mtroup
Marty
Premium Member
join:2007-06-28
Hermitage, AR

[Tech Ops] VPN Options for Secure Access to Network Components

Well.. since we seem to have some people who think VPN is the only way a network should be accessible.. maybe a few of you can list some options for us that aren't using it currently. I have explored it a time or two and think it's a better way for security but right now I just limit access via firewalls and such.

I'd love to implement a VPN solution but haven't found too many exclusive guides.. maybe in this thread you can list the best hardware appliances and average cost for them as well as some open source solutions.
cdiggity
join:2008-09-04

cdiggity

Member

Re: [Tech Ops] VPN Options for Secure Access to Network Componen

i use ppp or ptp vpn. windows and linux both have built in clients, mikrotik has built in client & server, it is easy to set up and no longer considered insecure or broken with latest implementations (may have had issues with nt4 or something)

openvpn is SSL based vpn and has some advantages ... can't remember what they are other than it is open source and free. but you need to install client software on your endpoints. mikrotik has incomplete (but working?) support for openvpn. don't know how they can manage to have incomplete support for an open source client, server, and protocol. something about udp...

ipsec is regarded as the most secure but can be a bitch to set up. i think it takes 36 steps to set up a windows PC for IPSEC client. There are software clients you can buy ('the greenbow' is one i know of)
Nitroxide
join:2009-06-05

Nitroxide to mtroup

Member

As I mentioned in the other thread I am hooked on the ASA series from Cisco. If you are not familiar with Cisco CLI you may have a little harder time configuring it at first but the Cisco has an ASDM which lets you do a lot of stuff via gui. However I've found that I still need to do a few things in CLI that I don't know how to do in the GUI but your experience may differ.

You can pick up an ASA5505 with UL users license for about $600 and then you can do SSL Clientless VPN or simply use the portal that can be accessed via https or install the cisco VPN client on your machine and use it semi-permanently.

What I have done is put an ASA5510 at the office and then grabbed an asa5505 for home and use it on my network so my computer at home becomes a link to my network via ipsec.

A tad expensive I suppose but very nice to have around.

Rhaas
Premium Member
join:2005-12-19
Bernie, MO

Rhaas to mtroup

I've been thinking about using a couple of rb750's as pptp access servers.

PPtP setup under mikrotik: gregsowell.com/?p=680
raytaylor
join:2009-07-28

raytaylor to mtroup

Member

I have a winxp box with the dude running on it behind a nat firewall. I just rdp / remote desktop into it and then can access the internals of the network through its second network card. Much easier when I am away and need to get access because I don't need to set up a vpn or its client - just use mstsc which is available on all windows pc's above xp or via remote web for 2k/98 pc's.
Nitroxide
join:2009-06-05

Nitroxide

Member

What happens if that box goes down?
mogooder
join:2002-11-26
Washougal, WA

mogooder

Member

"What happens if that box goes down?"

Throw laptop at truck, kick tower, fix foot, fix box then go shopping for new laptop. Shopping makes me feel good.

Frank

kewlkeed
Grouch
Premium Member
join:2005-02-05
Knowlton, QC

kewlkeed to mtroup

What happens if the box goes down???

What happens if the radios go down, or the servers? Same result... Life sucks... Truck roll.

For me it depends. If it's for a simple access to something, I use PPTP only because it has a native windows client. For the real tunnels I use L2TP with IPSec (Which yes can be a royal bitch to get the hang of, but not bad once you do). I've avoided OpenVPN only because it seems to be even MORE of a bitch to set up than IPSec.

MT is great for setting up tunnels, for business clients that want a transparent L2 tunnel between two locations on our grid, that's where two RB-450G boards, and EoIP/L2TP/IPSec comes into play. By the end of it it's nothing more than a glorified Ethernet cable.

Chele
join:2003-07-23

Chele to mtroup

Member

We have a MT box for the core router with VPN turned on and also a Cacti unit installed on a Linux machine with a public IP. I can access the Cacti with my iPhone and access the VPN if necessary.

GNca George
GorillaNET Wireless Broadband
Premium Member
join:2008-07-12
Minden, ON

GNca George to kewlkeed

We use PPtP for most stuff between MikroTiks.

If you want a really slick, totally no brain required OpenVPN implementation try Zeroshell on an Alix. Works great for remote client and site to site.

Only costs a couple of hundred bucks at each end, dead easy to set up, uses compression and it smokes. Very high capacity solution.

George
smeghead
join:2009-02-11

smeghead to mtroup

Member

Mikrotik for the win.

Just set up a private network under the mikrotik. If you are afraid of the mikrotik going down get a 2nd dsl line with a 2nd mikrotik (they are cheap) with access to a web reboot switch.. get a good battery backup and use ping watchdog if you have to.

Then you can VPN into this machine from anywhere and you'll have access to all your private data.

On top of that you can have multiple VPN's inside the network if you choose to secure even further. As long as you can route public IP's inside you are set.