03-15-2007
09:19 AM
- last edited on
02-21-2020
11:46 PM
by
cc_security_adm
I have an issue at my company and I need some ammunition to fight the battle between the Cisco side and the Microsoft side.
Currently our company has aprox 500 clients VPN sessions connected to our Cisco 3030 Concentrators at any given time. We are entirely a Cisco shop through and through (IPT, 6500 Cores w/ IDS blades, MARS, ect.). I have already purchased ASAs with IPS module that will be replacing our 3030 Concentrators in the next few months.
My issue is our Microsoft team has brought up that they can set up VPN and it will support Vista and is better than the Cisco solution. I realize Cisco supports Vista but I just wanted to convey what we are dealing with.
Please provide any pros or cons to the Microsoft vs. Cisco dilemma we are facing.
Thanks,
03-16-2007 06:41 AM
I would focus your research on the pro's and con's of IPSec based VPN versus PPTP. Cisco obviously using IPSec primarily in most VPN deployments, versus Microsoft almost always using PPTP. If I'm wrong, let me know.
I get into this argument pretty frequently with colleagues. Here are things that I always bring up to the MS PPTP VPN groupies:
IPSec inherently is a stronger VPN framework than PPTP - no one can argue that. The hashing and encryption algorithms (ex. SHA, 3DES, AES) and protocols surpass what Microsoft has been able to produce in regards to their 'built-in' VPN server/client system.
With Cisco's implementation of IPSec remote-access VPN, you can get very specific with what you want to allow, based off of groups and users - right down to the IP and ports desired. This is not an easy feature to setup on the Microsoft RRAS (if that's what your MS team is considering) side of the coin. The granularity of control, especially with the ASA line, is great.
I don't know what new VPN standards that MS Vista supports now, but I'm a huge fan of Cisco's remote-access VPN implementation to date.
When speaking to the MS team, I would ask:
Can you restrict remote-access VPN users to specific IP's and ports? How flexible is the MS solution, regarding IP address assignment?
What native hash and encryption methods does the MS VPN support? Are they proprietary?
Can you mass-deploy a pre-configured MS VPN connection? (comparable to a Cisco VPN client profile)
Any questions, let me know.
HTH
03-16-2007 03:48 PM
I would also question their ability to support SSL single sign-on feature as well.
Then, there is the price. Look at BOTH the capital and operating costs (maint and levels of maint) between the two solutions as well.
Then, there's performance.
What business initiative is warranting a move to Vista? Just curious....
Good luck!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide