[190358] in North American Network Operators' Group


Re: automated site to site vpn recommendations

daemon@ATHENA.MIT.EDU (Paul Nash)
Wed Jun 29 08:55:46 2016

X-Original-To: nanog@nanog.org
From: Paul Nash <paul@nashnetworks.ca>
Date: Wed, 29 Jun 2016 08:55:40 -0400
To: Untitled 3 <nanog@nanog.org>
In-Reply-To: <CAJk2XQcLH=57as+beEjOi784WtnB9XquQ5hVdbWEZVX74s1Oig@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org



My biggest issue with Meraki is that their tech staff can run tcpdump on
the wired or wireless interface of your Meraki box without having to
leave their desk.  I have no reason to believe that they are malicious,
or in the pay of the NSA, but I am too paranoid to allow their equipment
anywhere near me.

Yes, they work well and the cloud control panel makes remote support a
breeze; you have to decide how you feel about the insecurity.

	paul

> On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
>
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and are by far the simplest platform to offer a field person.  They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
>
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
>
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go.  Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear.  Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
>
> Dan
>
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
>
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>>
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>>
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>>
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides
>> look-mum-no-hands access to your corporate network.
>>
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Karl Auer (kauer@biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>>
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4


