I tested the LSMS 5.0 with two Lucent VPN Firewall Bricks in our Syracuse University Real-World Labs®, and I found the management enhancements and the VPN client deployment features to be well-thought-out. However, despite these updates, the LSMS reporting and monitoring facilities remain subpar and require considerable effort to use.
Large enterprises that need multiple Bricks and tiered management will get the most value out of LSMS 5.0. It runs its own Web server, and managers can connect remotely via standard Web browsers or locally using the Java GUI. Small shops with a single firewall probably won't need the sophisticated management access controls, but larger shops will appreciate how these controls can be tailored. The VPN Firewall Brick offers firewall and VPN features similar to those of Cisco Systems' PIX Firewall and Check Point Software Technologies' FireWall-1.
Bricks of Clay
Lucent's VPN Firewall Brick is nothing if not flexible, which means it can be complicated. However, LSMS 5.0 offers a fairly intuitive interface for most tasks. One of the biggest usability changes is a single-sign-on style of login. In previous versions, zone managers were responsible for managing the access rules for specific zones. A zone is a set of IP addresses that are treated as a group. If a zone manager needed to manage multiple zones, he or she had to log in to each zone separately. Only LSMS managers could add, remove or modify a Brick's configuration.
LSMS 5.0 provides two administrator levels: LSMS administrators, who have total access to all the Bricks defined in the LSMS as well as control over the LSMS system, and group administrators, who have varying levels of access to the Bricks and associated zones within their respective groups.
For my tests, I created several administrators with different access rights. Doing so was a simple process of creating a new administrator and assigning the groups and access levels to him or her. For example, I created an auditor who could examine multiple groups and generate reports but not make any configuration changes.
Employing the remote-administration capabilities, I used Netscape Communicator 4.72 to connect to the LSMS and was able to make all configuration changes as if I were sitting at the console.
Building firewall rules is rather straightforward, once you understand the meaning of zones on the Brick. Each Ethernet interface contains one or more zones. In the screen (page 28), for example, Ether1 has three zones assigned to it. The Administrative Zone is the LSMS server. Subnet 92Zone is a range of IP addresses, and Public is an entire subnet. Unlike most firewalls, where rules are applied to interfaces, Lucent's Brick applies VPN, firewall or NAT (Network Address Translation) rules to zones, which are associated with specific interfaces. This offers highly flexible configurations.
Building VPNs in 5.0 is a two-step process. First, the VPN parameters are defined; then the access rules in each zone are modified to use the defined VPN. I configured a simple VPN between two Bricks in a matter of minutes. Once the VPN is configured, it becomes active regardless of whether traffic is running.
The next step is to configure each access rule in each zone. I had to make sure that both the in-bound and the out-bound rules were similarly configured in each zone; otherwise, no traffic would flow.
Lucent could improve the product by letting users configure the VPN and its associated firewall rules in one place, leaving the LSMS to determine how the zone rules should be modified.
Deploying Clients
Deploying VPN clients remains one of the biggest hurdles to overcome. The larger your user population, the more time you have to spend configuring and managing desktops. The LSMS now supports client deployment and updating. The LSMS runs its own Web server, so once a new version of the client is available, it can be placed on the server. I authenticated to the LSMS server and downloaded the client software. Then I created a VPN to the Brick. For software updates, the client will notify the user and launch a browser that can be used to download the new software.
Updating the software was simple. I copied the new version to the local directory on the LSMS and edited a text file that defines the client version numbers of each OS. When I initiated a VPN connection, a dialog box informed me of an updated version of the software. When I selected the link, it opened my default browser to the download page.
Unfortunately, updating the software for Microsoft Windows 95/98 and NT requires that the existing client be uninstalled before running the new install, but after two reboots, I was using the updated copy flawlessly. Software distributions also can be located on a separate FTP server, though I didn't test this feature.
New in 5.0, a split-tunneling feature on the client lets users send data to both the VPN and the Internet while the VPN client is in use. Split tunneling is configured in the user's policy, so you can control network access.
Unfortunately, I found the logging and troubleshooting tools in the LSMS to be rather cryptic. Real-time events are logged to the LSMS in a colon-delimited format, but there are no column headings, and having to count empty fields is simply too much work. The historical reporting is a bit better--the columns are defined--but we found the Web-based reports cumbersome to use.
Send your comments on this article to Mike Fratto at mfratto@nwc.com.