On Sat, Dec 20, 2008 at 6:59 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> John wrote:
>>> -----Original Message-----
>>> Subject: Re: [CentOS] regarding vpn server for 1500 clients
>>>
>>> Dhaval Thakar wrote:
>>>
>>>>> If you could use a lower CPU intensive crypt like
>>>>> blowfish, it would be easier.
>>>
>>>>> Are all these trading partners in different locations or
>>>>> are there semi large groups in the same locations?

Since this is MONEY, do not skimp on security in the design (including audit design). Design it so you have the ability to change encryption promptly and to change out hardware and software at both ends.

In part, a VPN into a machine room can establish links to a dedicated network inside of a machine room that can have different security.

In your design, recall that a VPN extends your network out to boxes that you have little control over in numerous locations, and viruses or other security breaches way out there are now 'inside'. I.e., it is tempting to think that a VPN provides access to a network where you have physical control of security via the hardware (switches and cables).

If this is an international operation, verify that you do not cause yourself legal issues with 'illegal' encryption as you cross national borders.

You clearly will be under pressure to get it 'live', which is OK as long as you get to clean it up as needed. Simple things like 2048+ bit keys can be reduced to 1024 if the CPU load is mismatched because hardware failed. The reverse may prove intractable should you need to turn up or change security should the site come under targeted or random cyber attack.

-- 
NiftyCluster
T o m   M i t c h e l l