***: mnathani has quit IRC (Ping timeout: 246 seconds)
ziyourenxiang has joined #arpnetworks
ziyourenxiang has quit IRC (Changing host)
ziyourenxiang has joined #arpnetworks
BryceBot has quit IRC (Ping timeout: 240 seconds)
BryceBot has joined #arpnetworks
mnathani_: anyone know how to deploy rsa-token for use with vpn software, small business so no real servers just a bunch of workstations
randallschwarts is missing, but thanks for the linkedin connect
***: gizmoguy has quit IRC (Ping timeout: 240 seconds)
gizmoguy has joined #arpnetworks
plett: mnathani_: Actual RSA tokens? Or would any two-factor auth work? Also what vpn software?
If both are free choices, OATH tokens like Google Authenticator have a PAM module which can be hooked up to OpenVPN on Linux
***: ziyourenxiang has quit IRC (Quit: Leaving)
mnathani_: plett: I was looking at using Cisco ASA firewall for the VPN hardware
plett: No OpenVPN then
mnathani_: nope
plett: Do you have ASAs already, or are you going to be buying hardware for it?
mnathani_: buying
5505 is what I am looking at currently
plett: Unless you have a hard requirement for ASAs specifically, I'd look at a software solution instead
chrismsnz: we use openvpn with 2fa totp on linux, works fine
cert auth with totp as password
duo have a solution too
plett: That's not to say that ASAs don't work, they're very good at what they do. But you can get a lot more bang for your buck in a much more flexible package by buying a pair of 1U servers and doing it in software. CPUs these days have hardware offloading of crypto operations, which makes it nice and fast
chrismsnz: friend of mine had a pair of openbsd boxes for vpn termination, both died hours before 10 years of uptime
hahaha
rip
plett: And I've had pairs of failover ASAs both fail at the same time :)
mercutio: even without hardware offload of crypto modern cpus are pretty good at it.
with 10 year servers it's not uncommon to turn them off then find they won't turn on again
if they haven't been power cycled recently.
Well at least that was my experience years back.
I haven't seen a computer that's been used for 10 years any time recently.
***: carvite has quit IRC (Ping timeout: 250 seconds)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
medum_ has quit IRC (Ping timeout: 250 seconds)
dj_goku_ has quit IRC (Ping timeout: 250 seconds)
toeshred has quit IRC (Ping timeout: 250 seconds)
medum has joined #arpnetworks
toeshred has joined #arpnetworks
dj_goku has quit IRC (Remote host closed the connection)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
brycec: FYI up_the_irons, mercutio - Upgraded zeit to Debian Jessie, and finally got around to setting up firewalling on it. Let me know if you have any problems with it. (It's set to allow incoming NTP connections obviously, rate-limit incoming ssh, monitoring connections from me, ping, and only allows outbound packets/connections to its upstream NTP servers, its configured DNS servers, apt-get updates and sending mail.)
mercutio: heh zeit has a lot of free ram
brycec: I have no idea why up_the_irons gave it 2GB. It could run on 256MB quite easily.
It's currently using 108MB (not counting cache etc)
***: rendrag_ has quit IRC (Ping timeout: 240 seconds)
mercutio: how is debian apt-get with 256mb ram?
ubuntu with 256mb is pushing it these days