[TriLUG] OT: policy based VPNs on LAN?

gregbrown at mindspring.com gregbrown at mindspring.com
Mon Mar 7 20:43:05 EST 2005


This is really more of a general routing/switch/security question than OSS - but if an OSS solution is possible that would be even better.  I'm approaching the edge of my dynamic VPN know-how so I wanted to throw this out to the wolves. :)  The scenario is this:

Security Paranoid Company would like to define access to various parts of the network based upon user roles.  SPC also would like users to be forced to use not only a username/password but a security token for login (like a SecurID token).

The initial idea was to create groups that the network admin can create rules against.  So the HR people would only have access to HR servers, but not development or corporate security servers and so forth and so on.  The network could potentially be set up with role based servers in their own subnet if need be so the groups could be allowed to communicate only with certain subnets on the LAN.  We don't know if subnetting is a requirement or not, but we suspect that it might be.

I thought Cisco's mega-VPN beast could handle this but after reading the documentation I am no longer sure that it is possible.  This solution would initially have to scale for 100 users, and it would be nice if it could scale to an enterprise size.

The client is leaning towards a Cisco solution because the VPN client can run on MS, OS X, and I believe Linux.

Any thoughts?

Greg
