Network Computing, powered by InformationWeek Business Technology Network


SNEAK PREVIEW

VPN 3005 Concentrator Melds Big Features With Small Price

May 29, 2000
By: Mike Fratto

The VPN 3005 Concentrator offers firewall, authentication and routing features not often found for the price. Remarkably, the process to secure Cisco's 3005 was entirely foolproof and error-free.

Targeted at the small-office market, Cisco Systems' VPN 3005 Concentrator offers digital certificates for LAN-to-LAN and remote-access VPNs (virtual private networks), advanced VPN configuration, and automatic log-file backup via FTP. At 1U in height, with support for up to 100 users and priced at only $4,000, the VPN 3005 Concentrator delivers an excellent mix of firewall, authentication and network routing features typically not found in similarly targeted devices. If you already own one of the large devices in the VPN 3000 line, you won't face a learning curve, because the software running the system is practically identical.

Unlike other models in the line, none of the hardware in the VPN 3005 Concentrator is field-replaceable and all the encryption is handled in software: It's meant for plug-and-play installations. A typical configuration includes two autosensing 10/100 Ethernet interfaces. By press time, a factory-installed dual T1 CSU/DSU (channel service unit/data service unit) module should also be available.

Simple and Secure

The configuration wizard walked me through the basic configuration of the VPN 3005. Once the setup was complete, I had my networking in hand: A basic security policy was in place, and I could begin to manage it through the Web interface. Unlike my experience with previous versions of the VPN 3000 software, I was able to connect via SSL (Secure Sockets Layer), thereby protecting the communications from intruders. Well thought-out and easily navigated, the VPN 3005's management interface put at my fingertips everything necessary to configure the unit.

To begin testing, I created a certificate-based IPsec (IP security) VPN between the 3005 and a VPN 3060. The VPN 3005 supports the common signing algorithms DSA (Digital Signature Algorithm) and RSA (Rivest-Shamir-Adleman) as well as common certificate formats DER and Base64. I used certificates from the Microsoft Interop Test Certificate Authorities Web site.

The first step was to add the CA (certificate authority) root certificate onto the VPN 3005. I downloaded the file from the CA and uploaded the certificate to the VPN 3005. I then generated a certificate and submitted the request via a Web browser to the CA. After I received the signed certificate request, I submitted it to the VPN 3005 and was ready to install the VPN. Remarkably, this process was entirely foolproof and error-free.

The VPN 3005 can also retrieve CRLs (certificate revocation lists) via LDAP, but we were unable to test this feature because Microsoft's test site supports only CDP (CRL distribution points). Missing is a method for manually uploading CRLs into the VPN 3005. While it's not a scalable solution, manual update is a stopgap measure when LDAP queries temporarily fail. Also missing is any form of online enrollment, though that is not unique to the 3005.

Setting up the remaining VPN parameters was equally straightforward. I selected a common encryption/authentication algorithm combination: 3DES with MD5 in tunnel mode.

A new feature I appreciated is the ability to generate named network lists, which I created on the fly. Network lists combine different subnets and hosts into a single group that is then used in filtering rules and VPN configuration.

Support for Autodiscovery

The software on the VPN 3005 supports remote network autodiscovery. Using RIP (Routing Information Protocol) v.1 or v.2, the VPN 3005 can advertise routes to other VPNs, removing the need to manually add or remove networks from VPNs as the topology changes. The VPN 3005 also supports Microsoft Windows 2000's L2TP (Layer 2 Tunneling Protocol) with IPsec, as well as Network Associates' PGP VPN Client 6.5.x. To connect Windows 2000 clients to the VPN 3005, I was forced to create a special user group, because Windows 2000 tunnels L2TP with IPsec. This configuration required me to add specific parameters for the L2TP setup.

Packets and Performance

I used Netcom Systems SmartBits 2000 to test the performance of the VPN 3005, and Netcom's SmartApplications to test the throughput over the VPN. I used five packet sizes, ranging from 128 bytes to 1,280 bytes of data.

When handling the large packet sizes, the VPN 3005 pushed slightly more than 3 MB per second of data, while performance with the smaller packet sizes amounted to less than half. Because the VPN 3005 targets the small office, where WAN speeds are typically at T1 rates, this performance is acceptable.

The curve is not surprising; as the number of packets per second increases, the device needs to do more processing from the physical layer up to Layer 3 and back down--plus encryption. With smaller packet sizes, more than three times as many packets need to be processed as with the larger sizes. Because most packet sizes fall between 512 bytes and 1,400 bytes, there should be more than enough performance to satisfy most needs.
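
As an added illustration (not part of the original review and not Cisco's code), this Python sketch works out what ESP tunnel mode with 3DES-CBC and HMAC-MD5, the combination selected above, adds to each packet, and how many packets per second it takes to fill a T1 at each size. Assumptions: the sizes are inner IPv4 packet lengths, the outer IPv4 header has no options, the integrity check value is the 96-bit truncated HMAC-MD5, T1 is taken as 1.544 Mbps with link-layer framing ignored, and the three intermediate sizes are constructed because the review names only the 128- and 1,280-byte endpoints.

```python
# Added example: on-wire cost of ESP tunnel mode with 3DES-CBC + HMAC-MD5-96.
from dataclasses import dataclass

OUTER_IPV4 = 20      # new outer IPv4 header, no options (assumption)
ESP_HEADER = 8       # SPI (4 bytes) + sequence number (4 bytes)
IV_3DES = 8          # 3DES-CBC carries one 8-byte IV in every packet
BLOCK_3DES = 8       # the encrypted part must be a multiple of the block size
ESP_TRAILER = 2      # pad-length byte + next-header byte
ICV_MD5_96 = 12      # HMAC-MD5 truncated to 96 bits
T1_BPS = 1_544_000   # T1 line rate; link-layer framing ignored (assumption)


@dataclass
class EspCost:
    inner: int        # original IP packet length in bytes
    padding: int      # ESP padding bytes needed for block alignment
    on_wire: int      # length of the resulting outer IP packet
    efficiency: float # share of on-wire bytes that is original packet
    pps_at_t1: float  # packets per second needed to fill a T1


def esp_tunnel_cost(inner: int) -> EspCost:
    if inner < 20:
        raise ValueError("inner packet must at least hold an IPv4 header")
    padding = -(inner + ESP_TRAILER) % BLOCK_3DES
    encrypted = inner + padding + ESP_TRAILER
    on_wire = OUTER_IPV4 + ESP_HEADER + IV_3DES + encrypted + ICV_MD5_96
    return EspCost(inner, padding, on_wire, inner / on_wire,
                   T1_BPS / (on_wire * 8))


def max_inner_for_mtu(mtu: int = 1500) -> int:
    """Largest inner packet whose ESP-wrapped form still fits in one MTU."""
    room = mtu - OUTER_IPV4 - ESP_HEADER - IV_3DES - ICV_MD5_96
    return room - room % BLOCK_3DES - ESP_TRAILER


# Constructed sizes: only 128 and 1,280 bytes are named in the review.
SAMPLE_SIZES = [128, 256, 512, 1024, 1280]

if __name__ == "__main__":
    for size in SAMPLE_SIZES:
        c = esp_tunnel_cost(size)
        print(f"{c.inner:5d} B inner -> {c.on_wire:5d} B on wire, "
              f"pad {c.padding}, {c.efficiency:5.1%} payload, "
              f"{c.pps_at_t1:7.1f} pkt/s fills a T1")
    print("largest unfragmented inner packet at MTU 1500:",
          max_inner_for_mtu())
```

The fixed 56 bytes of overhead cost a 128-byte packet about 30 percent of the link but a 1,280-byte packet only about 4 percent, and inner packets larger than 1,446 bytes no longer fit a 1,500-byte MTU once wrapped.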

During testing, I also looked at the logging and troubleshooting tools in the 3005. While the logs are informative for troubleshooting, the task of deciphering networking, VPN and other remote-access issues requires quite a bit of technical knowledge. The VPN 3005 supports automatic FTP backup of the log files when they rotate.

Send your comments on this article to Mike Fratto at mfratto@nwc.com.






Copyright © 2009 United Business Media LLC