I wouldn’t choose a MS VPN product unless A) you’re a 100% Microsoft shop, and B) your admin is also managing servers and AD.
WireGuard doesn't have a control plane though, and is building P2P between all endpoints, so it's going to be difficult to achieve the scale without building all that yourself, no?
Yes, you can load balance them (in place of the physical hardware clustering feature). Just have to use the 2-tuple method so DTLS can work.
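An added illustration (not from the thread, and not any vendor's actual load-balancer algorithm) of why the 2-tuple point matters: hashing on (client IP, VIP) keeps a client's TLS control channel (TCP/443) and DTLS data channel (UDP/443) on the same backend, while a 5-tuple hash can send them to different nodes because the protocol and source port differ. Backend names, addresses and the SHA-256 toy hash are all constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed illustration, not any vendor's algorithm: a 2-tuple (client IP,
# VIP) hash keeps a VPN client's TLS control channel (TCP/443) and its DTLS
# data channel (UDP/443) on the same backend; a 5-tuple hash can split them,
# because the two flows differ in protocol and source port.

BACKENDS = ["vpn-node-1", "vpn-node-2", "vpn-node-3", "vpn-node-4"]

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

def _pick(key: str, backends: list[str]) -> str:
    # Deterministic hash-to-backend; SHA-256 is used only as a stable toy hash.
    digest = hashlib.sha256(key.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]

def pick_2tuple(flow: Flow, backends: list[str] = BACKENDS) -> str:
    return _pick(f"{flow.src_ip}|{flow.dst_ip}", backends)

def pick_5tuple(flow: Flow, backends: list[str] = BACKENDS) -> str:
    key = f"{flow.src_ip}|{flow.src_port}|{flow.dst_ip}|{flow.dst_port}|{flow.proto}"
    return _pick(key, backends)

def client_flows(src_ip: str, tls_port: int, dtls_port: int,
                 vip: str = "203.0.113.10") -> list[Flow]:
    # One VPN session: TLS over TCP/443 plus DTLS over UDP/443 (constructed).
    return [Flow(src_ip, tls_port, vip, 443, "tcp"),
            Flow(src_ip, dtls_port, vip, 443, "udp")]

def session_is_consistent(flows: list[Flow], picker, backends=BACKENDS) -> bool:
    # True when every flow of the session lands on the same backend.
    return len({picker(f, backends) for f in flows}) == 1

def count_split_clients(n_clients: int, picker, backends=BACKENDS) -> int:
    # Simulate n clients with distinct IPs and ephemeral ports; count sessions
    # whose TLS and DTLS flows were sent to different backends.
    split = 0
    for i in range(n_clients):
        flows = client_flows(f"10.{i // 256}.{i % 256}.5", 40000 + i, 50000 + i)
        if not session_is_consistent(flows, picker, backends):
            split += 1
    return split
```

With 200 simulated clients the 2-tuple picker splits none of them, while the 5-tuple picker splits roughly three quarters, which is the behaviour that breaks DTLS behind a naive load balancer.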
I would recommend nobody use the native Azure VPN.
Thank you for your reply.
Interested in this line. We were considering doing exactly this for a service coming up soon?
100%. It’s part of an ecosystem. You need good edge firewalls anyway, since you have on-prem workers and servers that need to call out.
I personally don't like Palo's options, but that's definitely an admin preference thing.
Zscaler has a ton of issues, but once converted to using a full ZIA/ZPA suite, you get a whole lot of architectural freedom.
That being said, my company is probably one of Zscaler's largest clients, so we may get some preferential treatment, and when you have a network as big as ours, one-size-fits-all plans rarely do.
Palo also has a ZTNA connector that doesn’t drop users on to the network.
So - what is ZTNA then? Why does Prisma Access not count?
One of my customers uses them and just put out a press release on their relationship in the past week. The customer loves the product. But the financial situation is not good…
They may be worth acquiring but until they are, there is an unknown risk. Leaving/laid off employees have commented on review sites that they don’t have the resources left to patch security holes. That may be a jaded employee, but it’s a bad sign for a security solution. I’m not investing in their over-the-counter stock or their product even though it may have been solid. The 10-Ks are public on their site so you can read all of their caveats on being able to continue to operate.
May I ask what boxes you have? 15k users is a lot and I think the PA-3k series has a max of 1500 users per box, or am I wrong? It has been suggested to me to use a pair of smaller boxes or VMs for the GP portal and a more or less dynamic number of VMs for the gateways.
We would probably not need the licensing just as you say, thanks!
Yep, and SoftEther IMHO is more a research project than a practical VPN for non-tech-savvy users. It's like someone decided to bake every possible VPN proto into a single package. I can't trust that vs something like OpenVPN AS which is constantly audited and well established, or a WG-based solution where there is a small code footprint and which has been admitted to the Linux kernel.
Erm, I never said anything against your point. I’ve used RHEL, CentOS, RHV, oVirt and many other equivalents. I will concede that for some C-Levels paying for it makes them believe that they will get free money back if there’s a bug, but even with paid contracts there’s an indemnity clause most of the time, so the point is moot unless you pay even more for a watertight “vendor pays for any and all failures” contract.
E.g. for RHEL, you're paying to get a certain level of support, depending on how much you shell out, but they are not guaranteeing the product to be completely free from bugs. Neither RH nor MS, Oracle or Amazon would ever sign a contract that guarantees software 100% certain to be free from bugs, as beyond a certain scope it cannot be scientifically proven.
You're preaching to the converted here - if I see a successful product with an OSS version and a vibrant developer community, it's already more interesting than some unknown corp peddling "Military grade encryption", "AI detection" and the like. Have you ever had a sales pitch from Darktrace? Total bullshit for 2 hours - you ask the simple question "How does it avoid false positives without training on your network for a while?" and the sales guys can only say "It's AI! It's magic!".
An OSS project with a community version and a supported version is always fantastic - best of both worlds, but you still have to evaluate the potential longevity of the company offering the support for that system, just as you would for a proprietary solution, should you require it. If you use the community version, how active is their GitHub, mailing list etc. It’s the same kind of risk assessment.
Nothing is going to help you when any solution shits the bed and takes your prod systems down, paid, OSS/closed etc. Your COO/CFO/CEO will all be screaming at your back regardless. At least if you have some source you might have a shot at finding the bug yourself (e.g. in a debugger, or source bisection etc).
I've never seen a support contract that would allow you to sue the software supplier for damages in the event of a failure. There's always something that exempts the supplier from "consequential losses arising from the use of this software", even MS have that!
L2TP document from MS 2021:
“Data Encryption Standard (3DES) provides confidentiality. 3DES is the most secure of the DES combinations
Secure Hash Algorithm 1 (SHA1), with a 160-bit key, provides data integrity. [Well, sort of…]
Diffie-Hellman … Group 2 (medium) is stronger than Group 1 (low).”
Sure, it says “Default encryption settings for the Microsoft L2TP/IPSec VPN Client” but what can it do if configured properly if DH2 is the “stronger” (LOL!!!) variant?
I found something about macOS supporting this for L2TP as the max level:
Encryption: AES-256, Hashing: SHA-256, DH Group 14
I can live with SHA256 but not with DH14 for key exchange.
I did build that all myself. I don’t need P2P between VPN clients.
It's really picky about how it's built. You'll want to set up BGP for sharing routes the way they want it, and I've had a very annoying time in the past getting it set up 1:1 to a Cisco ASA. Even then it tended to lock up and need to be reset on occasion. Building it to a virtual firewall of the same vendor alleviates pretty much all of the strain. Native is doable, it's not completely terrible, but I will never willingly do it again.
It's not 'pure' ZTNA. It's a VPN that brings users to a cloud-based FW. ZTNA done properly requires the 'PEP' (Policy Enforcement Point) to be done on the endpoint (i.e., microsegmentation, least privilege, posture checks, etc). Ideally, you should also be making outbound connections from source and destination, which, again, Prisma Access does not do.
This is why you should buy solutions built on open source so that you can transition it if they fail.
GP comes as a subscription you'll need if you want mac/linux users or host information; other than that it's "free" on the box. Consider the type of traffic your VPN users generate though; is it mainly backhauling to your DCs or also to protect their internet breakout?
If it's also to protect their internet breakout, consider Prisma Access so the internet connection takes a nearby hub/location for your users and doesn't put double strain on your WAN links. Having all licensed features "included" in that license is a nice to have as well - the full license bundles can be a tad expensive on the 5200/5400 series.
52xx or 54xx are appropriate for larger numbers of GP users. You would want to buy the GP subscription for better features but it’s priced per box, not per user.
I don't know why you are being downvoted. Your responses are reasonable and I believe correct. Upvote from me.
If you have an outage you can get a conference call going with the vendor and the engineers who directly make the product vs what? Posting on a forum. Sorry, it's not about an executive getting off on it. It's about providing the best possible scenario to get a service impacting incident resolved. You can be the smartest person in the room but you're not the one who can fix a hardware problem, patch a firmware bug etc of another vendor's product.
I have worked in big corporate, big finance, big data center. No asset in production goes without an escalation list and a support contract. Every vendor has a contractual obligation to provide an escalation list from front desk to top executive. I have woken up many executives from (name the biggest vendors out there).
I got a call one day in my underwear to a no-phones situation at a global financial institution: literally thousands of employees have no phones. Took a look, didn't understand it, 10 minutes later have the phone vendor and Red Hat on the line helping, and about half an hour later the vendor does some magic and Red Hat logged a bug. Countless stories like that.
If you want to support a thousand VPN users and reduce liability for your users, company, customers etc then get your agreements in place, because chances are if you have a thousand users and plan on expansion the trivial price tag of such an agreement will save you money once SHTF.