automated site to site vpn recommendations
- Subject: automated site to site vpn recommendations
- From: paul at nashnetworks.ca (Paul Nash)
- Date: Wed, 29 Jun 2016 08:55:40 -0400
- In-reply-to: <CAJk2XQcLH=57as+beEjOi784WtnB9XquQ5hVdbWEZVX74s1Oig@mail.gmail.com>
- References: <[email protected]> <[email protected]> <CAJk2XQcLH=57as+beEjOi784WtnB9XquQ5hVdbWEZVX74s1Oig@mail.gmail.com>
My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.
Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.
paul
> On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin at gmail.com> wrote:
>
> I would second Meraki for the situation you describe. I don't feel that
> they are the most capable platform, they're expensive, and don't always
> present you with all the information you'd need for troubleshooting.
> However, the VPN offers great dynamic tunneling, instant-on performance,
> and is by far the simplest platform to offer a field person. They're also
> tenacious - I've had them connect to the cloud management platform and
> build a VPN under some trying circumstances.
>
> From a security standpoint, they will offer features that will impress for
> the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> tunnel control), and we've found they punch above their weight and their
> APs perform fantastically.
>
> We deploy them worldwide many times per year in similar use cases,
> sometimes with 150 users on the LAN. If your routing is simple, you can
> define your security policies, and don't need crazy throughput on your VPN,
> Meraki is the way to go. Be careful though: they have to be continually
> licensed to work and can get pretty expensive if you go for the higher end
> gear. Thus far, we've been able to stick to the cheaper stuff and
> accomplish our goals.
>
> Dan
>
> (end)
> On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer at biplane.com.au> wrote:
>
>> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
>>> In some cases...
>>
>> The words "in some cases" are a problem with any supposedly plug and
>> play solution.
>>
>>> We really could use a simple solution that you
>>> just flip on, it calls home, and works...
>>
>> ...but still requiring someone to enter credentials of some sort,
>> right? Otherwise you have a device wandering about that provides
>> look-mum-no-hands access to your corporate network.
>>
>> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
>> for a wireless dongle or storage, and has a highly-scriptable operating
>> system. Not a bad platform.
>>
>> Regards, K.
>>
>> --
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Karl Auer (kauer at biplane.com.au)
>> http://www.biplane.com.au/kauer
>> http://twitter.com/kauer389
>>
>> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
>> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4