Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc... Thanks again.
From: rich@tehorange.com Date: Wed, 29 Jun 2016 09:03:06 -0400 Subject: Re: automated site to site vpn recommendations To: paul@nashnetworks.ca CC: nanog@nanog.org
For several of our clients, we use Sophos UTMs coupled with their RED units. Once registered with the UTM, the RED unit auto creates an SSL based VPN back to the UTM. The RED unit is managed from the UTM and pulls its config when it boots. It's similar to the function of Meraki without the direct cloud management portion, though the config profile does get pushed to a section of Sophos' cloud.
-Rich
On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <paul@nashnetworks.ca> wrote:
My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.
Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.
paul
On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
I would second Meraki for the situation you describe. I don't feel that they are the most capable platform, they're expensive, and don't always present you with all the information you'd need for troubleshooting. However, the VPN offers great dynamic tunneling, instant-on performance, and is by far the simplest platform to offer a field person. They're also tenacious - I've had them connect to the cloud management platform and build a VPN under some trying circumstances.
From a security standpoint, they will offer features that will impress for the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN tunnel control), and we've found they punch above their weight and their APs perform fantastically.
We deploy them worldwide many times per year in similar use cases, sometimes with 150 users on the LAN. If your routing is simple, you can define your security policies, and don't need crazy throughput on your VPN, Meraki is the way to go. Be careful though: they have to be continually licensed to work and can get pretty expensive if you go for the higher end gear. Thus far, we've been able to stick to the cheaper stuff and accomplish our goals.
Dan
On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
In some cases...
The words "in some cases" are a problem with any supposedly plug and play solution.
We really could use a simple solution that you just flip on, it calls home, and works...
...but still requiring someone to enter credentials of some sort, right? Otherwise you have a device wandering about that provides look-mum-no-hands access to your corporate network.
MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB for a wireless dongle or storage, and has a highly-scriptable operating system. Not a bad platform.
Regards, K.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Karl Auer (kauer@biplane.com.au) http://www.biplane.com.au/kauer http://twitter.com/kauer389
GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4