[KLUG Members] Letter to the Editor: "Safe Passage; Infrastructure VPNs"

Bryan-TheBS-Smith members@kalamazoolinux.org
Thu, 30 Aug 2001 08:39:14 -0400


Since my local JAXLUG list isn't archiving right now, I'm going to
post this here as well.

-------- Original Message --------
From: Bryan-TheBS-Smith <b.j.smith@ieee.org>
Subject: Letter to the Editor:  "Safe Passage; Infrastructure VPNs"
Resent-From: jaxlug-list@jaxlug.org
To: pcmag@ziffdavis.com
CC: jaxlug-list@jaxlug.org

Dear Editors --

When it comes to PCMagazine, I approach its articles from a "hands
off" technical standpoint.  Even though I am primarily a UNIX system
administrator and software developer these days, I started using
Windows NT before it was released.  As such, I do find at least one
review very useful in each publication.  But I largely use your
magazine as a point of reference to gauge where home and professional
users of Windows are coming from.  And every now and then you even
surprise me with a mention of Linux or some other, non-Microsoft
product.

When I saw this month's review regarding hardware and software
virtual private networking (VPN) solutions for enterprises, I
thought I had found my article.  Such an article, with four-plus
(4+) figure solutions would surely be geared towards the IT
professional or decision maker.  The whole concept of a VPN usually
introduces some technical specifics that most regular users would
not be interested in.  So I turned to page 115 with much
anticipation.

But what I got was a review of six (6) hardware solutions and
Microsoft Windows 2000 Advanced Server as the sole software
solution.  And on performance you concluded you were "impressed
with the software's performance" without realizing you are comparing
the x86's high-MHz, multi-pipelined performance in the Windows box
to that of a single pipeline, low-MHz StrongARM chip in most of the
blackbox solutions.

Okay, maybe I was hoping for too much.  It would have been different
if you would have reviewed the six (6) hardware solutions and then
compared to your Windows server solution in a sidebar.  But no, the
subtitle of the article said "tested seven and software VPN
products" and the first statement under the Windows 2000 section
opened with "If your CEO balks at the cost of a dedicated VPN
appliance."  So I feel it is necessary to point out some basic
software-based VPNing solutions that you should have at least put in
a sidebar.

First off, many of these "black box" solutions sport software
licensed from Checkpoint Software.  This software is also available
in retail form for a variety of end-user platforms.  Even if you
figure in the cost of the operating system, by using Linux or a BSD
UNIX flavor (which is what most of these "black box" solutions are
based on), the solution will still be far less than the Windows 2000
solution.  And that's just cost; we are not even talking about
security, where Microsoft still uses one of the least secure
encrypted tunnel approaches and Checkpoint's latest offerings
include stateful packet inspection capabilities.

Secondly, always keep this in mind:  The Linux (and BSD) kernel has
always sported the most featured network stack and the most advanced
routing capabilities out-of-the-box with no per-user licensing
costs.  There is literally a plethora of VPNing solutions available
for Linux, in various forms, for various requirements.  From
Microsoft PPTP/MPPE and even Win2K L2TP compatible to kernel and
user-based IPSec and open standard services, there is little that
cannot be found.  Plus the latest Linux 2.4 kernel's Netfilter
approach to stateful packet filtering rivals even Checkpoint's most
costly and premier solutions.  And from a performance standpoint,
Linux and BSD are also the only software solutions that seem to
offer the Blowfish (as well as the newer Twofish and AES) ciphers,
which are much more efficient than DES while being, arguably, more
secure than RC4/RC5 (side note: I did notice Nokia's solutions do
offer Blowfish, which might explain the performance lead they had).

Lastly if Linux seems "too difficult to chew raw," just check out
the Linux-based SmoothWall project (http://www.smoothwall.org).  The
latest version 0.9.9 now in beta (side note:  I do understand this
was probably too recent of a development to have made your review in
time) sports both Microsoft PPTP-compatible and Blowfish-based VPN
solutions.  All web-based configuration (and even installation!)
with no Linux understanding required -- although it won't prevent
experienced Linux gurus from tweaking the kernel's firewalling
settings manually.  It also includes web proxy services using the
award winning Squid cache proxy which still bests any software
Microsoft can offer.  You'll excuse me for not providing a URL that
can back this last point up since many reviews that did are no
longer available on-line.

So I conclude with a sincere wish that in the future, when you
review advanced networking software like VPNs geared at the
professional user, you consider non-Microsoft solutions as well. 
Not because you need to be providing information on non-Microsoft
solutions, but because there are a number of superior,
Windows-interoperable and not-so-difficult to configure solutions
available at a lower or no cost.  I further hope that even if you do
not post this letter, you do mention the SmoothWall project in a
future sidebar, article or other news item.  There are a number of
non-Linux users who have found it perfect in their home, office or
even enterprise.

Thank you for your time ...

     Bryan "TheBS" Smith
     SmithConcepts, Inc.

-- 
Bryan "TheBS" Smith    mailto:b.j.smith@ieee.org    chat:thebs413
Engineer   AbsoluteValue Systems, Inc.  http://www.linux-wlan.org
President    SmithConcepts, Inc.     http://www.SmithConcepts.com
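
The letter above contrasts plain packet filtering with the "stateful packet inspection" of Check Point and of the Linux 2.4 Netfilter connection tracker. The following toy model is an added example for this archive page, not code from the letter, from Netfilter or from any product it names: it runs a constructed five-packet trace through a port-based stateless ACL and through a minimal connection-tracking filter in front of a VPN gateway. The gateway address, the LAN prefix, the VPN ports (1723/tcp for PPTP, 500/udp plus ESP and GRE for IPsec/PPTP tunnels) and every address in the trace are made-up assumptions chosen from documentation ranges.

```python
"""Toy stateful vs. stateless packet filter for a VPN gateway.

Constructed example (not from the letter or any named product).  The
addresses, ports and packet trace are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LAN = "192.168.1."        # assumed inside network prefix
GATEWAY = "203.0.113.1"   # assumed public address of the VPN gateway

# Tunnel services the gateway itself terminates (assumed set):
# PPTP control channel, GRE carrier, IKE and ESP for IPsec.
GATEWAY_SERVICES = {("tcp", 1723), ("gre", 0), ("udp", 500), ("esp", 0)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    """Key of the flow this packet would be a reply to."""
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def gateway_service(p: Packet) -> bool:
    """True if the packet is addressed to a VPN service on the gateway."""
    if p.dst != GATEWAY:
        return False
    port = p.dport if p.proto in ("tcp", "udp") else 0
    return (p.proto, port) in GATEWAY_SERVICES


class StatelessFilter:
    """Port-based ACL.  To let replies back in it must leave every
    unprivileged port on the LAN reachable from outside."""

    def decide(self, p: Packet) -> str:
        if p.src.startswith(LAN):
            return "ACCEPT"                     # anything outbound
        if gateway_service(p):
            return "ACCEPT"                     # VPN clients reaching the gateway
        if p.dst.startswith(LAN) and p.proto in ("tcp", "udp") and p.dport >= 1024:
            return "ACCEPT"                     # the hole needed for return traffic
        return "DROP"


class StatefulFilter:
    """Connection tracker: inbound packets are accepted only when they
    answer a flow the inside (or a permitted VPN client) opened."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, str] = {}

    def decide(self, p: Packet) -> str:
        rk = reverse_key(p)
        if rk in self.table:
            self.table[rk] = "ESTABLISHED"      # reply to a tracked flow
            return "ACCEPT"
        fk = flow_key(p)
        if fk in self.table:
            return "ACCEPT"                     # further packets of a tracked flow
        if p.src.startswith(LAN) or gateway_service(p):
            self.table[fk] = "NEW"              # create state for permitted openers
            return "ACCEPT"
        return "DROP"                           # unsolicited inbound, no matching state


# Constructed trace: outbound web request and its reply, an unsolicited
# probe at a LAN high port, a PPTP client reaching the gateway, an SSH probe.
TRACE: List[Packet] = [
    Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80),
    Packet("tcp", "198.51.100.5", 80, "192.168.1.10", 40000),
    Packet("tcp", "198.51.100.99", 6666, "192.168.1.10", 40001),
    Packet("tcp", "198.51.100.7", 4500, GATEWAY, 1723),
    Packet("tcp", "198.51.100.99", 1234, GATEWAY, 22),
]


def compare(trace: List[Packet]) -> List[Tuple[str, str]]:
    """Run the trace through fresh instances of both filters and return
    (stateless_verdict, stateful_verdict) per packet."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return [(stateless.decide(p), stateful.decide(p)) for p in trace]


if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, compare(TRACE)):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a} stateful={b}")
```

Packet three is the point of the exercise: the stateless ACL has to accept it, because from a single packet it cannot tell an unsolicited probe at port 40001 from a legitimate reply, whereas the tracker drops it because no inside host ever opened that flow. Real Netfilter connection tracking additionally checks TCP flags and sequence windows and expires entries; this model only keeps the five-tuple.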