First of all I would not use a PM-3 as a VPN gateway to terminate tunnels.
It does not have the throughput nor the number of tunnels to be effective.
And today it doesn't support IKE/ISAKMP which means it won't work with most
clients. It is more usable for nailed up tunnels site to site. Or for
NAS-side VPN. There the dial client doesn't run any VPN, but the NAS does
encryption. This is a tradeoff - it makes the NAS part of the SA (Security
Association) and, if it is a shared resource, that is an opportunity for risk.
For those who don't know, my job is currently that of VPN Engineer with GTEI.
I would never build a VPN this way as I am not comfortable with the security.
I can understand why it would be done, it makes management easier than having
to install VPN clients on all the dialin boxes. But from my perspective I
cannot justify the tradeoff in security.
The real trouble today is that there are a number of VPN gateways and clients
and few of them talk to other brands. Ignoring proprietary solutions and
sticking just with IPSec (which I encourage everyone to do, as the IPSec
market is rapidly improving) you have a number of vendors. TimeStep is a
market leader, first to be certified. But they have issues - some routing
issues site-to-site and currently no working NT IPSec client - Win95/98
only. Lucent has a VPN gateway, Intel/Shiva, Nortel, etc.
Some of the trouble is that companies are certifying their GW, but not the
client. In many cases a vendor's client talks only to their GW and no others.
Interoperability is an area rapidly improving but it has a long way to go.
When you get into VPN you get into a messy world. You have to manage the SAs
for all tunnels. If you want high security you'd use digital certificates -
which means setting up a certificate authority and/or working with CA vendors
like Entrust, CyberTrust, etc. It means finding a client that actually works
and getting it installed on all of your dial in machines that need VPN. It
is a new arena and everyone is rushing products out, most half-baked. AFAIK
no vendor is fully RFC compliant today. To help, the ICSA does some
certification on VPN devices, primarily from the POV of the ANX, but it
does help to look for ICSA certification on the product as that ensures a
basic level of functionality and interoperability. (The PM-3 would not
pass right now - IKE is required.)
>Also, my understanding is L2TP doesn't encrypt. Do I need the co-processor
>card to do that or can I use IPSec? If IPsec is required, what end user
>devices support both IPSec and L2TP?
I think you need to research some more.
L2TP is just for tunneling. Think of it as PPP over IP. No inherent security.
IPSec is a raft of pieces. Think of the four major pieces as IP tunneling,
crypt authentication (AH), data encryption (ESP), and key management
(IKE/ISAKMP). You do not need L2TP with IPSec - IPSec handles all the
tunneling itself. The only reason you would need L2TP is if you wanted to
tunnel non-IP protocols over the Internet. In that case you can establish
an L2TP tunnel and then wrap that in an IPSec tunnel for security. (Tunnels
can nest to arbitrary depth.) This is, in fact, what the L2TP drafts
recommend.
On the PM L2TP does not require any additional HW, nor do basic IP-in-IP
tunnels. However, if you wish to use the crypto security features of
IPSec (AH and ESP) then you need the co-processor card.
>I have a lot of business WAN customers and I'm wondering what I need to
>provide secure dialup access to their corporate networks.
By no means do I wish to frighten you off of this, but I do want you to
realize it is not an easy thing to do well. GTEI has been investing huge
amounts of engineering time and money in this since last year. It rolled
out in January, and we are still having trouble, mainly due to vendors
missing promised dates. Not one of the products we tested, basically all
of them, was without some form of trouble. TimeStep was chosen as the
launch platform because it was the farthest along overall, they just
announced the addition of Nortel as an option - but frankly that won't ship
until Q3 at best. Still needs improvement for us to use. If you think
the feature and performance variations in the NAS/modem market are wild,
you ain't seen nothing yet. VPN devices make me wish for the simple days
of modem interoperability and OSPF. :-)
Oh - and if the customer has people who travel internationally, prepare
to invest in legal services if you are running a tunnel endpoint. If a
crypto tunnel terminates on your network from outside the US it is a HUGE
can of worms. And the only people it makes happy are the lawyers.
Keep in mind that any ISP can provide IPSec - the corporate customer can
buy their own IPSec GW and clients. The ISP is transparent by design.
It only becomes sticky if you are going to manage it for them - run the
VPN gateway on their LAN. Help install and support the dial clients. Etc.
Of course, it is just those managed services that corporate users are looking
for (it is what GTEI offers).
And if you do the 'outsourced VPN' and one of your boxes is a security
endpoint, then you have all of the issues of supporting crypto. Not to
mention legal risk. What if you are doing 'outsourced VPN' - the client
dials into your NAS unencrypted, is encrypted at the NAS and tunneled to a
VPN GW at the client. And what if the NAS has a bug that leaks the data
before encryption to others? Or what if someone hacks your NAS and can
sniff the traffic there, or intercept it, etc? And the corporation loses
financial data, or medical records, or trade secrets - and sues your ass
off for selling them a secure service that isn't. And I am NOT joking here,
this is very serious. You can bet anyone selling a secure service that
gets violated is going to get raked over the coals - you'd better have a
lawyer review the business plan FIRST, and protect yourself from as much
liability as you can.
But again, from a security perspective, I could never recommend someone
buy an out-sourced VPN like this. For just those reasons. I recommend
end-to-end VPN. Dial client on the dial box, GW at the customer site.
Full encryption from client to GW. The data is never 'open' at any time
it leaves the client's machine until it reaches the GW on the customer LAN.
For an unsecured VPN - ie, just L2TP tunnels (still a form of VPN) - sure.
It is no more or less secure since there is no encryption really. Anyone
who relies on L2TP as a security measure is being foolish, IMHO. It was
not designed for that. L2TP is useful for ISP outsourcing as we've seen,
and the same can be done for corporate clients.
It is useful for anyone who wants/needs to transport non-IP protocols to
a dial in client from their LAN. Anyone with a private IP space. How about
a customer who wants to outsource to you, but provide proxy-filtered content
for kids, or religious reasons, etc. Tunnel their clients back to them
and let them handle the processing. But *secure* VPN is a different matter.
That's IPSec, and when security is a concern, the rules change.
-MZ
--
-=*X I'm going down... under that is! <URL:http://www.aussie-isp.net/> X*=-
<URL:mailto:megazone@megazone.org> Gweep, Discordian, Author, Engineer, me..
Join ISP/C Internet Service Providers' Consortium <URL:http://www.ispc.org/>
"A little nonsense now and then, is relished by the wisest men"
781-788-0130 <URL:http://www.megazone.org/> <URL:http://www.gweep.net/> Hail Discordia!
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
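The L2TP-versus-IPSec point made in the post above, as an added example that is not part of the original message or of any vendor's code: a constructed L2TPv2 data header (RFC 2661 layout) carrying a PPP frame in the clear, then the same datagram wrapped in an ESP header (RFC 2406 layout) so that a sniffer on the path, or a compromised NAS, sees only the SPI and sequence number. The hash-counter keystream is an assumed stand-in for the cipher IKE would negotiate (padding, trailer and ICV are omitted), and the PPP frame, tunnel and session ids and key are constructed sample values.

```python
import hashlib
import struct

IPPROTO_ESP = 50       # IP protocol number for ESP
L2TP_UDP_PORT = 1701   # UDP port L2TP control and data messages use

def build_l2tp_data(tunnel_id, session_id, ppp_frame):
    """RFC 2661 data message header: T=0, L=1 (length present), Ver=2."""
    hdr = struct.pack("!HHHH", 0x4002, 8 + len(ppp_frame), tunnel_id, session_id)
    return hdr + ppp_frame

def parse_l2tp_data(datagram):
    """Anyone on the path can do this: L2TP adds no confidentiality."""
    flags_ver, length, tunnel_id, session_id = struct.unpack("!HHHH", datagram[:8])
    if (flags_ver & 0x000F) != 2 or not (flags_ver & 0x4000):
        raise ValueError("not an L2TPv2 data message with a length field")
    return {"tunnel": tunnel_id, "session": session_id, "ppp": datagram[8:length]}

def keystream(key, spi, seq, n):
    """Hash-counter stand-in (assumption) for the cipher IKE would negotiate."""
    out = b""
    for block in range((n + 31) // 32):
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
    return out[:n]

def esp_wrap(spi, seq, key, inner):
    """RFC 2406 ESP: cleartext SPI and sequence number, then encrypted payload."""
    ks = keystream(key, spi, seq, len(inner))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(inner, ks))

def esp_unwrap(key, packet):
    """Only the holder of the SA's key recovers the inner L2TP datagram."""
    spi, seq = struct.unpack("!II", packet[:8])
    ks = keystream(key, spi, seq, len(packet) - 8)
    return bytes(a ^ b for a, b in zip(packet[8:], ks))

def observer_view(ip_proto, udp_port, payload):
    """What a sniffer on the path (or a compromised NAS) learns from one packet."""
    if ip_proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"layer": "ESP", "spi": spi, "seq": seq, "ppp": None}
    if udp_port == L2TP_UDP_PORT:
        return dict(parse_l2tp_data(payload), layer="L2TP")
    return {"layer": "unknown", "ppp": None}

# Constructed sample: a PPP frame carrying IP (protocol 0x0021) and some data.
PPP_FRAME = b"\x00\x21" + b"patient-record-fragment"
```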