Home page logo
/

nanog logo nanog mailing list archives

Re: VPN Solution (WAS: ORBS (Re: Scanning))
From: "Alexei Roudnev" <alex () relcom EU net>
Date: Mon, 28 May 2001 00:36:23 -0700


VPS is toop complex and it's necessary only if you use your corporate services.

On the other hand, it's not big p[roblem to allow relaying for the roamers keeping
it close for the spammers (and mainly for ORBS).

(1) Allow relaying for the message with yopur roaming From: . It's not best
solution but it cut 99% of the spammers (including ORBS which behave like
spammer).

(2) Connect your POP/IMAP with your relay so to allow SMCP relaying from IP
addrerss which was registered in POP/IMAP for last 3 hours.

And so on.

An idea to use VPN for the common roaming is the crazy one; and what for you
propose to use cryptography? To prevent mail sniffering? Who treat you with it?
And if you need secure mail, use PGP or something like it.

VPM is a good thing - for access to the corporate network, through 50% of it's
configurations don't provide enougph security (using multy-time passwords for PPTP
just mean _you have not security_ no matter if you use PAP, CHAP or something more
complex - you can think _why_ but it's reality).


----- Original Message -----
From: "Patrick W. Gilmore" <patrick () ianai net>
To: <nanog () nanog org>
Sent: Sunday, May 27, 2001 10:24 PM
Subject: VPN Solution (WAS: ORBS (Re: Scanning))



At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:

 >Roaming staff usually needs some form of VPN access, anyway, and even if
 >they don't, this is a great use for one.  Put a VPN client on the roamer's
 >computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients
 >available), then use the VPN to get back to the mail relay.  If the mail
 >relay is behind the VPN tunnel termination point at the server end, then
 >it should only accept mail for relay from valid VPN clients.  As such,
 >you solve the roaming staff problem without an open relay.  VPN boxes
 >like Ravlin and Nokia Crypto Cluster are cheap enough today that I would
 >consider it a valid cost of doing business if you don't have a better
 >solution.

I have an "operational" question.  (SURPRISE! :)

VPN solutions are getting inexpensive.  However, they are sometimes far
from optimal.

The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every*
packet from the end user machine to the VPN end-point, not just selected
packets (like with SSH tunneling).

This can cause extremely poor performance for some roaming users.  For
instance, someone in Sydney with a home office in New York trying to get to
a Sydney web server suddenly has to make two round trips to New York, just
to cross town.  Considering trans-pacific fiber congestion and other
problems, this can make the VPN nearly unusable.

Of course, you could tell the user to turn off the VPN, but you try to
explain to a typical end user when he should and should not have the VPN
turned on, or that he cannot send mail while browsing the web, or things
like that.


So, does anyone know of a VPN that does selective forwarding like SSH
tunneling?


 >Owen

TTFN,
patrick






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault