automated site to site vpn recommendations

Wed Jun 29 22:33:10 UTC 2016

My biggest issue with Meraki is the fundamentally flawed business model,
biased in favor of vendor lock in and endlessly recurring payments to the
equipment vendor rather than the ISP or enterprise end user.

You should not have to pay a yearly subscription fee to keep your in-house
802.11(abgn/ac) wifi access points operating. The very idea that the
equipment you purchased which worked flawlessly on day one will stop
working not because it's broken, or obsolete, but because your
*subscription* expired...

If you want wifi with a centralized controller there's lots of ways to do
it at either L2 (Unifi APs and Unifi controller reachable on the same LAN
segment as the Unifis, or with its own management vlan), or with Unifi APs
programmed to find a controller by hostname/IP address (L3).

On Wed, Jun 29, 2016 at 5:55 AM, Paul Nash <paul at nashnetworks.ca> wrote:

> My biggest issue with Meraki is that their tech staff can run tcpdump on
> the wired or wireless interface of your Meraki box without having to leave
> their desk.  I have no reason to believe that they are malicious, or in the
> pay of the NSA, but I am too paranoid to allow their equipment anywhere
> near me.
>
> Yes, they work well and the cloud control panel makes remote support a
> breeze; you have to decide how you feel about the insecurity.
>
>         paul
>
> > On Jun 27, 2016, at 6:28 PM, Dan Stralka <mrsyeltzin at gmail.com> wrote:
> >
> > I would second Meraki for the situation you describe. I don't feel that
> > they are the most capable platform, they're expensive, and don't always
> > present you with all the information you'd need for troubleshooting.
> > However, the VPN offers great dynamic tunneling, instant-on performance,
> > and are by far the simplest platform to offer a field person.  They're
> also
> > tenacious - I've had them connect to the cloud management platform and
> > build a VPN under some trying circumstances.
> >
> > From a security standpoint, they will offer features that will impress
> for
> > the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
> > tunnel control), and we've found they punch above their weight and their
> > APs perform fantastically.
> >
> > We deploy them worldwide many times per year in similar use cases,
> > sometimes with 150 users on the LAN. If your routing is simple, you can
> > define your security policies, and don't need crazy throughput on your
> VPN,
> > Meraki is the way to go.  Be careful though: they have to be continually
> > licensed to work and can get pretty expensive if you go for the higher
> end
> > gear.  Thus far, we've been able to stick to the cheaper stuff and
> > accomplish our goals.
> >
> > Dan
> >
> > (end)
> > On Jun 27, 2016 6:01 PM, "Karl Auer" <kauer at biplane.com.au> wrote:
> >
> >> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> >>> In some cases...
> >>
> >> The words "in some cases" are a problem with any supposedly plug and
> >> play solution.
> >>
> >>> We really could use a simple solution that you
> >>> just flip on, it calls home, and works...
> >>
> >> ...but still requiring someone to enter credentials of some sort,
> >> right? Otherwise you have a device wandering about that provides look
> >> -mum-no-hands access to your corporate network.
> >>
> >> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> >> for a wireless dongle or storage, and has a highly-scriptable operating
> >> system. Not a bad platform.
> >>
> >> Regards, K.
> >>
> >> --
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Karl Auer (kauer at biplane.com.au)
> >> http://www.biplane.com.au/kauer
> >> http://twitter.com/kauer389
> >>
> >> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> >> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
> >>
> >>
> >>
> >>
>
>