On Thu, Oct 09, 2003 at 09:13:04AM -0400, Philippe Hanset wrote:

> a few differences:
>
> -bandwidth rate limiting (per user, per port), can your VPN do that?

A Linux or *BSD based VPN system could do that, if configured properly. OpenBSD is probably the best bet.

> -enable MAC address authentication for devices
> that do not have a VPN client (WIFI phones,...) more are coming these
> days.

We do that currently with our FreeBSD-based firewall solution.

> -How do you distribute the VPN client before
> they can join the VPN concentrator?
> Gateways (like BlueSocket etc..) have web pages for that.

Our current system is in two parts. There's the FreeBSD-based firewall with our own software, and then there's the VPN device. We could also provide VPN services on the firewall. Anyway, we make the VPN clients available from a web page. There's a hole poked in the firewall that allows VPN pass-through and we *could* also poke such a hole to allow access to the VPN client webpage. We have not had any requests for that yet, however.

> -Simple Management of Access-Points (optional)

We have about 15 brands of AP on campus (probably more), so finding any common tool for managing them is a major problem. Our situation is that individual departments purchase and manage their own APs. This is good, for two reasons. First, the departments have enough autonomy that we cannot really dictate brands to them anyway. Second, there is not enough central funding to purchase APs for all of campus.

> - Patch-Level verification for Swiss-Cheese OSes before devices can join
> the network

Currently handled on the department level, but we're looking at running an nmap scan or other quick check before allowing logon. Another option is to watch for suspicious flows. We believe that we can do this at the firewall, and throttle the culprit. Needs more research.

> -Do you force all your subnets to go to the VPN?
> Most gateways have a Master-Slave architecture that
> facilitates deployments. A slave on every subnet
> a redundant master for the whole campus. It helps
> bandwidth tremendously.

Even with 40K+ devices on campus, our central VPN server has not even broken a sweat. Bandwidth has not been an issue either, but we have good upstream infrastructure.

> -What do you do for small remote places on T-1s and DSL?
> (some vendors have small-form factors Slaves)

Those will, once again, use the VPN solution. Right now the VPN connections are per-client, but we have considered putting in gateway devices (a PC connected to the VPN and operating as a router for small subnets). We've looked at the Soekris boxes with the VPN cards as a possible platform (www.soekris.com).

A lot depends on how much roll-your-own you want to do. So far, we've found (despite a hefty installed base) that the workload is not quite enough to justify the cost of a commercial solution. Our baling-wire and sticky-tape tools have held up very nicely.

-- 
Christopher R. Hertel -)----- University of Minnesota
[EMAIL PROTECTED] Networking and Telecommunications Services
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.