Re: automated site to site vpn recommendations

[Rich Testani <rich () tehorange com>]

For several of our clients, we use Sophos UTMs coupled with their RED
units.  Once registered with the UTM, the RED unit auto creates an SSL
based VPN back to the UTM.  The RED unit is managed from the UTM and pulls
it's config when it boots. It's similar to the function of Meraki without
the direct cloud management portion, though the config profile does get
pushed to a section of Sophos' cloud.

-Rich

On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <paul () nashnetworks ca> wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
>         paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin () gmail com> wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer () biplane com au> wrote:
> >
> > > On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > > > In some cases...
> > >
> > > The words "in some cases" are a problem with any supposedly plug and
> > > play solution.
> > >
> > > > We really could use a simple solution that you
> > > > just flip on, it calls home, and works...
> > >
> > > ...but still requiring someone to enter credentials of some sort,
> > > right? Otherwise you have a device wandering about that provides look
> > > -mum-no-hands access to your corporate network.
> > >
> > > MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> > > for a wireless dongle or storage, and has a highly-scriptable operating
> > > system. Not a bad platform.
> > >
> > > Regards, K.
> > >
> > > --
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > Karl Auer (kauer () biplane com au)
> > > http://www.biplane.com.au/kauer
> > > http://twitter.com/kauer389
> > >
> > > GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> > > Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4