Feature
IPSec VPNs: Take Us To the Pilot
September 20, 1999
By Mike Fratto
While it's true that VPNs (virtual private networks) are still relatively new, our tests uncovered some major improvements that should make you stand up and take notice. If you are thinking about installing a VPN in the future, it's time to get to work on a pilot project. The products and protocols have matured sufficiently to be usable in a production environment--though installation and management is still no small task, especially as the number of VPN gateways continues to grow.
IPSec defines a set of protocols and cryptographic algorithms for creating secure IP traffic sessions between IPSec gateways. At this point, the IPSec protocol suite is fairly mature. It provides basic functionality, and a number of products have been certified as interoperable by the ICSA using preshared secrets and IKE (Internet Key Exchange). In the course of several industrywide bake-offs and with the help of the ICSA, we've seen strides made toward solidifying certificate-based IKE as well. While work on remote-access support is under way in the IETF, standards still have not come of age, so stick with a single-vendor solution for now.
We tested five hardware IPSec products that support certificate-based IKE and Fast Ethernet: Assured Digital's ADI-4500, RadGuard cIPro-VPN, RedCreek Communications' Ravlin 7100, TimeStep Corp.'s Permit/Gate 7520 and VPNet Technologies' VPNware System VSU-1100. Both Check Point Software Technologies and Cisco Systems declined our invitation to participate because they were between product cycles. Intel Corp. declined because it is focusing on the remote-access VPN market and not LAN-to-LAN VPN.
Other notable absentees are Xedia Corp. and Network Alchemy. Xedia declined to take part in our tests, saying that its QVPN is more than a VPN device and doesn't compete against the other vendors. Network Alchemy, the upstart with a self-proclaimed performance advantage, bowed out because we weren't planning to focus on its touted strength--IP clustering.
The keys to a successful VPN rollout are strong management tools and methods, and good reporting. Face it, constructing VPNs is complex and tedious. If you make a simple misconfiguration or mistype an IP address, you will be cut off from the rest of the network.
Regardless of the vendor, the process of constructing VPNs is similar: Determine the networks that participate in the VPN, configure the policies and routing tables on the VPN gateways, and distribute the keys. The mechanics of setting up a VPN, on the other hand, vary greatly and the way you do it will affect the manageability of VPN devices.
ADI and VPNet offered the simplest and least error-prone approaches to VPN configuration. Within the management station, you define the networks and the security requirement, and the management software determines which devices need to be updated. RadGuard, RedCreek, and TimeStep required us to touch each and every VPN device to configure the VPN policies. While that's acceptable for small installations, can you imagine having to re-enter the same information into 20 or more gateways? Both TimeStep and RadGuard try to simplify the process by creating policy tables that can be uploaded to VPN gateways--assuming you have similar configurations everywhere.
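The difference between the two configuration approaches above can be made concrete. The following added example (not code from the article or from any of the vendors reviewed) models the centralized approach: a single definition of the sites in the VPN, the per-gateway policy tables derived from it, the set of gateways that must be updated when the definition changes, and a consistency check that catches the one-sided entries and mistyped peer addresses that hand-editing every gateway invites. All site names, addresses and subnets are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Constructed central VPN definition (sample data, not from the article):
# one IPSec gateway per site plus the private subnets behind it.
SITES = {
    "hq":     {"gateway": "198.51.100.1", "subnets": ["10.1.0.0/16"]},
    "branch": {"gateway": "203.0.113.10", "subnets": ["10.2.0.0/24"]},
    "lab":    {"gateway": "192.0.2.5",    "subnets": ["10.3.0.0/24"]},
}

def derive_policies(sites):
    """Full mesh: each gateway gets one (local subnet, remote subnet, peer)
    entry for every subnet behind every other site's gateway."""
    policies = {name: [] for name in sites}
    for a, sa in sites.items():
        for b, sb in sites.items():
            if a == b:
                continue
            for local in sa["subnets"]:
                for remote in sb["subnets"]:
                    policies[a].append((local, remote, sb["gateway"]))
    return policies

def gateways_to_update(old_sites, new_sites):
    """Gateways whose derived table changed between two central definitions,
    i.e. the devices a management station would need to push to."""
    old, new = derive_policies(old_sites), derive_policies(new_sites)
    return sorted(g for g in new if old.get(g) != new[g])

def check_consistency(policies, sites):
    """Per-device configuration errors: malformed addresses, a peer address
    that belongs to no known gateway, or an entry with no mirror entry on
    the peer it names (the far side would drop or reject the traffic)."""
    by_gateway = {s["gateway"]: name for name, s in sites.items()}
    problems = []
    for name, entries in policies.items():
        for local, remote, peer in entries:
            try:
                ip_network(local), ip_network(remote), ip_address(peer)
            except ValueError as err:
                problems.append(f"{name}: malformed entry: {err}")
                continue
            peer_name = by_gateway.get(peer)
            if peer_name is None:
                problems.append(f"{name}: peer {peer} is not a known gateway")
                continue
            mirror = (remote, local, sites[name]["gateway"])
            if mirror not in policies[peer_name]:
                problems.append(f"{name}: {local}->{remote} via {peer} "
                                f"has no mirror entry on {peer_name}")
    return problems
```

Running `check_consistency(derive_policies(SITES), SITES)` returns an empty list; changing one peer address by a single digit in one gateway's table produces two findings, one on the gateway with the typo and one on the gateway whose entry is now unmatched.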
Reporting for management purposes and troubleshooting varies significantly with each vendor. Both TimeStep and VPNet offered good reporting information, which came in handy while troubleshooting connectivity problems. RadGuard and ADI were fairly weak in reporting; their messages were rather sparse and cryptic, and not very informative at first glance.
A Year of Improvements
As in traditional remote access, there are two client-support issues you need to face--centralized management and the end-user interface. Centralized management focuses on user management and configuration. Integration into RADIUS for user authentication and configuration lets you leverage existing user databases such as NT Domains and Novell NDS. ADI, RedCreek, VPNet and RadGuard all support RADIUS, though RedCreek supports VPN configuration through specific RADIUS attributes. If you are supporting a sizable user population, RADIUS is a must unless all users are employing certificates. The quality of client software is equally important--supporting end users is difficult enough without adding to the burden. All the clients we tested were relatively simple to use, and we were able to configure them from remote locations.
While good management and performance are important, VPN gateways don't exist in a vacuum. They need to be dropped into a network with the least amount of disruption possible and they need to leverage existing services. Seamless integration is crucial. With the exception of the ADI-4500, all the devices we tested supported both transparent installation (analogous to a bridge for IP traffic, with the same subnet on both sides of the gateway) and router installation (with different subnets on each side of the gateway). You can install the configuration you need with no disruption to your network. ADI supports only router installation, which means you will need to get an external IP address or renumber your internal network. Neither option is appealing. Of course, management becomes an issue if your management station needs to be on the public side of the VPN gateway, as do any servers that the VPN gateway uses, such as CA or RADIUS servers.
The VPNet VPNware System VSU-1100 walked off with our Editor's Choice award, thanks to its combination of strong management, smooth integration into network systems and services, and good client management. The TimeStep Permit/Gate 7520 trailed VPNware, primarily because its management is still cumbersome, its throughput was not on par with VPNware--or RedCreek's Ravlin 7100, for that matter--and TimeStep charges a relatively high price for a single gateway and 1,000 clients. The ADI-4500 and the Ravlin 7100 were in a neck-and-neck race for third place, with both offering well-conceived management and performance, but lacking key features. The ADI-4500 tripped up in the area of integration, while the Ravlin 7100's management capabilities are spartan. However, at the price of $17,500 for the unit and 1,000 clients--a price lower than that of a single VPNet VSU-1100--the Ravlin 7100 earns our Best Value award.