[CentOS] regarding vpn server for 1500 clients

Sun Dec 21 08:25:12 UTC 2008
NiftyClusters T Mitchell <niftycluster at niftyegg.com>

On Sat, Dec 20, 2008 at 6:59 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> John wrote:
>>> -----Original Message-----
>>> Subject: Re: [CentOS] regarding vpn server for 1500 clients
>>>
>>> Dhaval Thakar wrote:
>>>
>>>>> If you could use a lower CPU intensive crypt like
>>>>>
>>> blowfish, it would be easier.
>>>
>>>>> Are all these trading partners in different locations or
>>>>>
>>> are there semi large
>>>
>>>>> groups in the same locations?

Since this is MONEY do not skimp on security in the design (including
audit design).

Design it so you have the ability to change encryption prompt;y
and to change out hardware and software at both ends.

In part a VPN into a machine room can establish links to a
dedicated network inside of a machine room that can have
different security.

In your design recall that a VPN extends your network out to boxes
that you have little control over in numerous locations and viruses or
other security breach way out there is now 'inside'.  i.e. It is
tempting to think
that VPN provides access to a network where you have physical control of
security via the hardware (switches and cables).

If this is an international operation verify that you do not cause yourself
legal issues with 'illegal' encryption as you cross national borders.

You clearly will be under pressure to get it 'live' which is OK
as long as you get to clean it up as needed.   Simple things
like +2048 bit keys can be reduced to 1024 if the CPU load is
is mismatched because hardware failed.   The reverse may prove
intractable should you need to turn up or change security should the site
come under targeted or random Cyber attack.

-- 
        NiftyCluster
        T o m   M i t c h e l l