back to article Cisco rations VPNs for staff as strain of 100,000+ home workers hits its network

Cisco was surprised by how quickly it needed to adopt a global working-from-home policy, amid the coronavirus pandemic, and is now rationing VPN use to safeguard its security. Speaking at the Cisco Live virtual event for the Asia Pacific and Japan region today, vice president of Cisco Customer & Seller Bailey Szeto said Cisco …

  1. Chris Hills

    Follow the moon

    Sounds like an opportunity for a new product, anycasted vpn endpoints.

    1. MatthewSt Bronze badge

      Re: Follow the moon

      Or use systems that don't need VPNs - https://twitter.com/clemensv/status/1245601835282354176

      We have some VPN access set up for a couple of systems, but these are using ZeroTier (and would work fine with WireGuard)

  2. big_D Silver badge
    Coat

    Licenses...

    Cisco can't afford all of those Cisco VPN CALs for all its employees.

    Mine's the one with the OpenVPN USB-stick in the pocket.

    1. s2bu

      Re: Licenses...

      I’m torn on your comment.

      I love the Cisco knock. But OpenVPN is so slow these days. Standard IPSec using IKEv2 or WireGuard are so much faster.

      1. big_D Silver badge

        Re: Licenses...

        I know, I thought of WireGuard, but OpenVPN gives the "free" in the name, WireGuard would probably still have raised too many "huh?"s

  3. Anonymous Coward
    Anonymous Coward

    Split Tunnelling

    “Split tunnelling” has also come in handy, we're told. This technique sees traffic that absolutely needs a VPN to reach internal resources take that route, while other traffic travels over the public internet to public-facing servers.

    Y'know, that technique everyone deploys on almost any VPN they've ever set up... because the last thing you need is 400 remote workers streaming cat videos on all day through the company's WAN connection...

    1. DreamEater

      Re: Split Tunnelling

      You'd like to think that, but somehow I've (with no qualifications etc, but just happened to grow up at the right time and annoy my parents enough by breaking and fixing our home computers, learnt enough to know what I'm doing) become our companies IT guy in the office when our outsourced guy can't get in (or can't be bothered to deal with half of it)

      So I suggested at the very start of this all to use split tunnelling for everyone, this was immediately rebuffed and told it would be fine... we managed to the 2nd day before management got fed up of the stupid video meetings being laggy as hell, now we have split tunnelling.

      I still can't fathom why they said no, I can only imagine it's because they would need to see every laptop, which is only around 40, and just didn't fancy doing it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Split Tunnelling

        Expert : You need X else Y will explode.

        Management having no clue: It will be fine!!!

        [Explodes]

        Management : [Pikachu face.jpg]

    2. gigabitethernet

      Re: Split Tunnelling

      Also from an employee perspective I would rather not have all my personal internet traffic routed through where I work. So please use split tunnelling system administrators.

      1. Richard Laval

        Re: Split Tunnelling

        One reason given for not allowing split tunnelling is to force all traffic through the company's monitoring and security systems. From a security point of view I can see the benefit but it is a pain in the ass when you have to keep disconencting the VPN so you can access your home lab etc.

        1. Anonymous Coward
          Anonymous Coward

          Re: Split Tunnelling

          its also a pain if it prevents you from using local network resources. I cant access my printer from the VPN so end up emailing documents to a personal account I save for work then printing them from my own laptop, sat beside the work laptop. Good job I have a decent sized desk.

          Most of the corporate Security Guys I've worked with will only use split tunnelling for white-listed SAAS sites. Their view is if it's a company machine then they want to see all the traffic which could cause a security issue and retain audit capabilities of what staffers are doing with work resources.

          they are far more likely to blacklist sites than open things up more. For example several I've worked with have blacklisted shopping sites and social media sites.

    3. 9Rune5 Silver badge

      Re: Split Tunnelling

      I've been told that split tunnelling offers more safety, since... I don't know what their reasoning was, because after I realized I lost contact with my internal network at home (meaning I have to switch to another computer to diagnose local network issues) I reformatted my work laptop and installed our old OpenVPN based VPN instead.

      But other jerks in my past have also advocated disabling split tunnelling. Is there a best practices document somewhere that advocates this nonsense?

      1. katrinab Silver badge
        Thumb Up

        Re: Split Tunnelling

        Put a Virtual Machine with FreeBSD or Linux on one of your home servers

        Install OpenVPN and Nginx on it, plus any other stuff you need like ssh and sudo

        Configure OpenVPN to connect to your work network

        Configure Nginx using the stream directive to proxy the resources you need at work. In my case it is rdp and samba

        When you want to access a work resource, connect to your VM. rdp will give you a certificate error, but it will still work

        You will still be able to access everything in your home network as normal.

    4. katrinab Silver badge
      Paris Hilton

      Re: Split Tunnelling

      My approach at home to avoid personal traffic going through the VPN:

      A FreeBSD virtual machine that connects to the VPN

      A reverse proxy server on the VM that replicates the ports on my work systems

      When I want to access a work resource, I connect to the VM

      It also protects my home network from being accessed from the work network

      Linux would also work, but I'm a FreeBSD fangirl, and linux would use about twice as much RAM. RAM is the limiting capacity factor on my home servers.

  4. Anonymous Coward
    Anonymous Coward

    hardware

    I wonder if they had to buy any hardware from Huawei ?

  5. IGotOut Silver badge

    Networking company...

    ...can't do networking.

    Never saw Huawei doing the same.

    1. Aitor 1 Silver badge

      Re: Networking company...

      That is the reason they banned Huawei.. too good to compete on level terrain.

  6. Irongut Silver badge

    > staff at home were using the corporate VPN to connect into internal work systems as well as public-facing services.

    So Cisco can't do basic VPN setup. I'm not surprised, I had the misfortune to use a Cisco VPN a few years ago and any other solution is easier to configure and use.

  7. Paul Crawford Silver badge

    Webex

    Maybe they will fix the dog-turd sucking that is Webex now they are forced to use it for themselves?

    You know make it properly cross-platform, make it "just work" using any of the major web browsers, make it do all of the checks needed before the fsking start of the meeting so you don't have to install some new crap plug-in that needs admin privileges that you don't necessarily have for your work laptop during the first 10 minutes, etc, etc.

    1. ecofeco Silver badge

      Re: Webex

      One can dream, but don't hold your breath.

  8. Oneman2Many

    Pre crisis Cisco VPN user here with 100,000 users and of course WebEx. Couldn't move away from those fast enough. Normally, it would have needed a year to approve the alternative VPN we were testing, managed to get approval and rollout done in 5 days. MS teams should be switched on next week.

    1. Happytodiscuss

      Anxious to find out how Teams will work?

      I recently watched a system admin set up Teams, over a three hour period, for my wife's work from home access. They did set it up remotely and they wanted to allow RPC in order to perform the set-up on the new ASUS high quality laptop (I7, 12 GB RAM, Win 10 professional). Tons of bandwidth. The set-up took three hours and required RPC to remain open even after completion.

      How well is Teams integrated into MS infrastructure?

      They who set it up are a service provider, and while they don't keep accurate records and do tend to knowledgeable, they seem to be able to make things work when required local or remotely, so there is that. My wife's firm is 40 people and use technology gingerly.

      From a cold boot until the full version of Teams along with the Office 365 is loaded and ready takes about 10 minutes. Again we have lots of bandwidth, they appear to use some kind of Cisco switch (sorry I just realized they are using the Cisco VPN which is probably overworked right now and for the forseeable future) Is this the normal set-up and boot-up time you are seeing in your set-up?

      I am being curious is all.

      1. katrinab Silver badge

        Re: Anxious to find out how Teams will work?

        If you have Office365, installing Teams is:

        Visit office.com

        Log in using your O365 credentials

        Click on the Teams Icon

        You get Teams in a web browser, and you could use that

        Click on "Download Desktop App" in the bottom left corner

        Install it like any other windows/mac application

        Log in to that using your O365 credentials

        Or on your phone, download it from the app store, and log in using your O365 credentials

        On my mid 2010 MacBook Pro, it takes about 20 seconds to load, log in etc. Skype takes 8 seconds, Whatsapp desktop takes 10 seconds

        1. Oneman2Many

          Re: Anxious to find out how Teams will work?

          Depends on if your organisation has switched it on or not.

      2. Oneman2Many

        Re: Anxious to find out how Teams will work?

        We already have Office365 for most of the employees along with OneDrive and private SharePoint. Teams is a flick of a switch to enable. Integration is fine with rest of MS productions, for most people its just another collaboration tool. Like most enterprises the issue is that different teams go ahead and implement their own tools based on prior or personal experience and that just leads to fragmentation. God knows how much of the company is using WhatsApp for communicating.

        1. katrinab Silver badge
          Megaphone

          Re: Anxious to find out how Teams will work?

          We are using Whatsapp to bitch about the bosses and general gossip, Teams for internal work related stuff, and Skype for external communications.

          1. Oneman2Many

            Re: Anxious to find out how Teams will work?

            What, no Yammer or Slack ?

  9. Anonymous Coward
    Anonymous Coward

    Perhaps they should consider deploying Fortigate :)

    With various functions implemented in hardware no other vendor can come close to matching their performance per $. You have to put a very big cisco, palo alto or checkpoint up against a mid range Fortigate to match its performance.

    1. rcxb Silver badge

      no other vendor can come close to matching their performance per $.

      Open Source VPN software on an old server running Linux is nearly zero cost... Be it OpenVPN, WireGuard, OpenConnect/ocserv, isakmp, etc. Easily beats everything else on performance/$$$ metrics.

      1. mark239

        You're not going to be able to support 200,000 simultaneous connections to an old server with as little admin overhead.

  10. This post has been deleted by a moderator

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020