Firewall Wizards mailing list archives
Re: VPN and firewalls
From: tbird () imhotep cerner com
Date: Mon, 09 Feb 98 15:15:10 -0600
Hi Rik -- I have been the team leader responsible for the selection and implementation of a VPN package for my company, Cerner Corporation. Cerner is a mid-size company (about 2300 employees) which produces computer systems and software for the healthcare industry. Our internal network supports 2000+ Win95 and WinNT desktop systems, over 100 NT servers providing file and printer sharing and some applications, and 50 or so back-end machines (VMS, AIX and a few others). I began evaluating VPN products in April 1996, and we're finally (now) at the point of releasing the package for general use. My answers to your questions have evolved over time and should probably not be considered valid for more than a few months...

Cerner's requirements for a VPN solution included three vital pieces. Due to the company's dependence on Microsoft products, the VPN must be able to encapsulate all TCP/UDP/ICMP (?) protocols over a single persistent port -- to compensate for the MS propensity for random port assignments for their network functions. Cerner utilizes application proxy firewalls (Sidewinders, to be precise) and the VPN encapsulation was required to get a few custom applications through the firewall. Second, the VPN must be able to support server-to-server tunnels (f'rinstance, using FW-to-FW encryption) as well as client-to-server traffic (for all those remote employees). Finally, the product must support a variety of external authentication and auditing systems (to integrate with the other components of our remote access technology).

Our Sidewinder firewalls have included IPSec encryption of traffic since the time we implemented them -- however, it's been "crippled" traffic until the latest release. Up until v3.2 of the Sidewinder software, the IPSec encryption worked on a service-by-service basis -- you opt to encrypt one particular port's traffic to a destination -- which didn't match our requirements for encapsulation of all protocols. In addition, at the time we began our evaluation, the PC client for the tunneling was, uh, to put it politely, not ready for prime time. (I have recently received a new secure client for the Sidewinder-based VPN, but haven't had time to give it a test drive.)

We were more interested in evaluating stand-alone systems than those dependent on a particular firewall because they gave us more flexibility. We knew that eventually we would be using the VPN system to provide client support to our clients over the Internet, as well as potentially using the technology to provide (and control) access to our corporate network for consultants and other non-employees. It seemed unlikely that we would be able to convince all of our clients to install Sidewinders so that we could use the built-in VPN -- esp. since the stand-alone systems are much less expensive than full-blown firewalls.

We briefly considered products like PPTP, but discarded them because of their lack of support for external authentication, their (as of a year ago) use of weak encryption, and their difficulty in traversing the application proxy firewall. (Okay, I confess -- I looked at PPTP with my pretty major anti-Microsoft chip on my shoulder -- but MS didn't give me any reason to change my mind.)

We finally decided on VTCP/Secure, from InfoExpress (disclaimer: I work with a couple of organizations that are resellers for InfoExpress, but at this point in time I get no financial benefit from recommending them). It's very very easy to use; offers a variety of encryption strengths and security options, for tailoring to a wide range of security requirements; it requires minimal alterations to your corporate network; and the technical expertise provided by InfoExpress is first rate. The only functionality lacking in VTCP/Secure was the ability to operate in a server-to-server mode, but we were able to cover that need using our second choice, the Alta Vista Tunnel from Alta Vista/Digital.

Our second choice, the Alta Vista Tunnel, was also relatively easy to manage. But it works by creating a "pseudo-network adapter" on the client machine -- and those of you who have played around with multiple network adapters on Win95 know that that's not a trivial issue. I've found the AV tunnel to be a little cryptic when it breaks -- and somewhat unpredictable in terms of how it will react to different network hiccups -- which is why it wasn't our first choice for at least the client-to-server requirement. However, I should emphasize that Cerner has a very large and, uh, dynamic network environment, which stresses connectivity products in unusual ways. I have worked with many IS managers who find the Alta Vista product to be very useful.

Config issues: Yes, we plug it straight through the firewall. Cerner's security policy for the internal network is pretty open, so we've managed to create the same sort of unlimited access for tunnel users that they'd enjoy if physically connected. I have set up tunnel access for consultants which limits them to specific hosts -- easy enough to do, and one of the reasons I like working with VTCP/Secure.

Sorry for the length. I'm preparing my SANS short course on this topic and it's making me just a little long-winded.

Cheers -- Tina Bird

------- Forwarded Message
Date: Fri, 6 Feb 1998 09:45:31 -0700 (MST)
From: Rik Farrow <rik () spirit com>
Subject: VPN and firewalls

I am curious about why people are choosing VPN solutions which are independent of firewalls, for example, Aventail or TimeStep. Do people poke these streams through their firewalls? Is it a matter of performance? Why pay extra for VPN capability which is already included in many firewalls? What products are preferred and why? I am looking for answers from people who have tried both methods: using the VPN as standalone product or bundled with their firewall.

Regards, Rik
------- End of Forwarded Message