Educause Security Discussion mailing list archives
Re: Cisco VPN concentrator Replacement Recommendation Needed
From: "Julian Y. Koh" <kohster () NORTHWESTERN EDU>
Date: Mon, 24 Mar 2008 10:36:28 -0500
At 10:58 -0400 3/24/2008, schilling wrote:
> Would you kindly share your thoughts on the VPN solutions?

We still have 2 Cisco 3000's deployed, servicing PPTP, L2TP/IPsec, and IPsec (Cisco VPN Client) connections. Eventually these will probably get transitioned to ASA boxes, but PPTP is a sticking point since the ASAs don't support PPTP. I know, it's a deprecated protocol, but there are other factors involved, including (but not limited to):

1.) The Mac OS X L2TP/IPSec client has a bug whereby if you connect to a VPN3000 through NAT, the connection drops after ~45 minutes. Cisco and Apple have been unwilling to fix this for the past 2+ years. It is still unclear as to whether this problem exists on the ASAs. Again, Cisco and Apple can't seem to supply us with an answer.

2.) Finding a common set of IPSec and IKE parameters that work with L2TP/IPSec on Windows XP, Mac OS X, and Windows Vista is problematic, since Vista apparently defaults to using different hash protocols than earlier versions of Windows and Mac OS X.

So we've still got a very sizable proportion of our population still using PPTP - all the Mac OS X users and all the Vista users who can't or won't use the Cisco VPN client.

Now, as far as SSL VPN is concerned, we did an eval of Juniper (nee Netscreen, nee Neoteris), Cisco, and Aventail back in the fall of 2006. Juniper won the evaluation, and we deployed it starting in January 2007. It's been great. We also have iPlanet LDAP, and doing the role mapping via LDAP attributes is awesome. It is possible to do similar things with Cisco, especially with the newer revisions of their WebVPN product, but it was a lot more complex, and the Juniper still leads in other areas. You can get yourself into interesting situations when a user ends up getting mapped to multiple roles, but there are workarounds.

We're pitching our SSL VPN not as a replacement for the traditional VPN service, but an enhancement for system administrators, users of sensitive data, vendors, consultants, and external collaborators.

Basically the main differentiating factor is that we can assign custom IP addresses to different roles, so this allows firewall rules and access control lists to be much more granular. We're also using split tunneling with SSL VPN, so only the traffic that needs to get tunnelled is sent over the tunnel. With our traditional VPN service, everyone gets given IPs from a single large pool, and all traffic is tunneled.

Official web pages are at <http://www.it.northwestern.edu/oncampus/vpn/sslvpn/>.

Let me know if you have any additional questions or concerns.

-- 
Julian Y. Koh <mailto:kohster () northwestern edu>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
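The design Julian describes above (LDAP attributes map a user to a role, each role gets its own address pool, and firewall rules key on the pool so ACLs become role-granular, with split tunnelling pushing only the reachable destinations) can be modelled in a few lines. The block below is an added illustration and is not Northwestern's, Juniper's, or Cisco's code; the role names, LDAP group DNs, pool ranges, rule syntax and priority-based tie-break for the multi-role case are all assumptions made for this example.

```python
"""Role-based VPN address assignment, as an added illustration.  Not the code
of Northwestern, Juniper, or Cisco: role names, LDAP group DNs, address
pools and the rule syntax are all assumptions made for this example."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Role:
    name: str
    pool: IPv4Net            # client addresses handed out for this role
    priority: int            # lower wins when a user matches several roles
    reach: tuple             # (destination network, port-or-"any") pairs


# Hypothetical mapping from LDAP group DN to role (constructed for the example).
ROLE_BY_GROUP = {
    "cn=sysadmins,ou=groups,dc=example,dc=edu":
        Role("sysadmin", IPv4Net("10.99.1.0/24"), 0,
             ((IPv4Net("10.0.0.0/8"), "any"),)),
    "cn=hr-sensitive,ou=groups,dc=example,dc=edu":
        Role("sensitive-data", IPv4Net("10.99.2.0/24"), 1,
             ((IPv4Net("10.20.5.0/24"), 443),
              (IPv4Net("10.20.6.0/24"), 1433))),
    "cn=vendor-acme,ou=groups,dc=example,dc=edu":
        Role("vendor", IPv4Net("10.99.3.0/24"), 2,
             ((IPv4Net("10.30.0.10/32"), 22),)),
}


def check_pools(roles):
    """Per-role ACLs only mean something if pools never overlap; fail early."""
    seen = []
    for role in roles:
        for other in seen:
            if role.pool.overlaps(other.pool):
                raise ValueError(f"pool overlap: {role.name} / {other.name}")
        seen.append(role)


check_pools(ROLE_BY_GROUP.values())


def matching_roles(ldap_entry):
    """All roles a user's memberOf attribute maps to, best priority first."""
    groups = ldap_entry.get("memberOf", [])
    hits = [ROLE_BY_GROUP[g] for g in groups if g in ROLE_BY_GROUP]
    return sorted(hits, key=lambda r: r.priority)


def assign_role(ldap_entry):
    """Resolve the multi-role case deterministically: one role per session,
    chosen by priority, so the client gets exactly one pool and one ACL set.
    A user matching no role is refused rather than dropped into a default."""
    roles = matching_roles(ldap_entry)
    if not roles:
        raise PermissionError("no VPN role for user")
    return roles[0]


def firewall_rules(role):
    """Rules keyed on the role's pool: the source address encodes the role."""
    rules = [f"permit {role.pool} -> {dst} port {port}"
             for dst, port in role.reach]
    rules.append(f"deny {role.pool} -> any")
    return rules


def split_tunnel_routes(role):
    """Only the destinations the role may reach are pushed into the tunnel."""
    return sorted({str(dst) for dst, _ in role.reach})


if __name__ == "__main__":
    # Constructed sample LDAP entry: a vendor who is also in an unrelated group.
    vendor = {"memberOf": ["cn=staff,ou=groups,dc=example,dc=edu",
                           "cn=vendor-acme,ou=groups,dc=example,dc=edu"]}
    role = assign_role(vendor)
    print(role.name, role.pool)
    print("\n".join(firewall_rules(role)))
    print(split_tunnel_routes(role))
```

The priority field is the "workaround" for a user landing in several roles: the session is pinned to one pool, so the firewall never sees a client whose address implies two different privilege levels. A real deployment would read `memberOf` from the directory and push the pool and routes through the VPN appliance's own role configuration.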
Current thread:
- Cisco VPN concentrator Replacement Recommendation Needed schilling (Mar 24)
- <Possible follow-ups>
- Re: Cisco VPN concentrator Replacement Recommendation Needed Consolvo, Corbett D (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed Julian Y. Koh (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed Jenkins, Matthew (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed Avdagic, Indir (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed Brock, Anthony - NET (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed Russ Leathe (Mar 24)
- Re: Cisco VPN concentrator Replacement Recommendation Needed schilling (Mar 24)