automated site to site vpn recommendations
Situation: We have salespeople/engineers holding temporary seminars/training/demonstrations in hotel meeting rooms.

Requirements:
- Field people need a very plug-n-play, simple, reliable vpn back to corporate offices to present videos/slides/demonstrations. The materials are not accessible via the internet directly; they are in a contained environment at corporate HQ locations but not necessarily on the corp network.
- The solution should be able to provide wireless to attendees. In some cases, guest login will be fine, but in some cases the attendees will have registered and provided login creds prior to the event, and these creds will need to be checked before providing access.
- The solution should have the option to split tunnel internet traffic out, but in some cases they need all traffic tunneled and internet will be via our corporate offices (NDA/legal, don't ask, it's just a requirement provided).

Nice-to-have: field person should be able to not only access the presentation materials (in their contained network) but also the corporate network. Some early attempts required a user-vpn connection by the field person over the S2S VPN, but it made it clunky to switch back and forth. This isn't mandatory, but it would be nice to provide one solution providing dual-level access: restricted to attendees, less-restricted to field people.

Tried this in the past with basic router/switch/wireless and captive portals because we had some inventory available... it was workable but not quick or easy. We really could use a simple solution that you just flip on, it calls home, and works... or as close to that as possible. Have been looking at Meraki and a couple other low-touch solutions and they may do the trick, but we are hoping there are lower cost options that people have used successfully? We don't mind dealing with some off brands and even some custom coding (within reason) as long as the end result is a low-touch, reliable solution.

Thanks in advance.
We use the Meraki series -- MX @ the main office, and Z1 for the remote, or just 2 Z1 units if it's a small network and they work great. We've even gone so far as to utilize Avaya ip phones over the link so the teleworker's extension works wherever they are. I have to say, compared to a PIX or ASA, etc. they are about the simplest VPN setup you'll ever come across. We've even had cases where the Z1 was behind a fairly restrictive NAT, and it was able to establish a session and work great. Definitely not the cheapest, but if you can get by with just a couple of Z1s the cost isn't too bad.

Shawn

-----Original Message-----
From: "c b" <bz_siege_01@hotmail.com>
Sent: Monday, June 27, 2016 4:08pm
To: "nanog@nanog.org" <nanog@nanog.org>
Subject: automated site to site vpn recommendations
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> In some cases...
The words "in some cases" are a problem with any supposedly plug and play solution.
> We really could use a simple solution that you just flip on, it calls home, and works...
...but still requiring someone to enter credentials of some sort, right? Otherwise you have a device wandering about that provides look-mum-no-hands access to your corporate network.

MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB for a wireless dongle or storage, and has a highly-scriptable operating system. Not a bad platform.

Regards, K.

--
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
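Karl's point above, that a plug-in box which calls home with nobody entering credentials is a roaming key to the corporate network, can be modelled in code. The following is an added example (not from the thread or any vendor's software): a toy hub-side registration gate in Python that grants a tunnel only to a device holding a key IT provisioned before shipping and presenting a one-time activation code the field person types in on site, with revocation for a unit reported stolen. Serial numbers, keys and codes are constructed, and transport protection for the call-home message is assumed to come from the tunnel layer.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 120      # seconds of clock drift tolerated on the call-home timestamp
MAX_ATTEMPTS = 5    # wrong activation codes tolerated before the code is burned


class RegistrationHub:
    """HQ side: decides whether a box that 'calls home' gets a tunnel at all."""

    def __init__(self, now=time.time):
        self.now = now
        self.devices = {}      # serial -> {"key": bytes, "revoked": bool}
        self.activations = {}  # serial -> {"hash": bytes, "expires": float, "attempts": int}
        self.sessions = {}     # serial -> token handed to the tunnel layer

    def enroll_device(self, serial, device_key):
        # Done once by IT before the box ships: the key is the possession factor.
        self.devices[serial] = {"key": device_key, "revoked": False}

    def issue_activation_code(self, serial, ttl=3600):
        # Operator step per event: the code reaches the field person out of band
        # (phone, ticket) and is the knowledge factor typed in on site.
        code = f"{secrets.randbelow(10**8):08d}"
        self.activations[serial] = {
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.now() + ttl,
            "attempts": 0,
        }
        return code

    def revoke(self, serial):
        # Box reported lost or stolen: no tunnel, whatever it presents.
        if serial in self.devices:
            self.devices[serial]["revoked"] = True
        self.activations.pop(serial, None)
        self.sessions.pop(serial, None)

    def request_tunnel(self, serial, ts, code, mac):
        """Return (granted, reason_or_token). The device MAC is checked before the
        activation code, so a stranger without the key cannot burn a code."""
        dev = self.devices.get(serial)
        if dev is None or dev["revoked"]:
            return False, "unknown-or-revoked-device"
        if abs(self.now() - ts) > MAX_SKEW:
            return False, "stale-timestamp"
        expected = hmac.new(dev["key"], f"{serial}|{ts}|{code}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad-device-mac"
        act = self.activations.get(serial)
        if act is None or self.now() > act["expires"]:
            self.activations.pop(serial, None)
            return False, "no-valid-activation"
        if not hmac.compare_digest(act["hash"], hashlib.sha256(code.encode()).digest()):
            act["attempts"] += 1
            if act["attempts"] >= MAX_ATTEMPTS:
                self.activations.pop(serial, None)   # burn the code after too many tries
            return False, "wrong-activation-code"
        self.activations.pop(serial)                 # single use: no replay of the code
        token = secrets.token_hex(16)
        self.sessions[serial] = token
        return True, token


def device_call_home(serial, device_key, code, now=time.time):
    """Box side: the registration message sent once the field person types the code."""
    ts = int(now())
    mac = hmac.new(device_key, f"{serial}|{ts}|{code}".encode(), hashlib.sha256).hexdigest()
    return serial, ts, code, mac


def demo():
    """Walk the happy path and the failure modes with constructed values."""
    clock = [1_467_000_000.0]                         # constructed fixed clock
    now = lambda: clock[0]
    hub = RegistrationHub(now=now)
    key = b"constructed-device-key-ZT-0001"           # constructed, not a real key
    hub.enroll_device("ZT-0001", key)
    code = hub.issue_activation_code("ZT-0001")
    results = {}
    # 1. Box plugged in, nobody typed a code: refused.
    results["no_code"] = hub.request_tunnel(*device_call_home("ZT-0001", key, "", now))[0]
    # 2. Field person types the code: granted.
    msg = device_call_home("ZT-0001", key, code, now)
    results["granted"] = hub.request_tunnel(*msg)[0]
    # 3. Same message replayed: the code was consumed.
    results["replay"] = hub.request_tunnel(*msg)[0]
    # 4. Box reported stolen: a fresh code and the right key are still refused.
    code2 = hub.issue_activation_code("ZT-0001")
    hub.revoke("ZT-0001")
    results["revoked"] = hub.request_tunnel(*device_call_home("ZT-0001", key, code2, now))[0]
    return results


if __name__ == "__main__":
    print(demo())
```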
I would second Meraki for the situation you describe. I don't feel that they are the most capable platform, they're expensive, and don't always present you with all the information you'd need for troubleshooting. However, the VPN offers great dynamic tunneling, instant-on performance, and are by far the simplest platform to offer a field person. They're also tenacious - I've had them connect to the cloud management platform and build a VPN under some trying circumstances.

From a security standpoint, they will offer features that will impress for the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN tunnel control), and we've found they punch above their weight and their APs perform fantastically.

We deploy them worldwide many times per year in similar use cases, sometimes with 150 users on the LAN. If your routing is simple, you can define your security policies, and don't need crazy throughput on your VPN, Meraki is the way to go. Be careful though: they have to be continually licensed to work and can get pretty expensive if you go for the higher end gear. Thus far, we've been able to stick to the cheaper stuff and accomplish our goals.

Dan

On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
Another option is Checkpoint Edge devices. We use them worldwide with little to no problems. They're centrally managed and support central logging which is a plus when trying to diagnose issues. They support dynamic IP addresses as well, so just plug it in and you should be good to go. Not the cheapest solution, but for sure they get the job done.

Regards, Richard.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Dan Stralka
Sent: Monday, June 27, 2016 6:28 PM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: automated site to site vpn recommendations
Lorenzo did a MUM presentation (https://www.youtube.com/watch?v=VeZetH9uX_Y) on how road warriors can connect with a Mikrotik to automatically configure VPN. Pretty novel idea using inexpensive hardware. It may not be as user friendly as you need, though.

On Tue, Jun 28, 2016 at 11:21 AM, Richard Greasley <greasley@superfund.net> wrote:
--
GregSowell.com
TheBrothersWISP.com
My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.

Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.

paul
On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
For several of our clients, we use Sophos UTMs coupled with their RED units. Once registered with the UTM, the RED unit auto creates an SSL based VPN back to the UTM. The RED unit is managed from the UTM and pulls its config when it boots. It's similar to the function of Meraki without the direct cloud management portion, though the config profile does get pushed to a section of Sophos' cloud.

-Rich

On Wed, Jun 29, 2016 at 8:55 AM, Paul Nash <paul@nashnetworks.ca> wrote:
Guys, thanks for all the responses. Thanks to everyone's feedback, we have a number of options that were not on the original list and that is what I was hoping for. Now it's a matter of comparing cost/learning-curve/support-challenge/compatibility with tools/monitoring, etc... Thanks again.
From: rich@tehorange.com
Date: Wed, 29 Jun 2016 09:03:06 -0400
Subject: Re: automated site to site vpn recommendations
To: paul@nashnetworks.ca
CC: nanog@nanog.org
I believe they fixed this -- when I've spoken to tech support recently, I had to give them a tech support key so that they could access the devices I had questions about.

-----Original Message-----
From: "Paul Nash" <paul@nashnetworks.ca>
Sent: Wednesday, June 29, 2016 8:55am
To: "Untitled 3" <nanog@nanog.org>
Subject: Re: automated site to site vpn recommendations
My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do it at either L2 (Unifi APs and Unifi controller reachable on the same LAN segment as the Unifis, or with its own management vlan), or with Unifi APs programmed to find a controller by hostname/IP address (L3).

On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash <paul@nashnetworks.ca> wrote:
I treat Meraki like SmartNET. The subscription comes with lifetime support (TAC + Warranty); you do have support on your production network gear, don't you? It's not like they trick you going into it either. I for one am a huge fan of the simplicity, it just works.

Disclaimer: We use them. ~35 access points all around the world.

*Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net
*Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Wed, Jun 29, 2016 at 6:33 PM, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...
If you want wifi with a centralized controller there's lots of ways to do it at either L2 (Unifi APs and Unifi controller reachable on the same LAN segment as the Unifis, or with its own management vlan), or with Unifi APs programmed to find a controller by hostname/IP address (L3).
On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash <paul@nashnetworks.ca> wrote:
My biggest issue with Meraki is that their tech staff can run tcpdump on the wired or wireless interface of your Meraki box without having to leave their desk. I have no reason to believe that they are malicious, or in the pay of the NSA, but I am too paranoid to allow their equipment anywhere near me.
Yes, they work well and the cloud control panel makes remote support a breeze; you have to decide how you feel about the insecurity.
paul
On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin@gmail.com> wrote:
I would second Meraki for the situation you describe. I don't feel that they are the most capable platform, they're expensive, and don't always present you with all the information you'd need for troubleshooting. However, the VPN offers great dynamic tunneling, instant-on performance, and are by far the simplest platform to offer a field person. They're also tenacious - I've had them connect to the cloud management platform and build a VPN under some trying circumstances.
From a security standpoint, they will offer features that will impress for the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN tunnel control), and we've found they punch above their weight and their APs perform fantastically.
We deploy them worldwide many times per year in similar use cases, sometimes with 150 users on the LAN. If your routing is simple, you can define your security policies, and don't need crazy throughput on your VPN, Meraki is the way to go. Be careful though: they have to be continually licensed to work and can get pretty expensive if you go for the higher end gear. Thus far, we've been able to stick to the cheaper stuff and accomplish our goals.
Dan
On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer@biplane.com.au> wrote:
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
In some cases...
The words "in some cases" are a problem with any supposedly plug and play solution.
We really could use a simple solution that you just flip on, it calls home, and works...
...but still requiring someone to enter credentials of some sort, right? Otherwise you have a device wandering about that provides look-mum-no-hands access to your corporate network.
MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB for a wireless dongle or storage, and has a highly-scriptable operating system. Not a bad platform.
Regards, K.
--
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
On 6/29/16 15:33, Eric Kuhnke wrote:
My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...
I'm sure most hardware makers would love to lock in a revenue stream of "keep me working" subscriptions if they could get away with it. From the company's perspective what's not to love about that kind of guaranteed revenue? I often wonder if Microsoft will someday make Office365 the only way to get Office, which if you don't maintain a subscription your locally installed copy of Word will cease to function.

~Seth
On Wed, 2016-06-29 at 16:00 -0700, Seth Mattinen wrote:
I often wonder if Microsoft will someday make Office365 the only way to get Office, which if you don't maintain a subscription your locally installed copy of Word will cease to function.
I live for that day.

Regards, K.

--
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
There is a downside to subscription pricing for the vendor: they don't get the instant cashflow they're used to. I know Cisco seems to be taking a tactic where only some product lines use subscriptions and the others are on a typical enterprise 3-5 year replacement cycle to provide Cisco with the large cash injections upon upgrade.

Tim
On 30 Jun 2016, at 7:00 AM, Seth Mattinen <sethm@rollernet.us> wrote:
On 6/29/16 15:33, Eric Kuhnke wrote:
My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...
I'm sure most hardware makers would love to lock in a revenue stream of "keep me working" subscriptions if they could get away with it. From the company's perspective what's not to love about that kind of guaranteed revenue?
I often wonder if Microsoft will someday make Office365 the only way to get Office, which if you don't maintain a subscription your locally installed copy of Word will cease to function.
~Seth
I have a feeling that most if not all of the requirements you have could be achieved with a Cisco ISR router running some kind of FlexVPN/DMVPN setup back to a network VPN hub. The ISR G3 series has the option of enabling a built-in firewall/IPS. You'd need a RADIUS solution to authenticate the VPN from the spoke router in the field to the hub and also for 802.1X port authentication. Depending upon the number of ports you'd need, a downstream switch may be needed (ISR4331 has an optional 4-port PoE switch module).

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-im...

That said, I think this would be a huge headache compared to what can be done with Meraki. It would also involve a TON of R&D time (believe me).

On Wed, Jun 29, 2016 at 7:38 PM, Tim Raphael <raphael.timothy@gmail.com> wrote:
There is a downside to subscription pricing for the vendor: they don't get the instant cashflow they're used to. I know Cisco seems to be taking a tactic where only some product lines use subscriptions and the others are on a typical enterprise 3-5 year replacement cycle to provide Cisco with the large cash injections upon upgrade.
Tim
On 30 Jun 2016, at 7:00 AM, Seth Mattinen <sethm@rollernet.us> wrote:
On 6/29/16 15:33, Eric Kuhnke wrote:
My biggest issue with Meraki is the fundamentally flawed business model, biased in favor of vendor lock in and endlessly recurring payments to the equipment vendor rather than the ISP or enterprise end user.
You should not have to pay a yearly subscription fee to keep your in-house 802.11(abgn/ac) wifi access points operating. The very idea that the equipment you purchased which worked flawlessly on day one will stop working not because it's broken, or obsolete, but because your *subscription* expired...
I'm sure most hardware makers would love to lock in a revenue stream of "keep me working" subscriptions if they could get away with it. From the company's perspective what's not to love about that kind of guaranteed revenue?
I often wonder if Microsoft will someday make Office365 the only way to get Office, which if you don't maintain a subscription your locally installed copy of Word will cease to function.
~Seth
--
Geoffrey Wolf
Fortinet has stuff that does this that is non-IT friendly.

On Mon, Jun 27, 2016 at 4:59 PM, Karl Auer <kauer@biplane.com.au> wrote:
On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
In some cases...
The words "in some cases" are a problem with any supposedly plug and play solution.
We really could use a simple solution that you just flip on, it calls home, and works...
...but still requiring someone to enter credentials of some sort, right? Otherwise you have a device wandering about that provides look-mum-no-hands access to your corporate network.
MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB for a wireless dongle or storage, and has a highly-scriptable operating system. Not a bad platform.
Regards, K.
--
Karl Auer (kauer@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4