[lug] Input needed

Nate Duehr nate at natetech.com
Wed Oct 1 17:18:09 MDT 2003


On Wed, Oct 01, 2003 at 06:49:06PM -0400, Hugh Brown wrote:
> On Wed, 2003-10-01 at 18:17, jhswope wrote:
> > I have the opportunity to create a system for an engineering office of
> > 30-45 people.  I am seeking suggestions for hardware (VPN, Firewall).
> > And a Linux alternative to MS Exchange Web Access.  Any suggestions for
> > VPN and mail server software would be appreciated as well.
> 
> In a company that size I have seen a PIX firewall (has vpn and firewall
> capabilities).  For web mail, I have seen both squirrelmail and
> Horde/IMP used.  Mail server is your favorite MTA (sendmail, postfix,
> qmail, exim are popular).  Both web mail programs are just IMAP clients,
> so you would need to run an IMAP server as well.

Agreed on all of the above.  While it's always a contentious issue as
to whose products to use for these things, those are the typical "best
of breed" applications I've seen at a number of organizations.

PIX works well as long as it has enough CPU horsepower to keep up with 
the number of users simultaneously VPN'ed in.  If you outgrow the PIX
doing the VPN, you can always buy one of their hardware concentrators.
Cisco also makes VPN clients for Windows, Mac, and Linux for them, and
they generally work pretty well.

Consider also that any machine that is put on a VPN is part of the
internal network to the point that you should require that users run the
company standard Anti-virus tool(s) on any machine that connects.  Budget
for that.  You may also want to require employees to own a NAT
router/firewall and/or run a host-based firewall on home boxes that are
going to be used on the VPN.  We all know to do this here, but it's
surprisingly rare to find home PC users with them if they only have a
single PC and broadband... that PC is usually plugged right into the
broadband router/bridge and has a public IP address.  A little budgeted
time (i.e. "must take this security class that the admin is giving once
a week before you can use VPN access to the office") to train people on
the issues means they'll learn a little about it and be more watchful 
of doing things that are super-dangerous for your company and your data
-- a little education goes a long way.

Whatever "nasties" your users pick up at home can be passed directly to
the internal network on the VPN connection later... just something to
keep in mind when building a VPN.  It's probably worth setting some
policies for the user machines or only allowing laptops you
administer/know what's on them to be used for VPN access.

Firewall-1 has clients for Windows that allow client PC firewall
administration changes to be done remotely by the admin at the office.

And Netscreen makes decent hardware-based boxes if you want to provide a
hardware VPN solution at the remote side.

Squirrelmail is good with a few modules added on.

Hadn't heard of/used SuSE's OpenExchange.  That sounds neat.  May have
to check that one out.

Finally -- consider carefully where the VPN router is located in the
network and what resources users are allowed to connect to from it.  If
there's no need to have home users hit anything other than webmail and a
few fileshares, by all means... firewall off the rest of it.  Or ask
people to ssh/VNC/whatever through another machine internally to get
further access... don't just plug in the VPN router and have it make the
home PC a fully-connected member of a large internal LAN.  Many places
do this and wouldn't be able to "take the convenience away" today - but
it's probably not a good "best practices" setup anymore.

Balancing usability and security is even more "fun" when you mix in
people's home machines.  :-)

-- 
Nate Duehr <nate at natetech.com>
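
Editor's added example (not part of Nate's message or any product he
names): one way to do the "firewall off the rest of it" step from the
last paragraph with iptables on a Linux box sitting between the VPN
concentrator and the LAN. The VPN subnet, the webmail, file server and
jump-host addresses are constructed placeholders from the RFC 5737 and
RFC 1918 ranges, and the chain name VPN_IN is an arbitrary choice. By
default the script only prints the rules it would load; run it with
IPT=iptables to apply them on a freshly flushed FORWARD chain.

```shell
#!/bin/sh
# Added example: allow-list what VPN clients may reach on the internal LAN.
# Everything forwarded from the VPN subnet goes through a dedicated chain;
# only webmail (HTTPS), one SMB file server and ssh to one jump host are
# permitted, and the rest is logged and dropped.  All addresses below are
# constructed placeholders, not a real site.
set -eu

VPN_NET="10.8.0.0/24"        # assumption: pool the VPN hands out to home PCs
WEBMAIL="192.0.2.10"         # assumption: webmail (SquirrelMail/IMP) host
FILESERVER="192.0.2.20"      # assumption: Samba file server
JUMPHOST="192.0.2.30"        # assumption: internal ssh/VNC jump host
IPT="${IPT:-echo iptables}"  # dry run unless IPT=iptables is set by the caller

# Emit (or apply) the policy for packets forwarded from the VPN subnet.
vpn_rules() {
    # Dedicated chain so the VPN policy can be read and flushed on its own.
    $IPT -N VPN_IN 2>/dev/null || true
    $IPT -F VPN_IN

    # Every packet entering the LAN from the VPN subnet is judged by VPN_IN.
    $IPT -A FORWARD -s "$VPN_NET" -j VPN_IN

    # Packets of connections already accepted, including the return half of
    # sessions an admin opened towards a VPN client (e.g. remote VNC support).
    $IPT -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The allow-list: webmail over HTTPS, the file server over SMB, and ssh
    # to a single jump host for anyone who needs deeper access.
    $IPT -A VPN_IN -d "$WEBMAIL"    -p tcp --dport 443 -j ACCEPT
    $IPT -A VPN_IN -d "$FILESERVER" -p tcp --dport 445 -j ACCEPT
    $IPT -A VPN_IN -d "$JUMPHOST"   -p tcp --dport 22  -j ACCEPT

    # Rate-limited log, then drop: a worm-infected home PC cannot sweep the
    # LAN, and its attempts show up in syslog with a searchable prefix.
    $IPT -A VPN_IN -m limit --limit 6/min -j LOG --log-prefix "VPN_DROP: "
    $IPT -A VPN_IN -j DROP
}

# Prints the rules by default; `IPT=iptables sh vpn-policy.sh` loads them.
vpn_rules
```

The point of the separate chain is that the allow-list stays short enough
to audit: if a new service needs to be reachable from home, it is one
ACCEPT line above the DROP, and `iptables -L VPN_IN -v` shows exactly
what VPN users can and cannot hit.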
