nanog logo nanog mailing list archives

RE: VPN Solution (WAS: ORBS (Re: Scanning))
From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Mon, 28 May 2001 01:49:24 -0400


With the MS PPTP client, there is an option to not use the default gateway
on the remote network.  By default this is on, so all your traffic goes
through the VPN.  Turn it off and only traffic destined for the remote
network goes over the VPN.

I would bet that there are similar options for other clients.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.



-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Patrick W. Gilmore
Sent: Monday, May 28, 2001 1:25 AM
To: nanog () nanog org
Subject: VPN Solution (WAS: ORBS (Re: Scanning))



At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:

Roaming staff usually needs some form of VPN access, anyway, and even if
they don't, this is a great use for one.  Put a VPN client on the roamer's
computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients
available), then use the VPN to get back to the mail relay.  If the mail
relay is behind the VPN tunnel termination point at the server end, then
it should only accept mail for relay from valid VPN clients.  As such,
you solve the roaming staff problem without an open relay.  VPN boxes
like Ravlin and Nokia Crypto Cluster are cheap enough today that I would
consider it a valid cost of doing business if you don't have a better
solution.

I have an "operational" question.  (SURPRISE! :)

VPN solutions are getting inexpensive.  However, they are sometimes far
from optimal.

The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every*
packet from the end user machine to the VPN end-point, not just selected
packets (like with SSH tunneling).

This can cause extremely poor performance for some roaming users.  For
instance, someone in Sydney with a home office in New York trying to get to
a Sydney web server suddenly has to make two round trips to New York, just
to cross town.  Considering trans-pacific fiber congestion and other
problems, this can make the VPN nearly unusable.

Of course, you could tell the user to turn off the VPN, but you try to
explain to a typical end user when he should and should not have the VPN
turned on, or that he cannot send mail while browsing the web, or things
like that.


So, does anyone know of a VPN that does selective forwarding like SSH
tunneling?


Owen

TTFN,
patrick




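To make the routing difference Jason and Patrick are discussing concrete, here is an added example (not part of the thread) that simulates the host routing table with the "use default gateway on remote network" option on and off, using longest-prefix match; the corporate prefix, local LAN and host addresses are constructed and assumed, not taken from the thread.

```python
"""Full-tunnel vs split-tunnel routing, as a constructed illustration."""
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination prefix, next hop / interface name).
Route = Tuple[ipaddress.IPv4Network, str]

# Assumed addresses: the corporate network behind the New York VPN end-point
# is 10.0.0.0/8 (the mail relay lives inside it); the roaming user's Sydney
# LAN is 203.0.113.0/24 (a documentation prefix, chosen for the example).
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def full_tunnel_table() -> List[Route]:
    """Option ON: the VPN client installs a default route via the tunnel,
    so every packet not for the local LAN is hauled to New York."""
    return [(LOCAL_NET, "local-lan"), (DEFAULT, "vpn-to-new-york")]


def split_tunnel_table() -> List[Route]:
    """Option OFF: only the remote (corporate) prefix goes over the VPN;
    the user's own ISP default gateway keeps carrying everything else."""
    return [(LOCAL_NET, "local-lan"),
            (CORP_NET, "vpn-to-new-york"),
            (DEFAULT, "isp-default-gw")]


def path_for(dst: str) -> dict:
    """Where one destination is sent under each policy."""
    return {"full": lookup(full_tunnel_table(), dst),
            "split": lookup(split_tunnel_table(), dst)}


if __name__ == "__main__":
    # Constructed hosts: a Sydney web server and the corporate mail relay.
    for host in ("198.51.100.7", "10.1.2.3"):
        print(host, path_for(host))
```

With the option off, the relay is still reached only through the tunnel, so the "accept relay from VPN clients only" control on the server side keeps working; the trade-off is that the same laptop now talks to the public Internet directly at the same time, which the relay's administrators no longer see or filter.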