
talmy

macrumors 601
Oct 26, 2009
4,727
337
Oregon
Why is there a checkbox on the client when it doesn't work?

It looks like I need to turn VPN on and off depending on whether or not I want secure (but slow) or fast transfers. This is making ssh tunneling or ShareTool (without VPN) look more attractive. I currently use ssh tunneling to access my home from locations (such as at work) that block the VPN ports, and I've tried ShareTool but decided that, while it worked fine, it wasn't necessary for what I was doing.
 

mmcxiiad

macrumors 6502
Original poster
Jul 19, 2002
259
17
What's the additional security (from the company's standpoint) of encrypting the users' traffic to their personal mail account, whether at a hotel or at home? Unless you require full tunneling (for web filtering and such), then split tunneling is fine as you're encrypting the data the business deems important.

A poor security policy would allow the users to dictate what to encrypt. You lose control over how much WAN traffic you'll see and how much load you'll generate on your VPN device.


Well, considering that this post was initially about me, my perspective isn't from a large business. We have just a few employees who would need to VPN in to access a few things. But when a few of us travel, I would want to tunnel all traffic back through the VPN. For me the two advantages of this are peace of mind that my traffic is safe while I am on the road, and access to services that hotels and public access points tend to block.
 

belvdr

macrumors 603
Aug 15, 2005
5,945
1,372
Well, considering that this post was initially about me, my perspective isn't from a large business. We have just a few employees who would need to VPN in to access a few things. But when a few of us travel, I would want to tunnel all traffic back through the VPN. For me the two advantages of this are peace of mind that my traffic is safe while I am on the road, and access to services that hotels and public access points tend to block.

It's not a large business frame of mind. It's a business state of mind, especially small businesses. Depending on your WAN connection and applications used, you could easily flood it and cause an outage. For web browsing, you effectively double your throughput requirements.

For example, say you're on the road and you stream a YouTube or Netflix video. The data comes from the Internet, down your WAN, through the VPN (which then encrypts it), then back out your WAN again. Then again, are you going to force your users to connect to VPN any time they have an Internet connection? If not, then I'd say most users will get upset with the crappy performance and disconnect anyway.

I've never seen public Internet points block much of anything. I think you're worried a bit too much about things, but then again, it has no bearing on me really.

But again, I'll ask what is the additional security behind encrypting users' traffic destined for Yahoo or Netflix? Where's the value? By creating a VPN, you are not isolating the user from the local network.

To note, I'm just trying to point out that you really need to think this through. If you simply turn it on, it can cause all sorts of issues.
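
Added example, not part of any post in this thread: a small Python model of a client routing table under split and full tunnelling. It shows which destinations enter the tunnel, that the local subnet stays directly reachable in both modes, and how Internet traffic hairpinned through the VPN is carried twice on the office WAN. The addresses, interface names and flow rates are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions for illustration, not from the thread)
HOTEL_LAN = "192.168.50.0/24"    # network the travelling laptop is attached to
OFFICE_NET = "10.20.0.0/16"      # business network behind the VPN device
VPN_GATEWAY = "203.0.113.10/32"  # public address of the office VPN device

def route_table(mode):
    """Client routes as (network, interface) for 'full' or 'split' tunnelling."""
    table = [
        (HOTEL_LAN, "wifi"),     # connected route: present in both modes
        (VPN_GATEWAY, "wifi"),   # the encrypted tunnel itself must bypass the tunnel
        ("0.0.0.0/0", "vpn" if mode == "full" else "wifi"),
    ]
    if mode == "split":
        table.append((OFFICE_NET, "vpn"))  # only business prefixes are tunnelled
    return [(ipaddress.ip_network(net), dev) for net, dev in table]

def egress(mode, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in route_table(mode) if addr in net]
    return max(matches, key=lambda m: m[0])[1]

def office_wan_mbps(mode, flows):
    """Load the remote user's flows place on the office WAN link."""
    office = ipaddress.ip_network(OFFICE_NET)
    total = 0
    for dst, mbps in flows:
        if egress(mode, dst) != "vpn":
            continue  # goes straight out the local link, never touches the office WAN
        inside = ipaddress.ip_address(dst) in office
        # Internet-bound traffic hairpins: in from the Internet, back out to the client
        total += mbps if inside else 2 * mbps
    return total

# Constructed sample flows: (destination, Mbps)
FLOWS = [("198.51.100.7", 5),    # video stream from an Internet host
         ("10.20.1.5", 2),       # file share in the office
         ("192.168.50.20", 1)]   # printer on the hotel LAN

if __name__ == "__main__":
    for mode in ("split", "full"):
        print(mode, [(d, egress(mode, d)) for d, _ in FLOWS],
              "office WAN Mbps:", office_wan_mbps(mode, FLOWS))
```
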
 

mmcxiiad

macrumors 6502
Original poster
Jul 19, 2002
259
17
It's not a large business frame of mind. It's a business state of mind, especially small businesses. Depending on your WAN connection and applications used, you could easily flood it and cause an outage. For web browsing, you effectively double your throughput requirements.

For example, say you're on the road and you stream a YouTube or Netflix video. The data comes from the Internet, down your WAN, through the VPN (which then encrypts it), then back out your WAN again. Then again, are you going to force your users to connect to VPN any time they have an Internet connection? If not, then I'd say most users will get upset with the crappy performance and disconnect anyway.

I've never seen public Internet points block much of anything. I think you're worried a bit too much about things, but then again, it has no bearing on me really.

But again, I'll ask what is the additional security behind encrypting users' traffic destined for Yahoo or Netflix? Where's the value? By creating a VPN, you are not isolating the user from the local network.

To note, I'm just trying to point out that you really need to think this through. If you simply turn it on, it can cause all sorts of issues.


Ok, I want to preface by saying that I am not trying to start a flame war. I always appreciate getting a different point of view. That said, I think I pretty clearly outlined my desires in the first post. Maybe you should reread that. As the title of this thread suggests, I am not stuck on a VPN solution. Someone I know suggested an SSL connection, though I am not sure what the difference is or how to implement that.
 

belvdr

macrumors 603
Aug 15, 2005
5,945
1,372
Ok, I want to preface by saying that I am not trying to start a flame war. I always appreciate getting a different point of view. That said, I think I pretty clearly outlined my desires in the first post. Maybe you should reread that. As the title of this thread suggests, I am not stuck on a VPN solution. Someone I know suggested an SSL connection, though I am not sure what the difference is or how to implement that.

Maybe you didn't realize that others chimed in asking for a similar solution. ;) It's a discussion and it's common for that to happen. You also quoted my reply to someone else (about leaving options up to the user) and it went from there. I'm not trying to start a flame war either. I have implemented many, many VPNs and have seen the good, the bad, and the ugly. It's a matter of weighing all the options together, because

You can implement an SSL VPN just as you would an IPsec VPN. However, it would not route all traffic through your main network. The bonus side of an SSL VPN is that you don't need to install a client first. The downside is you can lose some flexibility.

At this point, just implement a VPN device and be done with it. Something like a Cisco ASA 5505 will meet all of your requirements, but you'll require a VPN device at each of your locations.
 