March 29th, 2004, 01:27 AM
I'm planning on implementing a VPN and I wanted to get some feedback about the benefits of using a security appliance such as the Cisco VPN Concentrator versus a Linux server for an end-to-end encryption scheme. What have you used in the past, and how scalable was it?
Thanks for your feedback,
March 29th, 2004, 04:06 PM
I haven't used the Cisco VPN equipment but have used the Nortel CES equipment in the past. If the Cisco is as scalable as the Nortel, you shouldn't have expansion issues with either; it's just a matter of dollars and preference. In the market now there is more than just Cisco and Nortel VPN equipment available. Regardless of your preferences...
Determine your application (point-to-point VPN between locations, main site with remote access desktop clients, number of connections, cost per connection, etc.). Research the available equipment from a number of providers these days and use a matrix to determine which is best to support your app. In short, if you have the funds I'd prefer a hardware solution with desktop clients from a known provider over a server-based solution - then again, I have more experience in hardware than software-based VPNs.
March 30th, 2004, 01:17 AM
We are using a Cisco 3030 and are very happy with it. Some of the things I like about it are that it is very scalable, you can brand and preconfigure the software client, you can connect both software and hardware clients to the same concentrator, and you can have redundant appliances for better uptime.
I don't think you have to worry about encryption strength as I believe both solutions will be OK in that area.
I don't have a lot of experience with the Linux solution but I know that I do like the Cisco route.
If you have any other questions please let me know.
Work... Some days it's just not worth chewing through the restraints...
March 30th, 2004, 04:37 AM
re: VPN devices
I've not used anything other than Cisco personally. Within that, I've only used routers and PIX firewalls - no Concentrators. But I've run the gamut of PIXes (515s, 520s, 525s) and routers (everything from a 2500 series to a 7500 series). I also run Client VPNs from my 525-pair head-ends.
I use AES-256 unless the device doesn't have enough memory to support a newer IOS image. In the latter case I use 3DES. I normally use SHA for the hashing.
Since I've never used a Concentrator from Cisco, I can only speak to PIXes and routers. I tend to prefer working with the PIXes, but I would agree with most people and say the routers are a little less temperamental and easier to work with on the remote nodes.
All of the Cisco solutions are extremely scalable imho.
I've only run Linux VPNs in a lab setting, so I wouldn't feel comfortable giving advice out re: that avenue.
All in all, it really comes down to what you want, what you want to pay, and how much work you're willing to throw at your VPN solution. How conversant are you with Cisco? How conversant with Linux? How much time do you have to prototype your solution and implement? How much $$$ is budgeted? Lastly, who is responsible for maintenance (and ask them the 'conversant' questions).
I would never write one is better than the other...but I'm sure one solution will fit your needs more adequately than another.
Hope that helps...
Ego is the great Logic killer
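Added example (not from any poster in this thread): the cipher choices described in the post above expressed as a Cisco IOS router site-to-site IPsec configuration, with AES-256/SHA preferred and 3DES/SHA kept only as the fallback for a peer whose image lacks AES. The peer address, pre-shared key, subnets and interface are constructed placeholders.

```cisco
! Constructed example (not from the thread): Cisco IOS site-to-site IPsec
! Phase 1 (ISAKMP) policy: AES-256, SHA-1 integrity, pre-shared key, DH group 2
! Lower policy numbers are offered first, so the strong policy wins when both sides support it
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Fallback phase 1 policy for a memory-limited peer running an older IOS without AES
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key for the remote peer (placeholder key and address)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
!
! Phase 2 (IPsec) transform sets: AES-256 preferred, 3DES as fallback
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
! Traffic to protect: local 10.1.0.0/16 to remote 10.2.0.0/16 (constructed subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map lists transform sets in order of preference; the peer gets the first it supports
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES256-SHA 3DES-SHA
 match address VPN-TRAFFIC
!
! Apply the crypto map to the outside interface (placeholder interface name)
interface Serial0/0
 crypto map VPNMAP
```

Check which proposal a given peer actually negotiated with `show crypto isakmp sa` and `show crypto ipsec sa`; 3DES has since been deprecated, so the fallback policy and transform set should be removed once the memory-limited peer is upgraded.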
March 30th, 2004, 01:36 PM
If you buy a Cisco Concentrator and something happens you'll be able to get support.
If you build your own (using Linux et al.) and something happens, you're on your own...
Just something to take into account.
Experience is something you don't get until just after you need it.