
Q: Isn't there a security risk in using Microsoft PPTP (or
MS-CHAP)?
A: The Celestix VPN Appliance also supports L2TP/IPSec, so you don't
have to implement a PPTP-based VPN. Just to clarify though, PPTP
is different from MS-CHAP. Microsoft has since released MS-CHAPv2,
which addresses many of the original problems.
Q: How are software updates handled?
A: The web interface that is pre-installed on the VPN Appliance
has a section called Maintenance. Under the Maintenance area is
a link for Software Updates. From there, you just select a file
to upload and install. Installed updates can also be uninstalled
if need be.
Q: I can just set up a Windows Server 2003 VPN myself.
A: While the core routing technology is essentially the same, Celestix
provides a slew of essential features. The Web UI, reporting, alerting,
monitoring, client automation, and remote access policy interface can
only be found in the Celestix RAS appliance. In addition, the appliance
is pre-configured to be system-hardened and optimized for remote
access VPN usage. Licensing is taken care of as well; the RAS appliance
runs on Windows Server 2003 and includes Client Access Licenses
(CALs) for 1,000 concurrent users.
Q: Hardware clients are more secure than software clients.
They are also easier to control and distribute.
A: Hardware clients are much more complex than their software-based
counterparts. IT administrators usually must be able to access the
client (via telnet) to change preshared keys. This creates management
headaches and introduces potential security breaches. In addition,
hardware clients are price-prohibitive for large-scale deployments,
don't allow for mobility, and do not authenticate at the user level,
which complicates auditing.
Q: The Celestix RAS Appliance solution does
not include a Personal Firewall or Anti-Virus product with the client.
How can I ensure that I won't get viruses, etc. through the exposed
tunnel?
A: Rather than mandate a particular personal firewall or anti-virus
application for use with our product, we decided that each organization
should decide its requirements. Some organizations may choose not
to require personal firewall software, for instance. In addition,
the inclusion of these products makes the VPN client much larger
and more difficult. The Celestix RAS Appliance provides a powerful
mechanism to quarantine connections until a number of client machine
attributes (OS, version of AV signature file, etc.) are checked for
compliance before allowing access to the enterprise network.
Q: I have a user who uses Linux, how can I accommodate
them?
A: There is a free Linux PPTP client available from MIT.
Q: What about client support for the Apple Macintosh
platform?
A: OS X has a built-in PPTP VPN client that is interoperable
with the Celestix RAS Appliance. Older Mac users can purchase PPTP
VPN clients from third-party vendors (such as Efficient Networks,
Gracion, or Raxas).
Q: Doesn't an SSL gateway do what your VPN Server does?
A: SSL gateways are essentially feature-rich proxies; the Celestix
RAS Appliance facilitates true network functionality. SSL gateways
don't allow for mapped drives, have limited application integration,
and suffer from a general lack of network interoperability. Celestix
also offers client ubiquity, so that argument is moot.
Q: SSL proxies have remote access policies which allow me
to control access in a granular fashion, even on a per-user basis.
A: The Celestix RAS3000 also includes remote access policy
support. And because VPNs are not limited to just web traffic, you
can restrict users to certain applications (ports). For instance,
if an extranet partner needs access to a web application on a certain
internal server, you can create a policy to do this. Similarly,
you can limit the use of Windows Terminal Services to only IT staff.
Q: This other product also includes a firewall. Why would
I buy just a VPN if I can get a firewall and VPN for the same price?
A: There are many reasons to separate VPN and firewall functionality.
These include:
- Remote Access VPN is mission critical, i.e. firewall changes should
not cause downtime for remote users
- Increased reliability and scalability
- The hardware requirements for firewall and VPN are different,
for example a firewall may require SSL acceleration, whereas a VPN
device may require IPSec acceleration
- Unique management, maintenance and reporting requirements
- By keeping the firewall and VPN functions separate, the Celestix
RAS Appliance can easily be put to use for other purposes (e.g.
protecting wireless networks)
Q: What if I buy a Celestix RAS Appliance and I'm not happy
with it or it doesn't work properly?
A: Celestix resellers offer a free 30-day trial with their appliances.
Within 30 days you can return the appliance to your reseller and
receive a full refund, no questions asked.
Q: The Celestix RAS Appliance has moving parts (hard drive).
For an appliance, I want solid state components, which make it
more reliable.
A: First, you cannot achieve the in-depth level of auditing
that the Celestix RAS Appliance offers with flash memory or another
solid-state equivalent. Secondly, the Mean Time Before Failure (MTBF)
for our hard drives exceeds the life expectancy of the appliance.
This is a mostly hypothetical problem as we don't see this as an
issue in the field.
Q: What happens if the hard drive crashes?
A: Celestix will replace your server immediately. Reporting
data is backed up at regular intervals, so that information will
be imported over to the new appliance.
Q: What is the throughput of the Celestix VPN Server?
A: The throughput for the Celestix VPN appliance has been
measured to be in excess of 100 Mbps. 99% of enterprises do not
have more than a T3 (45 Mbps) connection to the Internet, so any
limitations can normally be attributed to the available bandwidth
into the enterprise.