atcomsystems.ca/forum Forums VOIP Phones & IP PBX Networking Point to Point VPN

I really like the ASA5505. I like it better then the 5510 and 5520.

Can anyone recommend a book that explains VPN in a nutshell?

I picked up a lot from "Networking for Dummies" and I bought it at Border's Books. Not bad reading and it will enlighten you on a lot of what you need to know. I wouldn't count on it for everything though.

Think of each VPN tunnel as an unsecured port on a switch located in a building where you are not in control of access. Maybe you wouldn't want them all on at the same time?

We use RDC a lot and VPNs to a lesser extent but they're only on when in use and the security is as tight as is reasonable.

The best way to learn this stuff is to do it, but a lot of the time the purpose-built equipment is prohibitively expensive. Fortunately, the linux world has come up with a lot of creative solutions and most of them are free for non-commercial use. I would suggest rounding up a pair of old PCs (any Pentium with 64MB of RAM and a 1GB HD will suffice), loading them up with a pair of NICs each, burning a CD of the Smoothwall installation and getting some hands-on experience.

Don't read the manuals, just hook up a kb, mouse & monitor and boot off the install CD. Once the box is set up, you won't need any of 'em (you can even yank the CD-ROM). Once it's running, you can configure it via web browser and set up your VPNs and all that good stuff. If you have dynamic IPs, you can configure it to automatically log in to services like DynDNS for easy access. I've recycled dozens of PCs for friends to use as a robust broadband firewalls with lots of features you don't normally get off the store shelf. Plus they can be tossed in just about any closet and forgotten about - just remember to turn off KB errors in the BIOS and they'll run for years unattended. My parents have one that's over a half-dozen years old and still doing the job.

Or read a book. =)

I think it's a BIG mistake to install a firewall and then "just forget it". Especially in a production environment. This is not a static environment. Every firewall release, left unattended, is a WASTING ASSET because it is immediately subject to hostile probing and odds-on to be compromised unless frequently updated to keep up with new attacks. You may be one of the lucky ones to avoid the attention of hackers/crackers, but in a business environment, can you afford to take the risk?
This is one of the reasons "purpose-built equipment is prohibitevely expensive". This is also why, imo, when it comes to security, proprietary, closed products, get my vote, as long as they're accompanied by commensurate warranties on the part of the vendor(s) (It amazes me how few so-called security "professionals" look at the warranties and the support the vendors provide, and discuss in advance what happens if the vendor's system is compromised).
To add to the VPN issue:
MacOSX, before you go splurging on tunnel licenses, estimate the maximum number of concurrent VPN connections you will need - that's the proper metric. If you need only 1 or 2, there is no need for a site-to-site VPN, since in such case you can establish a (software) client-to-server VPN as needed.
If you need something more robust, easy to use, and proven in the field, the Cisco boxes mentioned above are a good option. Although I think the small-business products by Sonicwall are better suited to smaller offices. But currently, for simplicity and ease-of-use, I'd go with Sofaware . Their small business offerings are very competitive, and they also sell a home version, which I've been using for the past few months.
The annual subscriptions for security are currently the cheapest among comparative products. The prices for gateway antivirus, antispam and filtering are also right up there.
Ofcourse, security is a very competitive field and vendors keep leapfrogging each other, both in technology and support. Next year, one of the other players may be on top in the small office market. My loyalties are very fickle.

Thanks for all this information so far, keep it coming!

Now, just to give you an exact idea of what I want to have done...

I install and service Toshiba phone systems, and they can be connected to a network, for administration. I have had more problems than not recently with customer getting these Voip PRI's and I can't maintain a good connection over dial-up... even for a quick change. I want to take advantage of the network capabilities of the systems, to remedy this growing problem.

BUT

I do not want to ask every customer to have their IT guy to have to set me up with VPN (not their problem/security issues/etc.).

My goal is to find a plug-n-play device that I can install ahead of the customers firewall, plug into the NIC on the CIX and connect to it from any high-speed internet connection with my laptop... mainly at the office.


What hardware software combinations do you suggest for this?

BTW, I'm sure there are many answers, so please let everyone speak before bashing their ideas. I'm open to every/anything at this point, t better serve my customers.

Right now I am experimenting with Hamachi, Remote Desktop, RealVNC, and Dynamic DNS to access my Windows 2003 Server from, well, anywhere...

Tony,
There is not an "easy" way to do what your describing. The easiest solution that I can think of for what you want would be to find out what ports the Toshiba uses for admin communications and have the IT folks forward the needed ports to the system.

Most larger companies with an actual IT guy shouldn't have much of a problem doing it since they can also normally limit access to just your office IP address. Any of the smaller companies running cheapo firewall/gateways can probably live with you installing a new gateway with the configuration to suit your needs.

If you had a dedicated computer on each site for programming, it would be a whole different story. A program called "teamviewer" will allow remote access to a computer from virtually anywhere with normally no changes needed on the firewall.

i think you misunderstood the entire point of what i was saying, sph. at no time did i suggest using freebie firewall software in a production environment; i was merely proposing a low-cost way of learning how these devices work.

oh, and ALL computer equipment is considered a wasting asset - your CPA can explain the term for you if you're confused.

Fair enough, I'm sorry if I misunderstood. I used the term "wasting asset" to signify security-related depreciation, not the financial one.

Other than that, I think ipofficeguy's suggestions cover what MacOSX was asking for.