Back in November 2000 I read with interest a thread discussing the implications of Service Providers blocking particular protocols (I believe it was "Operational impact of blocking SMB/Netbios"). I recall one response which explicitly stated that IPsec was not blocked.

Is anyone on the list aware of Service Providers (ISP/NSP...) who DO block IPsec traffic, with or without informing their customers or peers?

I'm trying to assess the pros and cons of major Enterprise Customers basing their entire remote office/small office/mobile network access strategy on some type of IPsec based VPN solution.

Any thoughts?

Cheers
Dave

-------
Dave Wardle, Principal Consultant
Critical Networks, Inc.
-------
Email: dave@criticalnets.com
Homepage: www.criticalnets.com
-------
Cell: 831 332 1021
Tel: 831 662 1710
Fax: 831 662 1710
-------
On Tue, 16 Jan 2001, Dave Wardle, Critical Networks, Inc. wrote:
Date: Tue, 16 Jan 2001 18:48:31 -0800 (PST) From: "Dave Wardle, Critical Networks, Inc." <dave@criticalnets.com> To: nanog@merit.edu Subject: IPSectarianism
Is anyone on the list aware of Service Providers (ISP/NSP...) who DO block IPsec traffic, with or without informing their customers or peers?
I used to work for an ISP (http://www.pilot.net) who blocked *all* traffic except that specifically asked for, in the interests of security. This was spelled out in the sales contract, and in fact was a prime selling point. (I opened a lot of pinholes in a lot of firewalls for IPsec.) I imagine there are other ISPs who do the same.
From a customer standpoint, where I am now, I would never sign on with an ISP/NSP who filtered *any* traffic. I can manage my own firewall thank you very much.[1] I pay them for network access, to get my packets from me to elsewhere and back, not to be my guardians.
I'm trying to assess the pros and cons of major Enterprise Customers basing their entire remote office/small office/mobile network access strategy on some type of IPsec based VPN solution.
I've been very happy with Cisco's IPsec VPNs from PIX to PIX. They're reasonably stable, very easy to set up, and since I'm not the one paying 12 grand + for what amounts to a 2-year-old desktop box running modified IOS, their price is right. Oftentimes clients simply say "Cisco? Cool, here's some money." Only caveat being, you really need the failover. Mobile, I can't help you, sorry.
Any thoughts?
Cheers Dave
------- Dave Wardle, Principal Consultant Critical Networks, Inc. ------- Email: dave@criticalnets.com Homepage: www.criticalnets.com ------- Cell: 831 332 1021 Tel: 831 662 1710 Fax: 831 662 1710 -------
[1] Please no snide comments about my current provider, I am not too pleased with them for exactly the reason you're thinking and am discussing other options with my supervisor.