VPN

Who uses VPN (hardware/software) at work?

Lemme know what's up… looking into upgrades.

We don't, but I know they were looking into going with Whitey's company to get one here.

Still trying to get the $$ out of the bigwigs here. We have 5 offices and they should be connected.

I currently use a software VPN within my WatchGuard 1000 firewall… considering Cisco or just upgrading the WatchGuard.

Kennametal just moved to Cisco… We previously had Nortel <- sucks. I can get you the name of the guy who set ours up. He used to work here but now works for Cisco.
We didn't have any issues changing over. We also use the Cisco CSA (Security Agent)… it is a little more of a pain… but I think most of that is the guy who is monitoring and changing the access list… he doesn't have a clue what he is doing.

We use Cisco gear here… it's the hotness.

Yeah, it claims ACLs are elementary level… hmm… we'll see what I come up with.

My understanding of it… although limited… is that there are 2 different ways to set up the CSA…
One… is to have it discover on its own… this is what is recommended by Cisco…

Two… is to maintain the list yourself. This is where our problem lies. Our security folks are maintaining the list… These guys have no clue what is going on. So much so that they turned the lists over to a group called "Vigilant Minds". They had no idea what they were doing, but they seem to have learned it.

You seem like a smart guy… you could probably figure it out.

Site-to-site VPNs in a hub/spoke setup?

If so, just get some PIXes and set up some LAN-to-LAN VPNs. If you have to have remote users as well, grab a Cisco 3005 VPN concentrator and PIX firewalls at the remote sites.

You can tie the VPN concentrator authentication in to AD via RADIUS. That way all your users will be using their normal AD account to log in. You can also set up a CA server as well if you want two-tiered authentication.

PIX 501 - supports up to 3 Mbps and a maximum of 3 tunnels
PIX 506 - supports up to 16 Mbps and a maximum of 25 tunnels

More details and I can give you a bit more detail if you like. The only other firewall/VPN device I would suggest is Juniper's NetScreen, with WatchGuard coming in 3rd if you need a cheaper alternative.

ACLs are easy if you know what applications are in use at the site; you can set up an ACL to allow any any and log it for a while to see what kind of ports you have coming through.

The only time you really run into problems is if you apply an egress ACL, so those are a bit tougher to set up, and man do users squeal when they get pinched.
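One way to do the "allow any any and log it for a while" step from the post above, as an added example that is not from the thread: a Python script that tallies what a temporary permit-and-log ACL recorded and drafts explicit permit lines with a final deny-and-log. The Cisco IOS-style log lines, the addresses and ACL number 101 are constructed for the example and are assumptions, not data from the thread.

```python
import re
from collections import Counter

# Constructed sample of IOS "log" entries from a temporary "permit ip any any log" ACL.
# The format is modelled on %SEC-6-IPACCESSLOGP; every line here is made up for the example.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.21(49152) -> 10.1.1.5(445), 12 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.22(49153) -> 10.1.1.5(445), 30 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.21(49160) -> 10.1.1.6(1433), 8 packets
%SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.10.21(53211) -> 10.1.1.2(53), 40 packets
%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.10.30(49200) -> 10.1.1.5(23), 1 packet
%SEC-6-IPACCESSLOGDP: list 101 permitted icmp 192.168.10.21 -> 10.1.1.5 (8/0), 3 packets
"""

# Only TCP/UDP entries carry a destination port; ICMP entries are skipped by this pattern.
LINE_RE = re.compile(
    r"list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def tally_flows(log_text):
    """Sum packets per (proto, dst_ip, dst_port) seen during the discovery window."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flows[(m["proto"], m["dst"], int(m["dport"]))] += int(m["count"])
    return flows


def suggest_acl(flows, acl_number, min_packets=2):
    """Draft explicit permits (busiest first) and close with an explicit deny that logs.
    Flows below min_packets are dropped so a one-off probe does not become a permanent rule."""
    lines = []
    for (proto, dst, port), count in sorted(flows.items(), key=lambda kv: -kv[1]):
        if count < min_packets:
            continue
        lines.append(f"access-list {acl_number} permit {proto} any host {dst} eq {port}")
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


if __name__ == "__main__":
    for rule in suggest_acl(tally_flows(SAMPLE_LOG), 101):
        print(rule)
```

Run the draft past the application owners before applying it, since anything that only talks outside the logging window will be missing from the tally.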

Dead Bodies In The River Wooo!!!

Pinch those suckers till they scream bloody murder! nazi admin > nazi pope > party poker, bitches :mrT:

Good info, as usual.

Hub and spoke setup… going to research the PIX 506… never used Juniper's NetScreen… currently use WatchGuard so it's a considered upgrade.

Sent PM.

Ironic that I re-read this again today. I forgot about this thread and was going to make a VPN thread of my own… instead I'll try to hijack this one:

I am not familiar with any type of VPN… I have never had the opportunity to work with one and must have been asleep or in an altered mindset during that week in school. So could someone recommend a direction of research for a cheap way to network 5 offices? All of the offices have cable internet, 3 running NT4 servers and 2 running 2000/2003 platforms. I know a few of you gurus will have some advice… :mullet: :slight_smile:

You can get a firewall with LAN-to-LAN VPNs built in… for instance, now I use WatchGuard 1000s and configured the sites to only allow each other's LAN firewalls… then allow a proxy for the interweb… on the proxy I heavily deny but totally allow for site-to-site VPN… so essentially you're setting up a software VPN through a firewall…

What I was asking is to retain my LAN-to-LAN VPN and also allow external VPN use… so you can't just allow full access from people's home computers/networks, so you have authentication on a VPN and then allow domain access.

You can simply use routers and VPN software to set it up… it's just not as "secure".

Do you share information from site to site? Or are you wanting to set it up so that user A in location A can log onto location B's domain with the same username/password?

All in the same domain?

The 5 locations are 5 separate entities. Originally it was 3 separate companies operating as subsidiaries to Widmer Engineering (my company), and within the last year they merged them all to the same name and whatnot. Ideally I'd like all the users to be able to log in from any location as well as share data throughout all the offices. In time I'd like it to act as 1 network, but getting each office communicating with each other is the only main concern.

Basically, if you need to control access of the remote users then you'll have to go with a hub/spoke setup, unless you want to try to manage 5 different sites, which can be a total nightmare.

The problem with 5 sites is most cheap/low-end solutions are limited to 3 sites, so you are going to have to jump up to a concentrator, which has a lot more advantages.

Your main site is the one you want to have most of the servers and data at. Put a Cisco VPN 3005 at the main site, which you can allow users to connect to, and put the L2L (LAN-to-LAN) setup for all the remote sites on it as well. You can put a PIX 501 at the remote sites if they are all cable modems; if you have more than 50 hosts internally you'll have to jump up to the PIX 506, as the PIX 501 comes with a 10 user and 50 user network. You can also move all your Exchange across the VPN as well, which helps consolidate your network and reduce your admin time and license costs, which will help pay for your increased network bandwidth.