
Comment Re:IPsec (Score 2) 189

Just supporting IPSec doesn't necessarily mean your job as an administrator will be easy. IPSec is only a definition of the encrypted tunnel protocols, and does not define the process of exchanging public keys, validating the computer on the other end with a certificate authority, negotiating what type of encryption algorithm to use, or many other menial configuration tasks. It is possible to set up an IPSec tunnel by hand, but I hope you enjoy typing in lengthy configuration files and copying around encryption keys by hand. If you want the keys to roll over, you'll have to redo portions of this process every time you want that to happen, too.

To automate all this, you need a key exchange protocol like IKE which can handle all of these tasks for you. I personally work for a VPN company that implemented and released IPsec software/hardware before IKE had become a standard, and so we have our own protocols for establishing the Security Association for the IPSec tunnel. Our setup protocol is pretty darn good (IMHO), but it's not an open standard, so it only works between our own products. IKE is a feature likely to be added to a future release of our products.

In general regards to the big question, I think an IPSec client that supports IKE is the way to go, since both are now open standards (mostly in the range RFC2401 through RFC2409). There are already open source projects on the BSDs and Linux to support IPSec/IKE, and most VPN vendors are also moving towards it. (Check FreeS/WAN for Linux and isakmpd for BSD.)

From my highly biased standpoint, I think my company's product is pretty good and we have a nice client for WinXX if you're willing to work with your key server being on an NT machine. The server can work from behind a firewall with only a few UDP ports forwarded, which is also nice.

The opinions expressed in this email don't imply or assert anything about those of my employer in any way, shape, or form, either for or against anything I said. Everything in this post is entirely my own opinion and beliefs.
