I don't buy the "we need open relay for nationwide users" argument, either. Build a cheap MX that does nothing but take mail from a given POP, and send it to the world. Anti-spoofing at the border, don't accept mail from the outside world, and you're done.
You must not have a roaming staff or are willing to keep telcos wealthy.
Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.

Owen
At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
> Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.

I have an "operational" question. (SURPRISE! :)

VPN solutions are getting inexpensive. However, they are sometimes far from optimal.

The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).

This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable.

Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that.

So, does anyone know of a VPN that does selective forwarding like SSH tunneling?

> Owen

TTFN, patrick
With the MS PPTP client, there is an option to not use the default gateway on the remote network. By default this is on, so all your traffic goes through the VPN. Turn it off and only traffic destined for the remote network goes over the VPN. I would bet that there are similar options for other clients.

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick W. Gilmore
Sent: Monday, May 28, 2001 1:25 AM
To: nanog@nanog.org
Subject: VPN Solution (WAS: ORBS (Re: Scanning))

> At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
> > Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.
>
> I have an "operational" question. (SURPRISE! :)
>
> VPN solutions are getting inexpensive. However, they are sometimes far from optimal.
>
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable.
>
> Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that.
>
> So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
>
> > Owen
>
> TTFN, patrick
I've not had experience with MS PPTP or Bay Networks but have worked with the Sonicwall VPN client and FreeS/WAN and both only routed traffic through the tunnel if it was destined for that end-point and left all other traffic to traverse the network as it would be without the VPN tunnel. Both of these solutions can manage this as they both actually modify the routing table to include a route to the end-point over the tunnel and leave the default route as is.

Jeremy

Patrick W. Gilmore was said to have been seen saying:
> At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
> > Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.
>
> I have an "operational" question. (SURPRISE! :)
>
> VPN solutions are getting inexpensive. However, they are sometimes far from optimal.
>
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable.
>
> Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that.
>
> So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
>
> > Owen
>
> TTFN, patrick

--
Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC - www.UnderGrid.net
Public PGP/GPG key available through http://wwwkeys.us.pgp.net
If received unsigned (without requesting as such) DO NOT trust it!
Jeremy.Bouse@UnderGrid.net - NIC Whois: JB5713 - jbouse@Debian.org
VPN is too complex and it's necessary only if you use your corporate services. On the other hand, it's not a big problem to allow relaying for the roamers while keeping it closed to the spammers (and mainly to ORBS).

(1) Allow relaying for the message with your roaming From:. It's not the best solution but it cuts 99% of the spammers (including ORBS, which behaves like a spammer).

(2) Connect your POP/IMAP with your relay so as to allow SMTP relaying from an IP address which was registered in POP/IMAP in the last 3 hours.

And so on.

The idea of using a VPN for common roaming is a crazy one; and what do you propose to use cryptography for? To prevent mail sniffing? Who threatens you with it? And if you need secure mail, use PGP or something like it. VPN is a good thing - for access to the corporate network, though 50% of its configurations don't provide enough security (using multi-time passwords for PPTP just means _you have no security_ no matter if you use PAP, CHAP or something more complex - you can think _why_ but it's reality).

----- Original Message -----
From: "Patrick W. Gilmore" <patrick@ianai.net>
To: <nanog@nanog.org>
Sent: Sunday, May 27, 2001 10:24 PM
Subject: VPN Solution (WAS: ORBS (Re: Scanning))

> At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
> > Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.
>
> I have an "operational" question. (SURPRISE! :)
>
> VPN solutions are getting inexpensive. However, they are sometimes far from optimal.
>
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable.
>
> Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that.
>
> So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
>
> > Owen
>
> TTFN, patrick
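The POP-before-SMTP rule in point (2) of the message above, combined with Owen's earlier "relay only from valid VPN clients" rule, as an added example that is not code from this thread or from any MTA; the log format, the client addresses and the 10.8.0.0/24 VPN pool are constructed for the example.

```python
"""Relay policy for a roaming-user mail relay (added example): a client may
relay if it comes from the VPN address pool, or if its address completed a
POP/IMAP login within the last three hours.  Log format, addresses and the
VPN pool below are constructed, not taken from any real deployment."""
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(hours=3)                       # "in the last 3 hours"
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")    # assumed VPN client pool

# Constructed POP/IMAP log lines: timestamp, result, user, client address.
POP_LOG = """\
2001-05-28T01:10:00 LOGIN_OK alice 203.0.113.42
2001-05-28T01:12:00 LOGIN_FAIL mallory 198.51.100.9
2001-05-27T20:00:00 LOGIN_OK bob 192.0.2.77
"""


def parse_pop_log(text):
    """Map each client address to its most recent successful login time.
    Failed logins are skipped: only a completed authentication opens relay."""
    last_ok = {}
    for line in text.splitlines():
        ts, result, _user, ip = line.split()
        if result != "LOGIN_OK":
            continue
        when = datetime.fromisoformat(ts)
        addr = ipaddress.ip_address(ip)
        if addr not in last_ok or when > last_ok[addr]:
            last_ok[addr] = when
    return last_ok


def may_relay(client_ip, now, last_ok):
    """Relay decision for one SMTP connection at time `now`.  The From:
    header is deliberately not consulted, since anyone can write one."""
    addr = ipaddress.ip_address(client_ip)
    if addr in VPN_POOL:                 # tunnel clients: Owen's approach
        return True
    seen = last_ok.get(addr)
    return seen is not None and timedelta(0) <= now - seen <= WINDOW


def relay_decisions(log_text, now_iso, clients):
    """Evaluate several SMTP client addresses against one log at one instant."""
    table = parse_pop_log(log_text)
    now = datetime.fromisoformat(now_iso)
    return {ip: may_relay(ip, now, table) for ip in clients}


if __name__ == "__main__":
    hosts = ["203.0.113.42", "192.0.2.77", "198.51.100.9", "10.8.0.5"]
    for ip, ok in relay_decisions(POP_LOG, "2001-05-28T02:00:00", hosts).items():
        print(ip, "relay" if ok else "reject")
```

The grant is per source address, so every host behind the same NAT address inherits it for the window; that is the main reason the From:-based rule of point (1) is left out here and the time window is kept short.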
The Altiga/CiscoVPN3000 series allows you to do split tunneling. You give it a list of networks, and it drops this on the client when it connects. The client will check the list, and if the network is there, will send the packets through the tunnel. Works great for users who have a LAN printer but still want remote access.

craig

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Patrick W. Gilmore
Sent: Sunday, May 27, 2001 10:25 PM
To: nanog@nanog.org
Subject: VPN Solution (WAS: ORBS (Re: Scanning))

> At 06:58 PM 5/27/2001 -0700, Owen DeLong wrote:
> > Roaming staff usually needs some form of VPN access, anyway, and even if they don't, this is a great use for one. Put a VPN client on the roamer's computer (Linux, Mac, and Windows 9x/NT/ME/2k all have IPSEC capable clients available), then use the VPN to get back to the mail relay. If the mail relay is behind the VPN tunnel termination point at the server end, then it should only accept mail for relay from valid VPN clients. As such, you solve the roaming staff problem without an open relay. VPN boxes like Ravlin and Nokia Crypto Cluster are cheap enough today that I would consider it a valid cost of doing business if you don't have a better solution.
>
> I have an "operational" question. (SURPRISE! :)
>
> VPN solutions are getting inexpensive. However, they are sometimes far from optimal.
>
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> This can cause extremely poor performance for some roaming users. For instance, someone in Sydney with a home office in New York trying to get to a Sydney web server suddenly has to make two round trips to New York, just to cross town. Considering trans-pacific fiber congestion and other problems, this can make the VPN nearly unusable.
>
> Of course, you could tell the user to turn off the VPN, but you try to explain to a typical end user when he should and should not have the VPN turned on, or that he cannot send mail while browsing the web, or things like that.
>
> So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
>
> > Owen
>
> TTFN, patrick
> > The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> If you want a commercial solution that does selective tunnelling - the FW-1 add-in (VPN-1) exports a "topography" file to the client at setup; this really consists of a list of subnets that the VPN will handle, and is set at the server side. Anything not on the topography list goes out via the dialup adaptor or network card as normal.

Does anyone know of a way to put layer 4 switching in front of a VPN client such that (for example) email and nntp don't get tunnelled while everything else does, or vice-versa? We're probably talking Windows software here I know......

Jon.
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).

If you want a commercial solution that does selective tunnelling - the FW-1 add-in (VPN-1) exports a "topography" file to the client at setup; this really consists of a list of subnets that the VPN will handle, and is set at the server side. Anything not on the topography list goes out via the dialup adaptor or network card as normal.
Along with those others mentioned, InfoExpress' VTCP will only route traffic over the VPN destined for the defined secure network. All other traffic routes over your normal non-tunneled connection.

http://www.infoexpress.com/products/vpn/index.html

--
Mike Jones
mike@biggorilla.com

* Patrick W. Gilmore (patrick@ianai.net) [05/28/01 00:29]:
> The VPN solutions I have used (e.g. Bay Networks, MS PPTP) send *every* packet from the end user machine to the VPN end-point, not just selected packets (like with SSH tunneling).
>
> [...]
>
> So, does anyone know of a VPN that does selective forwarding like SSH tunneling?
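The split-tunnel behaviour described by Jason, Jeremy, Craig, David and Mike above (a server-pushed list of protected subnets gets routes via the tunnel, the default route is left alone, and the "use default gateway on remote network" setting instead points the default route into the tunnel), as an added example that is not code from any of those products; the prefixes, interface names and host addresses are constructed.

```python
"""Split tunneling versus full tunneling as a routing-table decision
(added example).  Networks, interface names and hosts are constructed."""
import ipaddress

# Constructed "topography"/network list as a VPN server would push it to
# the client on connect: only these prefixes are reachable via the tunnel.
PROTECTED_NETWORKS = ["10.0.0.0/8", "192.168.100.0/24"]
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def split_tunnel_routes(protected, tunnel_if="vpn0", default_if="ppp0"):
    """One route per protected prefix via the tunnel; default route untouched."""
    routes = [(ipaddress.ip_network(n), tunnel_if) for n in protected]
    routes.append((DEFAULT_ROUTE, default_if))
    return routes


def full_tunnel_routes(tunnel_if="vpn0"):
    """'Use default gateway on remote network' left on: the default route
    itself points into the tunnel, so every packet crosses it."""
    return [(DEFAULT_ROUTE, tunnel_if)]


def select_interface(routes, dst):
    """Longest-prefix match over the table, as the host's IP stack does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def path_for(dst, split=True):
    """Interface that carries traffic to dst under the chosen configuration."""
    routes = split_tunnel_routes(PROTECTED_NETWORKS) if split else full_tunnel_routes()
    return select_interface(routes, dst)


if __name__ == "__main__":
    # Patrick's case: a roaming user reaching a local web server (constructed
    # address 198.51.100.7) and the corporate mail relay behind the tunnel.
    for host in ("198.51.100.7", "10.1.2.3"):
        print(host, "split:", path_for(host), "full:", path_for(host, split=False))
```

With a split tunnel the roaming machine stays reachable from its local network while the tunnel is up, so host-level filtering on that machine carries more weight than it does under full tunneling.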
participants (9)
- Alexei Roudnev
- Craig Holland
- David Howe
- Jason Lewis
- Jeremy T. Bouse
- Jon Mansey
- mike@biggorilla.com
- owen@dixon.delong.sj.ca.us
- Patrick W. Gilmore