I was driving home tonight and saw a tweet from Ethan Banks (@ecbanks) that stated, “After all these years of IPSEC (a standard, after all), bringing up a tunnel between disparate vendors is one of the hardest tasks I do." When I see these kinds of statements and have these thoughts myself, I think, there is clear problem, do others have the same problem, is this a problem looking for a solution, and can be there be a better way? In this particular case, it’s definitely a problem, but can there be a better way? Can we view this as an example where the network and security industry has been okay with mediocrity? Maybe.
Why just maybe?
Simply put – because each vendor has VPN wizards and GUIs to try and simplify the process of creating site to site VPN tunnels. Vendors listened and wizards were created. I often hear good things about these wizards, but they fall short for working across multi-vendor deployments.
Where can we improve?
As Ethan said, “between disparate vendors” specifically. But, every vendor is using IPSec, so what’s the complication? We know implementations vary, nerd knobs need to be turned, and this doesn’t always go as planned. I often hear negative remarks from the delivery team or customers about this. Consulting dollars usually go up when it’s a multi-vendor IPSec deployment so the recommendation is usually, let’s keep it simple and try and have the same platform on each site of the tunnel. Unfortunately, we live in the real world and that’s always not the case.
How can we improve?
Wait for it….can SDN, programmability, open source, or just some good collaboration be the answer?
Not feeling this just yet, what if the MSSP or general web site had a portal where you entered the data of each device type, you clicked submit, and the output were the commands or steps needed to configure the VPNs on each side? Who would create such a site? There is enough brain power on the interwebs that shouldn’t actually be too hard – it could even be wiki-like.
Think different. Start taking note of your problems and wish lists. If you don’t publicize these problems or wish lists, nothing will change. At the very least, send your problems to me! Write in and let me know what else drives you crazy. Is it configuring certain features or is it checking certain ‘show’ commands repeatedly? Let me know!
Thanks,
Jason
Twitter: @jedelman8
Simply put – because each vendor has VPN wizards and GUIs to try and simplify the process of creating site to site VPN tunnels. Vendors listened and wizards were created. I often hear good things about these wizards, but they fall short for working across multi-vendor deployments.
Where can we improve?
As Ethan said, “between disparate vendors” specifically. But, every vendor is using IPSec, so what’s the complication? We know implementations vary, nerd knobs need to be turned, and this doesn’t always go as planned. I often hear negative remarks from the delivery team or customers about this. Consulting dollars usually go up when it’s a multi-vendor IPSec deployment so the recommendation is usually, let’s keep it simple and try and have the same platform on each site of the tunnel. Unfortunately, we live in the real world and that’s always not the case.
How can we improve?
Wait for it….can SDN, programmability, open source, or just some good collaboration be the answer?
- What if a controller brokered the setup of these tunnels and the controller was aware of the nuances of particular IPsec setups to dynamically provision the nerd knobs or “gotchas?”
- What if this controller was a hosted out of band service that existed somewhere on the Internet of Everything (#IOE)?
- What if all you had to do is give the controller/hosting provider your public IP and access to your VPN device to be allowed to create the tunnel? Each party would do this and in minutes the tunnel would be setup.
- Can this be a service that Managed Security Service Providers (MSSP) can offer?
Not feeling this just yet, what if the MSSP or general web site had a portal where you entered the data of each device type, you clicked submit, and the output were the commands or steps needed to configure the VPNs on each side? Who would create such a site? There is enough brain power on the interwebs that shouldn’t actually be too hard – it could even be wiki-like.
Think different. Start taking note of your problems and wish lists. If you don’t publicize these problems or wish lists, nothing will change. At the very least, send your problems to me! Write in and let me know what else drives you crazy. Is it configuring certain features or is it checking certain ‘show’ commands repeatedly? Let me know!
Thanks,
Jason
Twitter: @jedelman8
RSS Feed
