Linux.com

Re:Uninformed FUD

Posted by: Anonymous Coward on September 29, 2005 10:03 AM
*"I also like OpenVPN, and prefer it over IPsec for certain usages."*

Name your uses, please, on why you think IPSEC is better. (Don't tell me to read your first article either, bonehead; I want direct comparing, IE gateway-to-gateway IPSEC is better because ....)

*"I've (as network security admin) -LOL- suffered from many networks breakages
(and even intrusion, at the vtun ol'time) because of PHB coming arrogantly
with the latest ultra-cool-vpn-thingy"*


Read this guy's article before you reply; OpenVPN itself has had NO security bugs. So what, every kernel exploit should count against IPSEC? Well, I don't have enough time in the next 10 years to list those.

*"That's really not the point of the discussion. The article isn't
about those people (and when would they try to implement or set up a
corporate security policy? That's not their job). They won't manage
certificates either, nor configure OpenVPN.
A VPN solution mostly implies gateways, configured by administrators.
If workstations are concerned, enterprises need deploying facilities:
integration with the tools for centralized deployment, administration
and management."*


You've obviously not worked in any company larger than 12 people (please save your BS reply about 'working in a fortune 10 company' blah blah). Your post proves it, so let me tell you now: "YOU WILL ALWAYS HAVE TO WALK USERS THROUGH TROUBLESHOOTING", and believe me, most admins (BTW I have set up many (25+) IPSEC VPNs working for a company that specializes in them), never mind users, have issues with ALL IPSEC clients. Have you ever set up an OpenVPN client? Then you would know that 3-5 simple lines are better than 15-25 lines of complex network jargon. Listen, if you want to use IPSEC no one is stopping you, no one is stopping you from re-writing std.io either; what we are trying (unsuccessfully, it seems, but maybe we will drill past the concrete) to tell you is there is a better PROVEN (SSL is not some ultra-cool-security-thingy) solution out there. And believe me, as it gets better, throughput will exceed IPSEC. IPSEC is old-school (interesting that you forgot to mention the NAT traversal issues that to this day almost ALL ipsec implementations have) and for a time when engineers were still testing/setting up networks, but we have grown up, kid, so if you wish to stay at the kid's table that's fine, but when you're ready to sit at the adult table we'll be here to baby-step you there.

*"For instance
to have a simple yet working IPsec setup on two OpenBSD 3.8 gateways, I only
need to edit two config file lines on each (using the 'ipsecctl' tool)."*


Yet another sign of your inexperience in large networks.... OpenBSD, so what, you are planning on having all users use OpenBSD? Would love to see how OpenBSD works on a new Vaio. Change frightens weak people and you're frightened, we all see that... so with every release OpenVPN will be easier, more secure, to the point where even a monkey.... uh I mean, you can use it.

Listen, simple fact: IPSEC is too complex and too bloated with useless features to be effective. OpenVPN addresses those better than any other product out, never mind if you include cost!!!

**OH BTW before you post your ill-informed reply rant, which I will read then mutter "idiot" at the end, you may want to first convince someone else why IPSEC is SSSSOOOO good. His name is Bruce Schneier; being that you're a noob to this whole "security/vpn" thing, just know this guy knows what he is talking about. I won't go any further because I'm not a kindergarten teacher. He wrote an interesting paper evaluating IPSEC, read: http://www.schneier.com/paper-ipsec.pdf
and if you have issues reading it, I'll save you the trouble: he says IPSEC is too complex and too bloated with useless features.... sound familiar??**



 


Return to SSL VPNs and OpenVPN: A lot of lies and a shred of truth