Educause Security Discussion mailing list archives

Re: Campus VPN Services


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Thu, 21 Aug 2003 09:55:14 -0700

On Wed, 20 Aug 2003, Mike Iglesias wrote:

We're planning to complete our study, but at present a solution based
on a mainstream (let's call it brand 'C') VPN concentrator looks
appealing, for the following reasons, among others:

We are using brand 'C', and require everyone to use the brand 'C' clients.
We support clients for Windows, Mac OS X, and Linux.  That takes care
of almost all the users that need to use it.  We've had a few requests
for a client for Mac OS 9, but that's $120 per client so most people
say forget it.

We have people using it for bypassing the NetBIOS blocks at the campus
border router, and to access off-campus resources that limit access
to campus IP addresses.  Our concentrator can handle up to 5000
concurrent sessions, but so far it hasn't gone above about 130.

We've had it in place since early November.  We have two configurations
set up, one that routes only the traffic headed for campus to the VPN
and one that routes all traffic thru the VPN - the latter is used
primarily for accessing the off-campus resources mentioned above.
It's pretty easy to include the prebuilt configuration files with
the brand 'C' clients, so our users just have to install the software
packages that we built with the config files and they're ready to go.

We're looking at brand C also, largely following Mike's lead at UCI.  So
far things are working out fairly well (although we've had a few issues
installing the client on ancient Windows laptops).  One annoying thing is
that the brand C VPN concentrator doesn't use the same OS as brand C's
other products (like their routers for example).  The CLI on the
concentrator is a bit clunky, too, and the documentation is way below
brand C's usually high standards.

I know that brand C makes VPN modules for their routers, which can be
configured to provide services for the same clients as the concentrator.
Has anyone had experiences with this?  According to our brand C rep, the
performance specs on the router modules are actually higher than those of
the concentrator, but I don't think we'll have many more than a couple
hundred sessions at a time.  Since we have the concentrator working, we
might just stick with that, but it would be nice to be able to configure a
VPN using a more standard brand C OS.


michael
