FEATURE

IPSec VPNs: Take Us To the Pilot

September 20, 1999
Reviews
VPNware VSU-1100 Sets the Pace
In just about every aspect, from management to pushing packets to dropping a new device into your network, the VPNet system makes a sharp impression. By Mike Fratto

VPNet Technologies VPNware System VSU-1100
VPNet has focused tremendous energy on making a system that simplifies VPN management, integrates seamlessly into the network and leverages common network services. And it has found much success. Even though the management capabilities are still hobbled by Java in a Netscape Navigator 3.05 browser, there is little to detract from the VPNware System VSU-1100. It provides a straightforward management system that is easy to navigate and intelligently distributes VPN policy configurations to gateways. Nearly every process from initial configuration to CA enrollment is clear-cut and carefully designed.

The VSU-1100 is no slouch when it comes to pushing packets either. Even running 3-DES encryption and MD-5 authentication, the VSU-1100 topped out at 81-MBps throughput. RedCreek's Ravlin 7100 was the only competitor close, at 79 MBps. But, of course, no system is perfect. We occasionally had to refresh the VSU-1100 configuration when making changes and its event logging desperately needs help. VPNet said it is aware of these problems and will address them in version 3 of VPNware. The benefits far outweigh the problems, however--and you'll have to pay a premium for it. The VSU-1100 is priced at $7,000 more than TimeStep's Permit/Gate 7520, but throw in 1,000 clients and its price is on par with Assured Digital's ADI-4500.

Dropping a device into your network without disruption is no mean feat, but the VSU-1100 proved to be up to the task. Like most of the other products that we tested--with the exception of the Assured Digital ADI-4500--the VSU-1100 is able to sit transparently next to a router or act as a router. The flexibility is important because renumbering a subnet is a difficult and time-consuming task; transparent installation helps ease the transition.

Likewise, with the VPN gateway acting as a router you can add subnets without increasing the router ports. Because the VSU-1100 can pass data in the clear, you can much more easily add services where they're needed. Unfortunately, we found passing data in the clear difficult with the VSU-1100 because we could slice our subnet only based on bitwise boundaries similar to subnetting an IP network. This is needlessly complicated and may require you to reconfigure your hosts to place them into subnet ranges. Like other VPN devices, with the exception of RadGuard's cIPro-VPN, you are better off positioning your management station and servers outside the VPN if possible.

VPNet's model for configuring VPNs is relatively risk-free. Within VPNmanager, we grouped together subnets that were to participate in the VPN and assigned each group to a specific VSU. We then created the VPNs by combining groups and setting the encryption policies. Once complete, VPNmanager pushes the configuration out only to the affected VSUs. We also configured multiple VPNs between the same VSU-1100s with differing levels of encryption. Only cIPro-VPN could manage this task.

Support for existing services is well implemented in the VSU-1100. Leveraging a RADIUS server for remote user authentication or syslog for logging is not a problem. Even certifying with a CA was relatively painless. From the VPNmanager suite, we generated a PKCS #10 certificate request and transported it to our Entrust CA by floppy disk. We certified the request and carried the file back to the VPNmanager.

However, we ran into a problem when we tried to import the certificate. When Entrust 4 generates a signed certificate, it doesn't enter in the begin and end certificate lines, a common but optional practice. Therefore, when we tried to import the signed certificate, the VSU-1100 incorrectly perceived it as a PEM (Privacy Enhanced Mail)-encoded file and wouldn't parse the file. We had to enter in the lines manually, and then the certificate was accepted. According to VPNet officials, they will address this issue in the future.
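The import problem above comes down to telling apart three encodings of the same certificate: binary DER, armored PEM, and base64 text with no begin and end lines. The following is an added example, not VPNet's or Entrust's code; the function names and the sample bytes are constructed for illustration. It shows an importer that detects each form and normalizes it to armored PEM.

```python
import base64
import binascii
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_ARMORED = re.compile(PEM_BEGIN + r"(.*?)" + PEM_END, re.S)

# Constructed stand-in for a certificate: a DER SEQUENCE of two INTEGERs.
SAMPLE_DER = bytes.fromhex("3006020101020102")


def looks_like_der(data: bytes) -> bool:
    """True if data is a single ASN.1 SEQUENCE whose length spans the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first == len(data)
    n = first & 0x7F                      # long form: n length bytes follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)


def normalize_certificate(blob: bytes):
    """Return (detected_format, armored_pem) for DER, PEM or bare base64 input."""
    if looks_like_der(blob):
        kind, der = "der", blob
    else:
        try:
            text = blob.decode("ascii")
            match = _ARMORED.search(text)
            kind = "pem" if match else "bare-base64"
            body = "".join((match.group(1) if match else text).split())
            der = base64.b64decode(body, validate=True)
        except (UnicodeDecodeError, binascii.Error) as exc:
            raise ValueError("not DER, PEM or base64") from exc
        if not looks_like_der(der):
            raise ValueError("decoded data is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return kind, "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


if __name__ == "__main__":
    bare = base64.b64encode(SAMPLE_DER)   # base64 body with no armor lines
    print(normalize_certificate(bare))
```

The structural check only confirms an outer DER SEQUENCE of the right length; signature and chain validation still belong to the certificate library that consumes the normalized output.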

VPNet has enhanced its client support. Configuration files can now be downloaded dynamically when the user connects to the VSU. Client installation is painless, as was the case with all the products we tested. We initially used a configuration file that we exported to a file. We simply started the client and pointed it to the appropriate configuration file.

We next used the dynamic download feature, which requires a user to supply login credentials as well as the VSU certificate name. Once the user is connected, the client is configured. This is an excellent option for traveling users who share a pool of laptops.

VPNware System VSU-1100, $17,995 for hardware only, VPNet Technologies, (888) VPNET-88, (408) 445-6600; fax (408) 445-6611. www.vpnet.com or info@vpnet.com


