Your Own Private Network

November 15, 1999
By Mike Fratto

We tested four VPN gateways for supporting remote users, and were pleasantly surprised by the range of functionality these devices offer.

Thinking of exchanging your modem-pool for a brand-spanking-new VPN? The cost savings connected with virtual private networks--from settings in large enterprises to implementations in ROBOs (remote office/branch offices)--make a strong case for the trade-in. With VPNs, remote users can dial a local ISP and make a secure connection to the corporate network. Voila! You'll be free of costly long-distance calls and 1-800 numbers. Unfortunately, that's not the only ramification: In addition to savings, you'll encounter new costs, not the least of which is the hardware. And factors such as integration into the existing network, maintenance of client software, migration from modem-based remote access to a VPN and end-user retraining all demand your consideration.

We tested four VPN gateways that are targeted at serving remote users, whether those users are traveling, calling in from home, or connecting to a trading partner's site. Our criteria called for products that can support multiple VPN protocols--IPsec (IP security), L2TP (Layer 2 Tunneling Protocol), L2F (Layer 2 Forwarding), PPTP (Point-to-Point Tunneling Protocol) and/or proprietary protocols--within a single device and are capable of sustaining 1,000 users or more. Making the cut were Altiga Networks' VPN Concentrator C50, Indus River Networks' RiverWorks Enterprise VPN, Intel Corp.'s LanRover VPN Gateway and 3Com Corp.'s PathBuilder S580 Switch (a.k.a. TunnelServer), which went head-to-head in our Syracuse University Real-World Labs®.

Missing from our tests was Compatible Systems Corp., which didn't support multiple VPN protocols at the time of our testing. Both Nortel Networks and Cisco Systems declined to participate. The raison du jour? They both claimed they lacked the resources necessary to support a competitive review. Sounds to us like they don't have confidence in their products without expending lots of resources babysitting our tests. So here's an open invitation to Nortel and Cisco: When you think you can compete, we'll test your products. Maybe you should ask them when they'll be ready.

What We Tested

Altiga's C50, which won our Editor's Choice award, has a great overall management architecture with configuration options laid out in a logical tree structure, hierarchical profile management and excellent troubleshooting tools. Indus River's RiverWorks excels at supporting remote users with its automated client configuration tool, automated client policy updates and unique feature of supporting a database of local POP (point of presence) numbers for national ISPs. 3Com's PathBuilder offers more than just remote VPN connectivity, but its remote-user support is fairly standard, including support for RADIUS (Remote Authentication Dial-In User Service) attributes for PPTP users. Unfortunately, 3Com's client wasn't ready in time for our tests. Intel's LanRover client is on par with Indus River's, with the exception of the POP-database support.

The Importance of RADIUS

Troubleshooting connections is also crucial for successful VPN management. When a user calls support complaining that he or she can't get a network connection, the more information available to the support person the better. We find it interesting that vendors with a strong background in traditional remote access also have good troubleshooting tools, while traditional IPsec vendors typically do not.

During our tests, we had ample opportunity to test the troubleshooting tools on the gateways and clients. Altiga's C50, Indus River's RiverWorks and Intel's LanRover all exhibited good troubleshooting in their GUIs, though the C50 had the most extensive system of all. For troubleshooting with the 3Com PathBuilder, we needed to get on its console--a somewhat cumbersome task that was complicated by the fact that much of the detailed PPP output was in hex.

One of the big differentiators in troubleshooting is on the client side. Let's face it, the majority of remote users don't care about the details of networking, nor should they. Systems should just work, and when they don't, the reason needs to be clear. The task is formidable, but Indus River and Intel have done a good job presenting useful information to users in the GUI. This not only helps the user understand the failure, but also helps the support person troubleshoot the connection. Altiga's client offers some troubleshooting to end users, but the messages are more likely to cause head scratching than anything useful.

Understanding Performance

Much as you need to do with traditional remote access, you need to scale your VPN gateway accordingly. If we use the rule of thumb of eight users per port, then the gateways in this roundup can support a user population ranging from a respectable 8,000 users (with the Intel LanRover supporting 1,000 concurrent connections) to a whopping 40,000 users (with Altiga's C50 supporting 5,000 concurrent connections). But as we discovered during our testing, that doesn't mean all users will see good performance.

We found we could bring up 1,000 PPTP connections on the Indus River RiverWorks, but we were unable to send data down each client reliably. At a maximum of 7.5 Mbps total, we find it hard to believe it can really support more than a few hundred concurrent users. Indus River's response to our questions about its product's poor performance was that it is scaled to support a few T1s' worth of bandwidth. Altiga's C50 and 3Com's PathBuilder handled our 1,000 connections with aplomb, passing data without a hitch.

The Altiga C50 and the 3Com PathBuilder passed IPsec data at 79 Mbps and 71 Mbps, respectively, while the Intel LanRover poked along at 5.6 Mbps. Indus River currently doesn't support LAN-to-LAN IPsec, so RiverWorks was not included in that aspect of our tests. The performance of both the Altiga and 3Com gateways shows that they are scaled for nearly every application, while the Indus River RiverWorks and the Intel LanRover are scaled for lower-bandwidth applications.

When all was said and done, Altiga's C50 stood out as the clear winner. Strong management, excellent performance and detailed troubleshooting tools sped it to the top. And it's not just about a pretty GUI. Altiga put substantial effort into designing its Web-based management capabilities so administrators can effectively manage the C50 with minimal effort.

3Com's PathBuilder came in a distant second mainly because of weaker management. If you've got a 3Com shop running Transcend, the PathBuilder will fit in nicely. Otherwise, you'll have to learn EOS (Enterprise OS). But when you do master EOS, you'll have the most versatile VPN gateway we have seen in our labs.

Indus River and Intel's products bring up the rear primarily because of performance; they are not scaled to the same bandwidth as either Altiga's C50 or 3Com's PathBuilder. Both Indus River and Intel offer good clients and client support, though Indus River really comes out on top in this area. In fact, if we could combine Altiga's management, 3Com's versatility and the Indus River client in one package, we would have no need to look elsewhere.