Re: Campus VPN Services

[Mark Poepping <poepping () CMU EDU>]

Sorry if I missed it somewhere along the way, but is anybody willing to
share a link to their high-level requirements and cost-benefit analysis for
investing in an enterprise vpn (projected benefits weighed against round
numbers for costs in HW, SW, scaling issues, and support)?
thanks.
mark.

--
Mark Poepping
Computing Services
Carnegie Mellon

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Iglesias
> Sent: Wednesday, August 20, 2003 8:20 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Campus VPN Services
>
> > We're planning to complete our study, but at present a solution based
> > on a mainstram (let's call it brand 'C') VPN concentrator looks
> > appealing, for the following reasons, among others:
>
> We are using brand 'C', and require everyone to use the brand 'C' clients.
> We support clients for Windows, Mac OS X, and Linux.  That takes care
> of almost all the users that need to use it.  We've had a few requests
> for a client for Mac OS 9, but that's $120 per client so most people
> say forget it.
>
> We have people using it for bypassing the NetBIOS blocks at the campus
> border router, and to access off-campus resources that limit access
> to campus IP addresses.  Our concentrator can handle up to 5000
> concurrent sessions, but so far it hasn't gone above about 130.
>
> We've had it in place since early November.  We have two configurations
> setup, one that routes only the traffic headed for campus to the VPN
> and one that routes all traffic thru the VPN - the latter is used
> primarily for accessing the off-campus resources mentioned above.
> It's pretty easy to include the prebuilt configuration files with
> the brand 'C' clients, so our users just have to install the software
> packages that we built with the config files and they're ready to go.
>
> > - Our expectation is that by remaining with a mainstream VPN, its
> > clientware will tend to remain more predictably current with OS
> > releases, offer comparable pre-deployment configuration options, and
> > high general supportability, compatibility.
>
> We've had a few client issues, mostly with Mac OS X.  Things were kind
> of rough around the edges when we first started using it, but it has
> gotten better with each release.
>
> One issue we've had is ISPs blocking the IKE/IPSec ports, and then
> the client fails trying to connect to the concentrator.  We've been
> able to get around this in almost all cases by using IPSec over TCP.
> There have been a few times where even that didn't work, but then
> things start working again a week or so later.  We've only seen this with
> Cox, around the time they decided to block all smtp traffic except to
> their servers.
>
>
> Mike Iglesias                          Email:
> iglesias () draco acs uci edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.