point appliances.
>
> My experience with LinkSys VPN boxes is that they are flakey and have an
> abysmal feature set. They tend to need to be rebooted on a regular basis.
> No support for public key crypto (come on', shared secrets went out in the
> 1980s).

Maybe, but SNMP V3 still uses it..

>
> I frequently recommend LinkSys NAT boxes for SOHO use, but IMO, they just
> don't cut it for VPN use.
>
Re: Recommendations for VPN end point appliances?
On 13 Jun 2004, at 1:32pm, [EMAIL PROTECTED] wrote:
>> I've had someone recommend SnapGear to me ...
>
> If you're speaking of the ClearPath SNAP box...

No, I'm speaking of SnapGear.

http://www.snapgear.com

Hmmm... they appear to have been bought by CyberGuard. Since I don't really know anything about either company, the net change in my practical knowledge is zero. :-)

Their products exist as something you can buy and touch, as one of our customers got them as part of a larger package from another vendor. They appeared to work. The advertised prices were very attractive. That's as much as I know.

--
Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
On Sun, 2004-06-13 at 13:14, [EMAIL PROTECTED] wrote:
> I've had someone recommend SnapGear to me; it is apparently a Linux-based
> appliance. Haven't had a chance to actually look into it, though.
>

If you're speaking of the ClearPath SNAP box... It *is* linux-based, but not really shipping yet. I have a demo unit sitting here next to me. Basically mini-itx system board, 256MB compact flash for boot, and 3 on-board Ethernets. The rest is all linux...

--
Brian <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
On Fri, 11 Jun 2004, at 10:51pm, [EMAIL PROTECTED] wrote:
> ... does anyone have any recommendations for VPN end point appliances.

Of all the appliances I've used, my favorite is NetScreen. Outstanding features and performance at a competitive price. Gotta love that SSH CLI.

SonicWall is okay. They used to require a subscribe just to use certificates, but I believe that has changed.

I've had someone recommend SnapGear to me; it is apparently a Linux-based appliance. Haven't had a chance to actually look into it, though.

For maximum flexibility, there is always the possibility of an SBC running Linux out of flash.

> I ordered a pair of BEFSX41 LinkSys routers ...

My experience with LinkSys VPN boxes is that they are flakey and have an abysmal feature set. They tend to need to be rebooted on a regular basis. No support for public key crypto (come on', shared secrets went out in the 1980s). Their firewall/filtering settings are a joke.

I frequently recommend LinkSys NAT boxes for SOHO use, but IMO, they just don't cut it for VPN use.

--
Ben Scott <[EMAIL PROTECTED]>
Re: Recommendations for VPN end point appliances?
Boston User Groups purchased a Sonic Wall router and they are very happy with it.

BTW: there is a dealer in Waltham, who is very good, Dennis Maher at CPU Sales. The BLU bought some memory and SCSI drives for a new server a few years ago, and Dennis' partner delivered it to the BLU BarBQ complete with a case of beer. My group at Compaq in Marlborough also used CPU sales for stuff they had to get outside.

On Sat, 12 Jun 2004 07:45:37 -0400 "Hewitt Tech" <[EMAIL PROTECTED]> wrote:
> SonicWall certainly has plenty to choose from. I've never heard
> anything bad about their products now that I think about it.
>
> -Alex
>
> ----- Original Message -----
> From: "Brian" <[EMAIL PROTECTED]>
> To: "Hewitt Tech" <[EMAIL PROTECTED]>; "Greater NH Linux User
> Group"<[EMAIL PROTECTED]>
> Sent: Saturday, June 12, 2004 6:52 AM
> Subject: Re: Recommendations for VPN end point appliances?
>
> > On Fri, 2004-06-11 at 22:51, Hewitt Tech wrote:
> > > I need them for a client that wants to
> > > have secure access to their office from a remote worker's home
> > > office. Any
> > > suggestions?
> >
> > SonicWall and Fortinet have both worked well for us.
> >

--
Jerry Feldman <[EMAIL PROTECTED]>
Boston Linux and Unix user group
http://www.blu.org
PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Re: Recommendations for VPN end point appliances?
I'm using linux boxes running FreeS/WAN myself. Had quite good luck with it...

--
"... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." -- Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D
Re: Recommendations for VPN end point appliances?
SonicWall certainly has plenty to choose from. I've never heard anything bad about their products now that I think about it.

-Alex

----- Original Message -----
From: "Brian" <[EMAIL PROTECTED]>
To: "Hewitt Tech" <[EMAIL PROTECTED]>; "Greater NH Linux User Group" <[EMAIL PROTECTED]>
Sent: Saturday, June 12, 2004 6:52 AM
Subject: Re: Recommendations for VPN end point appliances?

> On Fri, 2004-06-11 at 22:51, Hewitt Tech wrote:
> > I need them for a client that wants to
> > have secure access to their office from a remote worker's home office. Any
> > suggestions?
>
> SonicWall and Fortinet have both worked well for us.
>
Re: Recommendations for VPN end point appliances?
On Fri, 2004-06-11 at 22:51, Hewitt Tech wrote:
> I need them for a client that wants to
> have secure access to their office from a remote worker's home office. Any
> suggestions?

SonicWall and Fortinet have both worked well for us.