In article , Mike Begin wrote:
:I am really focusing on
:selling against VPN solutions and was wondering if anyone could point me in
:the right direction where I could obtain some collateral materials.
Your private network solution has a couple of advantages that come to mind:
- larger MTU -- indeed, with the right end-to-end equipment, you might be able to support the full normal ethernet MTU. That could be quite important to some people, if their equipment does not support Path MTU Discovery and they have reasons for not lowering their per-host MTUs -- not having to fragment packets is important to some clients.
- Urrr, a different emphasis on the above: even where fragmenting packets to fit the effective VPN tunnel MTU does not lead to network problems, fragmenting over a VPN can be inefficient.
- Lower-end VPN devices often don't support Layer 2 tunnelling: your private-vlan solution should, allowing extended networks with a shared IP space. IPSec -requires- that network-extension mode be used only point to point: in a configuration in which you are accessing a "security gateway", you have to use the full proxy configuration.
- Your private-vlan solution should be able to handle non-IP traffic. L2TP should be able to do this too, but you have to look carefully to determine whether given VPN equipment will act as an L2TP client and server. For example, the PIX firewalls are fundamentally IP devices; carrying non-IP traffic such as IPX or AppleTalk or custom frames requires encapsulation before hitting the PIX.
And of course there are a couple of substantial advantages for management purposes:
- Your company takes care of all of the implementation details, so that your customers can concentrate on their core expertise. Particularly if you have multiple sites involved, setting up a VPN is not trivial... not if there is real security involved.
- Going private VPN instead of internet VPN means your clients do not need to put up a firewall for that connection (except to protect against internal traffic, which can be a serious concern) -- and, correspondingly, do not need to monitor the firewall logs and figure out what to -do- with the tens of megabytes a day of people hammering on their firewall.
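As an added example that is not part of the original post (and not code from any product mentioned in the thread), here is a small Python script that puts numbers on the MTU and fragmentation point made above. The cipher block size, IV length and ICV length are assumptions chosen to model ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96; the 1500-byte sample packet and the link MTU are constructed inputs. It computes the bytes an inner packet costs on the wire after encapsulation, the largest inner packet that still avoids fragmentation, and the IPv4 fragments a full-size packet turns into.

```python
"""Added example: IPsec ESP tunnel-mode overhead and IPv4 fragmentation.

Assumed framing (not from the original post):
  outer IPv4 header (20) [+ UDP header (8) if NAT-T encapsulation]
  ESP header (8: SPI + sequence number)
  IV (16 for AES-CBC, assumed)
  inner IP packet + padding up to the cipher block size
  ESP trailer (2: pad length + next header)
  ICV (12 for HMAC-SHA1-96, assumed)
"""

ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
NAT_T_UDP = 8       # UDP header added by NAT traversal encapsulation
FRAG_UNIT = 8       # IPv4 fragment offsets are counted in 8-byte units


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12,
                    outer_hdr=20, natt=False):
    """Bytes on the wire for one inner IP packet of inner_len bytes after
    ESP tunnel-mode encapsulation, before any fragmentation."""
    # Round (inner packet + trailer) up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return (outer_hdr + (NAT_T_UDP if natt else 0) + ESP_HEADER
            + iv_len + padded + icv_len)


def effective_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that fits link_mtu without fragmenting.
    This is the value to use for a per-host MTU or MSS clamp."""
    for inner_len in range(link_mtu, 0, -1):
        if esp_tunnel_size(inner_len, **kw) <= link_mtu:
            return inner_len
    return 0


def fragment_sizes(packet_len, link_mtu=1500, outer_hdr=20):
    """Total length of each IPv4 fragment when packet_len exceeds link_mtu.
    Every fragment but the last carries a payload that is a multiple of 8."""
    if packet_len <= link_mtu:
        return [packet_len]
    per_frag = (link_mtu - outer_hdr) // FRAG_UNIT * FRAG_UNIT
    payload = packet_len - outer_hdr
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(outer_hdr + chunk)
        payload -= chunk
    return sizes


def wire_efficiency(inner_len, link_mtu=1500, **kw):
    """Fraction of bytes on the wire that belong to the original inner packet."""
    outer_hdr = kw.get("outer_hdr", 20)
    frags = fragment_sizes(esp_tunnel_size(inner_len, **kw), link_mtu, outer_hdr)
    return inner_len / sum(frags)


if __name__ == "__main__":
    inner = 1500  # constructed: a full-size Ethernet-sized inner packet
    wire = esp_tunnel_size(inner)
    print("inner %d -> %d bytes after ESP tunnel encapsulation" % (inner, wire))
    print("fragments on a 1500-byte link:", fragment_sizes(wire))
    print("wire efficiency: %.3f" % wire_efficiency(inner))
    print("largest inner packet without fragmentation:", effective_inner_mtu())
    print("same with NAT-T UDP encapsulation:", effective_inner_mtu(natt=True))
```

With these assumed parameters a 1500-byte inner packet becomes 1560 bytes and is carried as one 1500-byte and one 80-byte fragment, so every full-size packet costs two packets and a reassembly step at the far end; keeping the inner side at 1438 bytes (1422 with NAT-T) avoids that, which is exactly the per-host MTU adjustment the post says some customers cannot or will not make.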