The Avaya 7500 would work well in an environment with multiple remote gateways spread across a WAN. The configuration options make it easy to set up remote users authenticating to multiple gateways. Likewise, you can see a network map of each VPN. The management interface lets you store notes in just about every configuration screen, for future reference or to keep track of changes. This is a slick feature in an otherwise clunky interface. For example, you can't see the configuration settings for two different Avaya VSUs (VPN Service Units) at the same time, and it'd be nice to be able to minimize the configuration screens.
However, the VSU does have some things going for it. Avaya claims the VSU 7500 can handle 7,500 simultaneous tunnels. Also, it comes standard with an additional public and an additional private interface for added redundancy. With the other products, except for Cisco's, redundant network ports are an add-on option. Equally important are redundant power supplies, which all the vendors offer. (Note that Check Point's solution is dependent on having a PC with redundant power-supply capabilities. The Dell box Check Point sent us does not have them.) The VSUs also can work transparently on the network, in addition to serving as routers. While all the devices tested act as routers, Avaya's product is the only one that can sit transparently on the network.
The VSU's management system makes it simple to create multiple interconnected VPN networks or meshed VPNs. The VSU series takes advantage of this feature when setting up remote clients, especially if you want to have a client log in directly to multiple branch offices. The device does all the configuring for you, handling keys and so forth. Just select which users, user groups or gateways are to be included in a VPN connection, and the policy is pushed out to all VSUs simultaneously. All communication between the VSU and management station is encrypted.
We were a bit disappointed with the reporting of the management server -- it was rather primitive and definitely not user-friendly. We couldn't see event-log information, such as IKE tunnel status, remotely; we needed to log in directly on the console to see this information. Instead, centralized logging info is limited to statistical data, such as number of packets, active sessions and source/destination IP addresses. This could make troubleshooting difficult. On the positive side, the client software includes the ability to generate reports containing configuration and system information that can then be e-mailed or uploaded.
Avaya Virtual Private Network Service Unit (VSU) 7500 running Avaya VPNremote Client 4.0, Avaya, (866) 462-8292, (908) 953-6000. www.avaya.com
Check Point Software Technologies VPN-1 Next Generation Feature Pack 1 Running VPN-1 SecureClient
We ran into many problems with Check Point's product during our tests. We finally got it working right after many long hours with an on-site engineer, telephone tech support and Mountain Dew. We've had good experiences with Check Point's products in previous reviews, and we never did pinpoint why we had so much trouble with this product. We decided to reinstall VPN-1 and now believe the source of the problems might have been some corrupt config files.
VPN-1's policy editor interface took a little getting used to, but once we got past the initial learning curve, we ended up liking it. The network graphical map is more than just eye candy -- it's helpful in seeing the layout of the network and your encryption domains. Setting up mesh VPNs is a relatively easy process, though Avaya's product does it better.
Check Point's device has a few things going for it that the other products we tested don't. The company has tightly bundled a personal firewall in SecureClient, which is controllable from the same management interface, and provides centralized management of multiple gateways. Check Point is also the only vendor to offer a GUI wizard for creating custom client distributions. We simply launched the SecureClient Packaging Tool, specified a few options in the GUI and the location of the SecureClient binary, and the wizard generated the installer. Check Point includes an integrated certificate authority that can be used to configure the remote clients without using preshared secrets. Typically, you need to purchase the CA separately.
However, Check Point's solution has some drawbacks. If you want to assign an internal IP address to a VPN user, you need to install Office Mode, a free add-on module. Yet only Windows 2000 clients can take advantage of this feature. You also can't use L2TP or PPTP. And SecureClient is licensed on a per-user basis, which can get costly as the number of users increases. In all fairness, Check Point does offer SecureRemote, which is free for unlimited distribution but does not support the personal firewall or Office Mode.
The VPN-1's log viewer does a decent job telling you what's wrong, though not necessarily how to fix it. We ran into some trouble when setting up the test system -- tunnels didn't come up, and there was no notification as to why not. You can get additional information by logging into the VPN gateway directly. From there, you can see the source and destination addresses and ports of each packet, as well as pipe this output through grep to make it easier to sort through.
Check Point VPN-1 Next Generation Feature Pack 1 running VPN-1 SecureClient, Check Point Software Technologies, (800) 429-4391, (650) 628-2000. www.checkpoint.com or info@checkpoint.com
Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.