[190361] in North American Network Operators' Group
RE: automated site to site vpn recommendations
daemon@ATHENA.MIT.EDU (c b)
Wed Jun 29 14:40:12 2016
X-Original-To: nanog@nanog.org
From: c b <bz_siege_01@hotmail.com>
To: Rich Testani <rich@tehorange.com>, Paul Nash <paul@nashnetworks.ca>
Date: Wed, 29 Jun 2016 11:40:06 -0700
In-Reply-To: <CABAgtmS_7TfoqLeZdFgtuSbG-wSkSzeQxs-H3uQZB70VhmYtmQ@mail.gmail.com>
Cc: Untitled 3 <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc...
Thanks again.
> From: rich@tehorange.com
> Date: Wed, 29 Jun 2016 09:03:06 -0400
> Subject: Re: automated site to site vpn recommendations
> To: paul@nashnetworks.ca
> CC: nanog@nanog.org
>=20
> For several of our clients, we use Sophos UTMs coupled with their RED
> units. Once registered with the UTM, the RED unit auto creates an SSL
> based VPN back to the UTM. The RED unit is managed from the UTM and pulls
> its config when it boots. It's similar to the function of Meraki without
> the direct cloud management portion, though the config profile does get
> pushed to a section of Sophos' cloud.
>=20
> -Rich
>=20
> On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <paul@nashnetworks.ca> wrote:
>=20
> > My biggest issue with Meraki is that their tech staff can run tcpdump on
> > the wired or wireless interface of your Meraki box without having to leave
> > their desk. I have no reason to believe that they are malicious, or in the
> > pay of the NSA, but I am too paranoid to allow their equipment anywhere
> > near me.
> >
> > Yes, they work well and the cloud control panel makes remote support a
> > breeze; you have to decide how you feel about the insecurity.
> >
> > paul
> >
> > > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
> > >
> > > I would second Meraki for the situation you describe. I don't feel that
> > > they are the most capable platform, they're expensive, and don't always
> > > present you with all the information you'd need for troubleshooting.
> > > However, the VPN offers great dynamic tunneling, instant-on performance,
> > > and they are by far the simplest platform to offer a field person. They're also
> > > tenacious - I've had them connect to the cloud management platform and
> > > build a VPN under some trying circumstances.
> > >
> > > From a security standpoint, they will offer features that will impress for
> > > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > > tunnel control), and we've found they punch above their weight and their
> > > APs perform fantastically.
> > >
> > > We deploy them worldwide many times per year in similar use cases,
> > > sometimes with 150 users on the LAN. If your routing is simple, you can
> > > define your security policies, and don't need crazy throughput on your VPN,
> > > Meraki is the way to go. Be careful though: they have to be continually
> > > licensed to work and can get pretty expensive if you go for the higher end
> > > gear. Thus far, we've been able to stick to the cheaper stuff and
> > > accomplish our goals.
> > >
> > > Dan
> > >
> > > (end)
> > > On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
> > >
> > >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > >>> In some cases...
> > >>
> > >> The words "in some cases" are a problem with any supposedly plug and
> > >> play solution.
> > >>
> > >>> We really could use a simple solution that you
> > >>> just flip on, it calls home, and works...
> > >>
> > >> ...but still requiring someone to enter credentials of some sort,
> > >> right? Otherwise you have a device wandering about that provides
> > >> look-mum-no-hands access to your corporate network.
> > >>
> > >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > >> for a wireless dongle or storage, and has a highly-scriptable operating
> > >> system. Not a bad platform.
> > >>
> > >> Regards, K.
> > >>
> > >> --
> > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >> Karl Auer (kauer@biplane.com.au)
> > >> http://www.biplane.com.au/kauer
> > >> http://twitter.com/kauer389
> > >>
> > >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4