- Microsoft Windows Remote Access: Not bad. Microsoft fixed the cryptological problems with PPTP long ago, and every Windows PC came with a VPN client until recently (oops, M$.) There was a decent Linux client, but no easy-to-install Mac client. You could piggyback the server off any random Windows box behind your VPN, and use Active Directory or any LDAP for authentication. Rating: 3 out of 5.
- El Cheapo eBay Anything-but-Cisco Special: You could buy an old Juniper or something firewall and use a generic client. Usually you could get it to authenticate against RADIUS (but not usually LDAP or AD.) If your magic box did PPTP, cool, but usually you had to fiddle with handing out generic, fiddly IPsec clients to your users. Rating: 2 out of 5 stars.
- "F*** it, just open up the firewall": Run Remote Desktop Services or VNC on the desktops. But once one power user gets a firewall hole opened, everybody wants in. Do you really want to open your entire LAN to VNC? Rating: 2 out of 5 stars.
- Magic Boxes: Well, you can just grit your teeth and pay thousands for a magic box. They usually work, except when the vendor decides to break a protocol and force you to use their client, which may or may not install easily or even work, or, worse, force you to pay even more per-seat for licensing. Oh - you wanted encryption with your VPN - just write us another check, please! Rating: Varies widely with size and, mostly, ease of client installation.
- Poptop, OpenSWAN, SSH tunnels: Promising, but we could never get Poptop or OpenSWAN to work. SSH tunneling is OK, but requires expert knowledge and only forwards one or two protocols at the same time.
So finally we had a chance to give OpenVPN a try. What a surprise. Better yet, there is a commercial enterprise, OpenVPN Technologies, that offers an added-value product for $5 per seat that makes OpenVPN fiddle-free. Rating: 5 out of 5 stars for smallish installs.
This approach solves two big problems we've had with VPN deployments: licensing and fiddly, hard-to-install clients.
Licensing is straightforward: $5 per seat, period. For huge installs, it might be cheaper to buy a Magic Box. But for smaller deployments, for $5 you get: super-easy installation on most Linux platforms, a web GUI, added-value support for the parts that are different from "free" OpenVPN, defaults that make it work right out of the box (with LDAP, too), a Windows client that works, and, as part of the GUI, a place where Windows users can log in and download the client, and non-Windows users can download a config that simply plugs into OpenVPN for use as a client.
No more client fiddling: OpenVPN Technologies supplies the Windows client, Linux users use the OpenVPN that comes with their distro, and Mac users can use either OpenVPN or Tunnelblick. All this guarantees that the client will be compatible with the OpenVPN Technologies server, which is OpenVPN itself with the value-added parts wrapped around the server.
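For reference, this is the shape of the per-user profile that a non-Windows user plugs into a stock OpenVPN or Tunnelblick client. It is an added example, not a profile generated by OpenVPN Technologies' product or taken from this site; the hostname, port and file names are assumptions, and the hardening directives at the end are the ones worth checking for in any profile you hand out.

```conf
# Added example client profile (not from the original post). The hostname,
# port and file names are placeholders; substitute your own.
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# Per-user certificate and key plus the CA that signed the server cert.
ca ca.crt
cert user.crt
key user.key

# Prompt for username/password so the server can authenticate against LDAP/AD
# in addition to the certificate above.
auth-user-pass
# Do not keep the username/password cached in memory after use.
auth-nocache

# Require the server's certificate to carry the server EKU / nsCertType, so a
# stolen *client* certificate cannot be used to impersonate the server.
remote-cert-tls server

# HMAC-authenticate the TLS control channel with a pre-shared static key
# (ta.key, direction 1 on clients); unauthenticated packets are dropped
# before the TLS handshake ever runs.
tls-auth ta.key 1

# Data-channel cipher. Must match what the server is configured to accept.
cipher AES-256-CBC

verb 3
```

If you distribute a profile that omits `remote-cert-tls server` or `tls-auth`, every user who ever had a client cert issued can stand up a rogue "server" that the other clients will happily connect to; those two lines are the cheap insurance.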
Well, enough fan mail for OpenVPN. Time to get back to work, doing real work from home instead of fiddling with a VPN.
[UPDATE: Red Hat / CentOS seems to have dropped OpenVPN from their repositories. You may have to build OpenVPN from source. Not too hard, but no longer fiddle-free.]
Clicking on each image will open a full-size popup window.
Open each black and white image and put it in the center of your screen.
Open the corresponding color image, align the popup window directly over the black and white image, and pre-position your mouse cursor on the "X" or "-" control that will make the color image window go away.
After you have stared at the dot in the middle of the color image, click to make the window go away and see what the black and white image underneath looks like...
Not sure why, but the color bars don't work as well as the landscape. Either the illusion works better with "earth tones" or our brain is hardwired to "imagine" landscape colors?
Thanks to johnsadowski.com by way of Simon Singh
That's about the weirdest hardware thing I've seen in a while.
We got balled up in a licensing dispute for our Cisco ASA firewall. Before I felt comfortable putting 3000 people behind a single box, I figured we ought to get a second unit and failover working. But someone was sold mismatched licenses, and we had to throw a $5000 license upgrade in the dumpster to get the units to work together. Every other brand promises "No Surprises" but Cisco seems to not mind packing a show-stopper in every device. Their tech isn't bad, it's that the products are so complicated that their sales channels cannot understand them and sell you the right stuff the first time. I don't like surprises.
To get the prices down in the same ballpark as Juniper, Cisco had to specify 12 different Catalyst models, all the way from lowly 3560's, which I consider old-timey, to 3750E's, with various port configurations and features. Juniper: Only five different models: the 24-port all-SFP EX4200, 24- and 48-Cu-port EX4200s, and 24- and 48-Cu-port EX3200s. (If we'd had a little more cash I would have liked to buy all 48-Cu-port models.)
All Juniper ports are gigabit. Most Cisco ports in our spec had to be 100 megabit to match Juniper's pricing.
There is a rumor floating around that some Cisco devices are coded to reject non-Cisco (i.e. non-ridiculously-overpriced) SFP modules. If it's true, that's just evil.
Some Juniper switches were spec'ed without any fiber ports, which made them cheaper. Adding four SFP fiber ports is a $500 slot option, and if you don't need it you don't have to buy it. You can swap the $500 4xGBit card for a $1500 card with two 10-gig ports when it's time to upgrade.
All Juniper devices run the same OS. No fussing about which version of IOS to get, and especially whether the features you need are in the apparently random selection of features that ships in the IOS you get.
The Juniper EX series has field-swappable fans and power supplies. Lose a PS or fan in a Cisco 3600/3700 series switch and, except for a few high-end models, you have a dead box.
The Junipers all have PoE on the first 8 ports. The built-in JunOS web interface is generally better than the built-in IOS web interface and is good enough for many setups.
OTOH: The Junipers are loud. Do not expect to install the EX series under someone's desk or anywhere else out in the open.
OTOH: It's not terrible, but nothing compares to the vast collection of generally well-written documents on Cisco's web site, and their active user community.
OTOH: You have to learn JunOS. Not hard; it has its pluses and minuses, and if you know the fundamentals of the parameters you are trying to set, it's not hard to learn.
Here is what I like to see: A Sun X4540 "Thumper" with 45 of its 47 disk-drive lights (one drive removed for testing) blinking furiously at an estimated peak IO bandwidth of 400 MBytes/sec read / 300 MBytes/sec write. Configured as a 46-physical-disk "raidz" (essentially RAID5) array, this system does everything a NetApp or similar "magic box" would do except NDMP, at half the price, and with full Solaris OS functionality thrown in for extra. (Can you run BIND or Apache on your storage appliance?) Everything is hot swappable, about 19T as configured, spread out across 6 SATA controllers, fits in 4U, field-upgradeable to double that, and we got the whole kit and caboodle for half list price under a Sun educational grant program. This could be THE BEST BOX EVER.