[lug] Input needed

Dan Ferris Dan at Ferrises.Com
Wed Oct 1 18:16:41 MDT 2003


What about the Watchguard line of products?

I've also used Sonicwall, but always had the feeling I was using cheap 
junk even though the box worked fine.

Nate is right, you can never go wrong with Cisco (Nate, we seem to follow 
each other on mailing lists).

*Generic plug for OpenExchange here*

For our VPN we require users to install Zone Alarm Pro and Anti-Virus.
 
Nate Duehr wrote:

>On Wed, Oct 01, 2003 at 06:49:06PM -0400, Hugh Brown wrote:
>  
>
>>On Wed, 2003-10-01 at 18:17, jhswope wrote:
>>    
>>
>>>I have the opportunity to create a system for an engineering office of
>>>30-45 people.  I am seeking suggestions for hardware (VPN, Firewall).
>>>And a Linux alternative to MS Exchange Web Access.  Any suggestions for
>>>VPN and mail server software would be appreciated as well.
>>>      
>>>
>>In a company that size I have seen a PIX firewall (has vpn and firewall
>>capabilities).  For web mail, I have seen both squirrelmail and
>>Horde/IMP used.  Mail server is your favorite MTA (sendmail, postfix,
>>qmail, exim are popular).  Both web mail programs are just IMAP clients,
>>so you would need to run an IMAP server as well.
>>    
>>
>
>Agreed on all of the above.   While it's always a contentious issue as
>to whose products to use for these things, those are the typical "best
>of breed" applications I've seen at a number of organizations.
>
>PIX works well as long as it has enough CPU horsepower to keep up with 
>the number of users simultaneously VPN'ed in.  If you outgrow the PIX
>doing the VPN, you can always buy one of their hardware concentrators.
>Cisco also makes VPN clients for Windows, Mac, and Linux for them, and
>they generally work pretty well.
>
>Consider also that any machine that is put on a VPN is part of the
>internal network to the point that you should require that users run the
>company standard Anti-virus tool(s) on any machine that connects.  Budget
>for that.  You may also want to require employees to own a NAT
>router/firewall and/or run a host-based firewall on home boxes that are
>going to be used on the VPN.  We all know to do this here, but it's
>surprisingly rare to find home PC users with them if they only have a
>single PC and broadband... that PC is usually plugged right into the
>broadband router/bridge and has a public IP address.  A little budgeted
>time (i.e. "must take this security class that the admin is giving once
>a week before you can use VPN access to the office") to train people on
>the issues means they'll learn a little about it and be more watchful 
>of doing things that are super-dangerous for your company and your data
>-- a little education goes a long way. 
>
>Whatever "nasties" your users pick up at home can be passed directly to
>the internal network on the VPN connection later... just something to
>keep in mind when building a VPN.  It's probably worth setting some
>policies for the user machines or only allowing laptops you
>administer/know what's on them to be used for VPN access.
>
>Firewall-1 has clients for Windows that allow client PC firewall
>administration changes to be done remotely by the admin at the office.
>
>And Netscreen makes decent hardware-based boxes if you want to provide a
>hardware VPN solution at the remote side.
>
>Squirrelmail is good with a few modules added on.
>
>Hadn't heard of/used SuSE's OpenExchange.  That sounds neat.  May have
>to check that one out.
>
>Finally -- consider carefully where the VPN router is located in the
>network and what resources users are allowed to connect to from it.  If
>there's no need to have home users hit anything other than webmail and a
>few fileshares, by all means... firewall off the rest of it.  Or ask
>people to ssh/VNC/whatever through another machine internally to get
>further access... don't just plug in the VPN router and have it make the
>home PC a fully-connected member of a large internal LAN.  Many places
>do this and wouldn't be able to "take the convenience away" today - but
>it's probably not a good "best practices" setup anymore.
>
>Balancing usability and security is even more "fun" when you mix in
>people's home machines.  :-)
>
>  
>
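As an added example (not code from this thread or from any of the products named in it): a small iptables script that implements the kind of VPN policy Nate describes at the end of his message, where VPN clients are forwarded only to webmail, a file server and one internal ssh jump host, and everything else is dropped. The interface name, the VPN client pool, the internal host addresses and the ports are assumptions for illustration; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: restrictive forwarding policy for a VPN segment.
# All interface names, addresses and ports below are assumed values.
IPT="${IPT:-iptables}"          # IPT=echo prints the rules instead of applying them

VPN_IF="tun0"                   # interface the VPN clients arrive on (assumed)
VPN_NET="10.8.0.0/24"           # address pool handed to VPN clients (assumed)
WEBMAIL="192.168.1.10"          # webmail host (assumed)
FILESRV="192.168.1.20"          # SMB/CIFS file server (assumed)
JUMP="192.168.1.5"              # internal ssh jump host (assumed)

build_vpn_policy() {
    # Dedicated chain so the policy can be flushed and rebuilt as a unit.
    $IPT -N VPN_IN 2>/dev/null
    $IPT -F VPN_IN

    # Hand every packet arriving from the VPN client pool to that chain.
    $IPT -D FORWARD -i "$VPN_IF" -s "$VPN_NET" -j VPN_IN 2>/dev/null
    $IPT -I FORWARD 1 -i "$VPN_IF" -s "$VPN_NET" -j VPN_IN

    # Replies on connections the VPN client itself opened.
    $IPT -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Webmail, HTTPS only.
    $IPT -A VPN_IN -d "$WEBMAIL" -p tcp --dport 443 -j ACCEPT
    # SMB/CIFS to the file server.
    $IPT -A VPN_IN -d "$FILESRV" -p tcp --dport 445 -j ACCEPT
    $IPT -A VPN_IN -d "$FILESRV" -p tcp --dport 139 -j ACCEPT
    # ssh to the jump host; anything further goes through it, not the VPN.
    $IPT -A VPN_IN -d "$JUMP" -p tcp --dport 22 -j ACCEPT

    # Everything else from the VPN is logged (rate limited) and dropped,
    # so a home PC on the VPN is never a full member of the internal LAN.
    $IPT -A VPN_IN -m limit --limit 5/min -j LOG --log-prefix "VPN-DROP: "
    $IPT -A VPN_IN -j DROP
}

# Dry run when invoked directly with IPT=echo; otherwise call build_vpn_policy
# from the firewall start-up script after the base rules are loaded.
if [ "$IPT" = "echo" ]; then
    build_vpn_policy
fi
```

The chain ends in an unconditional DROP, so adding a new permitted service means adding one ACCEPT line above it rather than loosening the default; the ESTABLISHED,RELATED rule is what lets the allowed connections' return traffic through without opening anything from the internal side toward the clients.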
