
Feature

IPSec VPNs: Take Us To the Pilot

September 20, 1999
By Mike Fratto

While it's true that VPNs (virtual private networks) are still relatively new, our tests uncovered some major improvements that should make you stand up and take notice. If you are thinking about installing a VPN in the future, it's time to get to work on a pilot project. The products and protocols have matured sufficiently to be usable in a production environment--though installation and management are still no small task, especially as the number of VPN gateways continues to grow.

IPSec defines a set of protocols and cryptographic algorithms for creating secure IP traffic sessions between IPSec gateways. At this point, the IPSec protocol suite is fairly mature. It provides basic functionality, and a number of products have been certified as interoperable by the ICSA using preshared secrets and IKE (Internet Key Exchange). In the course of several industrywide bake-offs and with the help of the ICSA, we've seen strides made toward solidifying certificate-based IKE as well. While work on remote-access support is under way in the IETF, standards still have not come of age, so stick with a single-vendor solution for now.

We tested five hardware IPSec products that support certificate-based IKE and Fast Ethernet: Assured Digital's ADI-4500, RadGuard cIPro-VPN, RedCreek Communications' Ravlin 7100, TimeStep Corp.'s Permit/Gate 7520 and VPNet Technologies' VPNware System VSU-1100. Both Check Point Software Technologies and Cisco Systems declined our invitation to participate because they were between product cycles. Intel Corp. declined because it is focusing on the remote-access VPN market and not LAN-to-LAN VPN.

Other notable absentees are Xedia Corp. and Network Alchemy. Xedia declined to take part in our tests, saying that its QVPN is more than a VPN device and doesn't compete against the other vendors. Network Alchemy, the upstart with a self-proclaimed performance advantage, bowed out because we weren't planning to focus on its touted strength--IP clustering.

The keys to a successful VPN rollout are strong management tools and methods, and good reporting. Face it, constructing VPNs is complex and tedious. If you make a simple misconfiguration, or mistype an IP address, you will be cut off from the rest of the network.

Regardless of the vendor, the process of constructing VPNs is similar: Determine the networks that participate in the VPN, configure the policies and routing tables on the VPN gateways, and distribute the keys. The mechanics of setting up a VPN, on the other hand, vary greatly and the way you do it will affect the manageability of VPN devices.

ADI and VPNet offered the simplest and least error-prone approaches to VPN configuration. Within the management station, you define the networks and the security requirement, and the management software determines which devices need to be updated. RadGuard, RedCreek, and TimeStep required us to touch each and every VPN device to configure the VPN policies. While that's acceptable for small installations, can you imagine having to re-enter the same information into 20 or more gateways? Both TimeStep and RadGuard try to simplify the process by creating policy tables that can be uploaded to VPN gateways--assuming you have similar configurations everywhere.
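The management-station approach described above (declare the participating networks and the security requirement, let software derive the per-gateway policies and decide which devices need an update) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the article or from any of the vendors reviewed; the gateway names, addresses, the `esp-3des-sha1` requirement label and the policy-entry shape are constructed assumptions. It also performs the sanity checks that the earlier paragraph on misconfiguration argues for: a mistyped subnet that overlaps another gateway's network, or a protected subnet that would swallow a peer's own tunnel endpoint, is rejected before anything is pushed.

```python
"""Centralized VPN policy derivation (added example, not the article's or any vendor's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Gateway:
    name: str
    public_ip: IPv4Addr             # tunnel endpoint on the public side
    protected: Tuple[IPv4Net, ...]  # subnets sitting behind this gateway


@dataclass(frozen=True)
class PolicyEntry:
    """One selector in a gateway's policy table: traffic between local and
    remote is tunnelled to peer under the named protection requirement."""
    local: IPv4Net
    remote: IPv4Net
    peer: IPv4Addr
    requirement: str  # constructed label, e.g. "esp-3des-sha1"

    def render(self) -> str:
        return f"{self.local} <-> {self.remote} via {self.peer} [{self.requirement}]"


def gateway(name: str, public_ip: str, *protected: str) -> Gateway:
    """Convenience constructor; a mistyped address or prefix raises ValueError here,
    long before it can cut a site off from the network."""
    return Gateway(name, ipaddress.ip_address(public_ip),
                   tuple(ipaddress.ip_network(n) for n in protected))


def validate_topology(gateways: List[Gateway]) -> List[str]:
    """Return human-readable errors for overlapping protected subnets and for a
    protected subnet that contains another gateway's public address."""
    errors = []
    for i, gw in enumerate(gateways):
        for other in gateways[i + 1:]:
            for a in gw.protected:
                for b in other.protected:
                    if a.overlaps(b):
                        errors.append(f"{gw.name} {a} overlaps {other.name} {b}")
        for other in gateways:
            if other is not gw and any(other.public_ip in n for n in gw.protected):
                errors.append(f"{gw.name} protects the tunnel endpoint of {other.name}")
    return errors


def compile_policies(gateways: List[Gateway], members: List[str],
                     requirement: str) -> Dict[str, List[PolicyEntry]]:
    """Full-mesh policy entries for every gateway that protects a member network;
    gateways with no member network behind them get no entries at all."""
    member_nets = {ipaddress.ip_network(m) for m in members}
    participating = [(gw, [n for n in gw.protected if n in member_nets]) for gw in gateways]
    participating = [(gw, nets) for gw, nets in participating if nets]
    policies: Dict[str, List[PolicyEntry]] = {}
    for gw, local_nets in participating:
        entries = []
        for peer, peer_nets in participating:
            if peer is gw:
                continue
            for local in local_nets:
                for remote in peer_nets:
                    entries.append(PolicyEntry(local, remote, peer.public_ip, requirement))
        policies[gw.name] = entries
    return policies


def devices_to_update(current: Dict[str, List[PolicyEntry]],
                      desired: Dict[str, List[PolicyEntry]]) -> List[str]:
    """Only gateways whose policy set actually changed need to be touched."""
    names = set(current) | set(desired)
    return sorted(n for n in names if set(current.get(n, [])) != set(desired.get(n, [])))


# Constructed sample topology; public addresses come from the RFC 5737 test range.
GATEWAYS = [
    gateway("hq", "198.51.100.1", "10.1.0.0/16"),
    gateway("branch-a", "198.51.100.2", "10.2.0.0/16"),
    gateway("branch-b", "198.51.100.3", "10.3.0.0/16"),
]


def demo() -> Tuple[List[str], Dict[str, List[str]], List[str]]:
    """Build a two-site VPN, grow it to three sites, and report which gateways change."""
    errors = validate_topology(GATEWAYS)
    first = compile_policies(GATEWAYS, ["10.1.0.0/16", "10.2.0.0/16"], "esp-3des-sha1")
    second = compile_policies(GATEWAYS, ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
                              "esp-3des-sha1")
    rendered = {name: [e.render() for e in ents] for name, ents in second.items()}
    return errors, rendered, devices_to_update(first, second)


if __name__ == "__main__":
    errs, policy_lines, changed = demo()
    print("validation:", errs or "ok")
    for name, lines in policy_lines.items():
        print(name, lines)
    print("gateways needing an update:", changed)
```

Adding the third site changes the policy set on all three gateways, so all three are reported; re-running with an unchanged membership reports none, which is the property that makes per-device touching unnecessary as the gateway count grows.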

Reporting for management purposes and troubleshooting varies significantly with each vendor. Both TimeStep and VPNet offered good reporting information, which came in handy while troubleshooting connectivity problems. RadGuard and ADI were fairly weak in reporting; their messages were rather sparse and cryptic, and not very informative at first glance.

A Year of Improvements
When we looked at performance, we saw a marked improvement compared with last year's products, which supported 10 Mbps (see "IPSec-Compliant VPN Solutions: Virtualizing Your Network," www.networkcomputing.com/918/918sp2.html). Both VPNet and RedCreek pushed data along at nearly 80 Mbps, with ADI and TimeStep coming in a bit slower. (For more details, see "How We Tested," at right.) While most networks won't see sustained utilization exceeding 80 percent, burst traffic can certainly reach that level. For the most part, VPN construction took little more than one second to complete. As expected, remote-access performance from the desktop was very high for dial-up connections. We were unable to test RadGuard's cIPro-VPN despite spending numerous hours on the phone trying to get to the bottom of the problem. While everything was configured properly and the VPN negotiated, throughput was dismal; it ground to a halt after approximately 10 seconds.

As in traditional remote access, there are two client-support issues you need to face--centralized management and the end-user interface. Centralized management focuses on user management and configuration. Integration into RADIUS for user authentication and configuration lets you leverage existing user databases such as NT Domains and Novell NDS. ADI, RedCreek, VPNet and RadGuard all support RADIUS, though RedCreek supports VPN configuration through specific RADIUS attributes. If you are supporting a sizable user population, RADIUS is a must unless all users are employing certificates. The quality of client software is equally important--supporting end users is difficult enough without adding to the burden. All the clients we tested were relatively simple to use, and we were able to configure them from remote locations.

While good management and performance are important, VPN gateways don't exist in a vacuum. They need to be dropped into a network with the least amount of disruption possible and they need to leverage existing services. Seamless integration is crucial. With the exception of the ADI 4500, all the devices we tested supported both transparent installations (analogous to a bridge for IP traffic) with the same subnet on both sides of the gateway and router installation with different subnets on each side of the gateway. You can install the configuration you need with no disruption to your network. ADI supports only router installation, which means you will need to get an external IP address or renumber your internal network. Neither option is appealing. Of course, management becomes an issue if your management station needs to be on the public side of the VPN gateway as well as any servers that the VPN gateway uses, such as CA or RADIUS servers.

The VPNet VPNware System VSU-1100 walked off with our Editor's Choice award, thanks to its combination of strong management, smooth integration into network systems and services, and good client management. The TimeStep Permit/Gate 7520 trailed VPNware, primarily because its management is still cumbersome, its throughput was not on par with VPNware--or RedCreek's Ravlin 7100, for that matter--and TimeStep charges a relatively high price for a single gateway and 1,000 clients. The ADI-4500 and the Ravlin 7100 were in a neck-and-neck race for third place, with both offering well-conceived management and performance, but lacking key features. The ADI-4500 tripped up in the area of integration, while the Ravlin 7100's management capabilities are spartan. However, at the price of $17,500 for the unit and 1,000 clients--a price lower than that of a single VPNet VSU-1100--the Ravlin 7100 earns our Best Value award.
