SMC EliteConnect is an OEM version of Vernier's two-tiered 6000-series system. The Secure Server authenticates users, maintains a consistent configuration across your network and manages roaming operations, while the Access Manager connects to access points at the edge of each subnet. The Access Manager enforces network policies, creates and manages encrypted tunnels, and provides secure access to network resources. This architecture scales well because you control how many access points connect to each Access Manager. SMC even includes an integrated four-port Ethernet switch, though most sites can define VLANs on existing closet switches to accomplish the same goal.
EliteConnect installation and configuration took just a few minutes. To get the system running, we plugged our access points into the Access Managers, connected the Access Managers and Secure Server to their appropriate switches, and pointed our browser at the Secure Server's default IP address. We used the Web interface to complete the configuration.
EliteConnect beat out its competitors by delivering a highly appealing feature set together with excellent configuration and management capabilities. In addition to supporting authentication, access control and subnet roaming, EliteConnect offers other convenience features for managing WLAN resources. We appreciated the product's ability to drill down through the management interface and see what connections the users were making in near real-time. And EliteConnect presented its network-monitoring information in an easily readable format.
EliteConnect also lets you customize the Web page users see when they authenticate--another useful management capability. Its integrated NTP time server support made it easy for us to keep the log's time stamps in sync and helped us avoid problems that can occur with time-sensitive authentication protocols, such as Kerberos.
Although you probably won't reboot these devices much, the slow reboot time of the ReefEdge product prompted us to compare it with others. If you make a significant change to the EliteConnect configuration, you can restart all the services from the Web interface and have the system back up and running in a snappy 40 seconds. Also, if you reboot the Secure Server only, clients will stay connected and won't need to reauthenticate.
EliteConnect's throughput was slower than that of most of the products we tested, but its distributed design makes it easy to install enough boxes such that the product does not introduce performance bottlenecks, at least when using current-generation WLAN systems. Of course, adding more boxes also adds to the cost and increases management overhead. We found the product's NAT (Network Address Translation) addressing scheme, which limits the number of clients per subnet, rather awkward. We overcame this by altering the subnet mask and assigning static IP addresses. Also, we noticed that SMC's solution prevents you from pinging the Access Manager's internal address, something that may be irritating for sites that use ping tests for basic monitoring and troubleshooting.
EliteConnect's session persistence and subnet roaming times were impressive. The product never dropped a packet while roaming. Although EliteConnect's throughput could use some improvement, Vernier and SMC have gotten everything else right.
SMC EliteConnect WLAN Security System: SMC EliteConnect WLAN Secure Server 2.0.11, starts at $5,600; SMC EliteConnect WLAN Access Manager, starts at $2,300. SMC Networks, (949) 679-8000, (800) SMC-4YOU (762-4968). www.smc.com
NetMotion Mobility Server 3.50
Of the three software-based products, Mobility had the best report card grade. Its strongest points were its ease of installation and use and its effective session-persistence and roaming. We would have liked better performance, but we're confident the software will scale to meet the needs of midsize and large installations--as long as you are willing to invest in high-performance server hardware. NetMotion is a pioneer in this space, and Mobility's refinement in comparison with the others, which are clearly first-generation, is notable. Further, NetMotion's Web site includes some excellent white papers on wireless security, addressing the needs of organizations planning to deploy wireless and the techniques you can use to optimize performance.
Server installation is easy. If you have a Windows network, this product will fit in easily with your existing NT Domain or Active Directory. The wizard guided us through the input of minimal configuration information. To authenticate a connecting client, Mobility checks the domain or AD to see whether the user belongs to a NetMotion user group. We created some users, added them to this group, and completed the preliminary configuration. Although Mobility requires proprietary client software (available only for Windows platforms), the installation was straightforward. The Mobility server operates on UDP Port 5008, which can be allowed through your firewall or forwarded in a NAT environment.
NetMotion implements several algorithms for encryption, including AES-Rijndael, DES, 3DES and Twofish, which you choose on a per-user basis. The software also supports IPsec, L2TP/IPsec and PPTP implemented with the assistance of standard Windows 2000 and XP services. If your users' mobile devices run Windows 2000 or XP clients, they communicate with the Mobility server using Windows' integrated encryption services as an alternative to Mobility's, but you'll still need to run the Mobility client. We set up a few of our laptops in this way and got them running with the help of NetMotion's excellent manual.
In our performance testing, Mobility delivered 23.75 Mbps encrypted and 33.6 Mbps unencrypted performance on our 600-MHz server. Although this level of performance may be of concern if your network is very large, NetMotion says it has conducted extensive internal testing, demonstrating that performance scales in relation to CPU speed. In addition, the multithreaded architecture takes advantage of multiple CPU configurations. Performance is limited by bidirectional network traffic over a single network interface; adding multiple interfaces can dramatically increase the performance.
NetMotion could not refer us to customers with thousands of concurrent users, but the vendor did point to lots of sites with hundreds of concurrent users that are operating with a single server. Although single-server implementation is the easiest to manage and can support a significant number of users, NetMotion lets you set up distributed Mobility servers to segment traffic. You also can provide failover by setting up a redundant server that will compensate for a failed server if there is an outage. However, you cannot manage all servers from a single console.
Mobility did well in our roaming test. It did not roam as fast as ReefEdge and SMC, probably because those systems let clients roam without releasing and renewing IP addresses. Still, roaming completed after only three lost pings, on average, and the sessions our clients had open were unaffected by the transition. NetMotion provided us with an update that it claims improves roaming performance, but that update came too late for us to test it.
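The roaming figures quoted throughout this review come from the same kind of test: ping continuously while a client moves between access points on different subnets, then count how many replies go missing during the transition. The script below is an added example, not code from the review or from any of the vendors, that parses ping output, finds gaps in the icmp_seq numbers and reports the longest run of lost replies together with the outage it implies at a given ping interval. The sample ping lines, the 10.1.0.1 address and the function names are constructed for illustration.

```python
"""Estimate a subnet-roaming outage from ping output.

Parses Linux/BSD-style ping lines, locates gaps in icmp_seq, and converts the
longest gap into seconds using the ping interval. Lines that carry no reply
(for example macOS's "Request timeout for icmp_seq N") are ignored on purpose,
so only received replies count.
"""
import re
import sys
from typing import Dict, List, Tuple

# Only genuine reply lines match: "<n> bytes from <host>: icmp_seq=<k> ...".
REPLY_RE = re.compile(r"^\d+ bytes from .*?icmp_seq=(\d+)")

# Constructed sample (not captured from any product): the client roams while
# sequence numbers 6-8 are in flight, so three replies never arrive.
SAMPLE_PING_OUTPUT = """\
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=1.10 ms
64 bytes from 10.1.0.1: icmp_seq=2 ttl=64 time=1.05 ms
64 bytes from 10.1.0.1: icmp_seq=3 ttl=64 time=1.12 ms
64 bytes from 10.1.0.1: icmp_seq=4 ttl=64 time=1.08 ms
64 bytes from 10.1.0.1: icmp_seq=5 ttl=64 time=1.09 ms
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
64 bytes from 10.1.0.1: icmp_seq=9 ttl=64 time=2.31 ms
64 bytes from 10.1.0.1: icmp_seq=10 ttl=64 time=1.15 ms
64 bytes from 10.1.0.1: icmp_seq=11 ttl=64 time=1.07 ms
64 bytes from 10.1.0.1: icmp_seq=12 ttl=64 time=1.11 ms
"""


def received_sequences(output: str) -> List[int]:
    """Sequence numbers of replies that actually arrived, in order seen."""
    seqs = []
    for line in output.splitlines():
        match = REPLY_RE.match(line)
        if match:
            seqs.append(int(match.group(1)))
    return seqs


def loss_runs(seqs: List[int]) -> List[Tuple[int, int]]:
    """Each gap between consecutive received replies as (first_lost, last_lost)."""
    runs = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            runs.append((prev + 1, cur - 1))
    return runs


def roaming_outage(output: str, interval_s: float = 1.0) -> Dict[str, object]:
    """Summarise loss in a ping capture; interval_s is the ping -i value used.

    The longest gap is what matters for a roam: it is the stretch during which
    the client had no connectivity. Loss before the first reply or after the
    last one cannot be seen from replies alone and is not counted here.
    """
    seqs = received_sequences(output)
    runs = loss_runs(seqs)
    longest = max((last - first + 1 for first, last in runs), default=0)
    total_lost = sum(last - first + 1 for first, last in runs)
    return {
        "received": len(seqs),
        "lost": total_lost,
        "longest_gap": longest,
        "estimated_outage_s": longest * interval_s,
        "gaps": runs,
    }


if __name__ == "__main__":
    # Pipe real ping output in, or run without input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PING_OUTPUT
    summary = roaming_outage(text, interval_s=1.0)
    print(f"received {summary['received']}, lost {summary['lost']}, "
          f"longest gap {summary['longest_gap']} "
          f"(~{summary['estimated_outage_s']:.1f} s), gaps {summary['gaps']}")
```

Run ping with a shorter interval (for example `-i 0.2`) when you want finer resolution than one second; the interval passed to `roaming_outage` must match the one given to ping, since the outage estimate is simply the gap length multiplied by that interval. A product that "never dropped a packet" in this test yields an empty gap list.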
Mobility would work great in a Windows environment with automated client software distribution. If, however, you are in an environment that doesn't allow for easy software rollouts or requires the use of non-Microsoft client OSs, you might want to consider a hardware-based solution that can operate with standard VPN clients.
NetMotion Mobility Server 3.50, starts at $2,850 (for server and 10 user connections), NetMotion Wireless, (206) 691-5500. www.netmotionwireless.com
ReefEdge Connect System 2.06
ReefEdge Connect performed best in our tests. However, other products provide greater client control, letting us see where our clients were connected and what they were doing, and terminate their connections if necessary. ReefEdge Connect doesn't support these capabilities. The product does offer roaming that is as fast as any other implementation's, with nary a dropped packet in our tests.
Like SMC EliteConnect, ReefEdge Connect is a two-tiered hardware solution with ConnectBridge devices attached to access points at the network's edge and a ControlServer at the center. The term bridge is confusing since it suggests a Layer 2 relationship between devices when in reality this product operates at higher layers. ReefEdge Connect is one of only two products (the other is Bluesocket WG-1000) to offer QoS (Quality of Service) capabilities that let the administrator throttle bandwidth. This could be handy in a bandwidth-constrained environment, such as a high-density WLAN or one in which you want to limit the impact of bandwidth-hungry applications like streaming media.
ReefEdge's support for back-end authentication database integration is more limited than that of some of the other products we tested. It does offer support for NTLM and RADIUS in addition to its own standalone authentication database. ReefEdge supports IPsec for secure sessions but lacks support for PPTP and L2TP/IPsec.
Every time we made even minor changes on the ConnectServer, including defining static NAT address mappings, we had to reboot the affected ConnectBridge or ControlServer. Also, during the time that the ConnectServer is rebooting (2 minutes and 45 seconds, but who's counting?), wireless users have no access to network resources, because the ConnectServer acts as their DNS server. And when the ConnectServer is back up, users are forced to reauthenticate. In addition, you must use NAT on all your clients. However, you can map NAT addresses to external IP addresses statically using the management interface. We found this feature helpful to support our access points, which, without IP addresses, would have been unreachable from the outside network.
ReefEdge offers two versions of its ConnectBridge and recommends the smaller ConnectBridge 25 for support of a single access point only; the ConnectBridge 100 supports higher speed traffic. The ConnectBridge 25 is limited in capacity. We managed only 8 Mbps of throughput unencrypted and 4 Mbps encrypted. Through a strange twist of events, we even discovered that we could disable a ConnectBridge 25 by sending it 6,400-byte ping packets. After we reported our findings to ReefEdge, the vendor said our unit must have been faulty and shipped us a replacement, which didn't perform any better. The ping bug was still there, so we're reluctant to recommend this product except in very-low-traffic environments.
While we didn't care for the ConnectBridge 25, we loved the 100. It passed our performance tests with ease, providing wire-speed throughput in our unencrypted datastream tests. The product's roaming is extremely efficient. When you roam between subnets, ReefEdge Connect tunnels data from a previous session started on one bridge to the next bridge. However, if you roam to a third subnet/bridge, the first bridge will tunnel to the third bridge and not the second. This ensures tunneling is handled efficiently and lowers the overhead on your backbone.
ReefEdge Connect offered the most attractive Web interface of the products we tested. And the company offers an optional client software package to simplify life for users trying to connect to the network. ReefEdge says it expects to ship its latest version, 2.5, by the time this review appears. Among the many enhancements are support for L2TP, PPTP and LDAP. Also, ReefEdge supports a crypto-accelerated version, which should offer encrypted throughput in excess of 60 Mbps. And the company has changed the name of the product to EdgeConnect.
ReefEdge Connect System 2.06, starts at $7,500. ReefEdge, (201) 548-2600. www.reefedge.com
Bluesocket WG-1000 Wireless Gateway 1.0
Bluesocket's WG-1000 Wireless Gateway can deliver maximum control over your WLAN. This product is loaded with features; it offers far more control of WLAN clients than any of the other products we tested and its performance was very good. However, the first-generation product we tested lacks roaming support and has limited centralized management capabilities. We wish we had been able to test version 2.0, which adds roaming support and should be available when this is published.
The WG-1000 supports a variety of external authentication systems, including NTLM, RADIUS and LDAP. Its Web-based configuration and management is easy to navigate. Not only does it offer QoS via bandwidth throttling, it lets you see how much traffic each user generates through a particular gateway. We set up different profiles and throttled up and down the amount of bandwidth particular users or groups were allotted. IPsec and PPTP encryption mechanisms are supported too.
As a single-box hardware solution, the WG-1000 worked differently from the other two-tiered hardware-based products we tested. The lack of a central server complicates management in large environments where multiple systems are deployed. You can set up two wireless gateways in a master-slave configuration to provide failover support for added redundancy, but if you want to support a new wireless subnet, you have to configure a new gateway from scratch. Version 2.0 still lacks central management. Bluesocket says it wants to avoid the single point of failure that exists in the two-tier hardware solutions, but we think adequate redundancy and central management are both necessary in the long run.
Unlike the other solutions, WG-1000 lets you monitor users from a Web page with the status automatically updating periodically. This feature told us who was logged in and how much traffic he or she was generating in near real-time. It also informed us of the CPU usage on the gateway. In addition, only the WG-1000 can store two separate system configurations, a handy safeguard if the new configuration fails. In testing, we reverted to a saved configuration simply by going to the configuration section of the Web management interface and pressing a "switch" button, which restarted the system and booted the alternate configuration image. We also could selectively restart independent services provided by the gateway, which helped us avoid rebooting the gateway when we made configuration changes.
During our client tests, the WG-1000 was the only hardware-based product that could not authenticate a Palm OS client running the SSL-capable Eudora Internet Suite 2.0 Web browser. When asked about the limitation, Bluesocket blamed Palm for not offering a capable integrated browser. Palm may deserve some of the blame, but it's a pretty significant problem for sites that want to connect Palm devices to their WLANs today.
The quality of the WG-1000's documentation leaves much to be desired, as is often true of version 1.0 offerings. However, version 1.2, which arrived too late for testing, included enhanced documentation. Given the lack of roaming support in the current version, the WG-1000 would appear to work best in an organization with a flat wireless network requiring only one gateway or in environments where management of subnets and network security may be decentralized (many university setups fit this description). However, with encrypted throughput of around 30 Mbps, a single gateway might introduce performance problems on high-traffic networks. Nonetheless, if your organization can live with these performance limitations, Bluesocket's WG-1000 is an appealing and cost-effective solution.
Bluesocket WG-1000 Wireless Gateway 1.0, $5,995. Bluesocket, (781) 328-0888, (866) 633-3358. www.bluesocket.com
Columbitech Wireless VPN 1.1.0.232
With its Wireless VPN, Columbitech aims to ease roaming between WLAN and wireless WAN devices, but the product needs to mature a bit before we can offer an enthusiastic recommendation. Of the products we tested, only Columbitech's employs WTLS (Wireless Transport Layer Security) encryption, a certificate-based technology optimized for wireless and commonly used on wireless WANs.
Server setup involved the normal wizard-based installation, but also required the installation of a CA (certificate authority). Administering certificates can be complicated, but the documentation that comes with the product was a big help. On the server side, you need to create two certificates (a CA certificate and a server certificate), and for each client you need to make a client certificate. Using the certificate-manager application that comes with the wireless VPN product, we generated 10 client certificates and placed them in a shared folder on the server. Next, we developed a batch file and setup-configuration script to further automate the client installation process. On each client, all we needed to do was navigate to the shared folder on the server and run the batch file, which installed the client and imported the CA certificate on the client. Although somewhat complex in comparison with other products, the process is well-documented.
The Wireless VPN did have some drawbacks. Since it is strictly a VPN, all sessions are encrypted. For enterprises with rigid security requirements, that's a nonissue. Other organizations, however, will appreciate the other products' flexibility in supporting nonencrypted datastreams. In addition, the version we tested does not include functional roaming support nor does it support multiprocessor servers, limiting scalability. Both features are scheduled to be in version 1.2. Another significant drawback is that client support is provided only for Windows 2000, XP and Pocket PC. If you run Windows 9X or non-Microsoft operating systems, you're out of luck.
The Windows 2000 server on which the Wireless VPN is installed handles all authentication operations. This product also supports RSA and DSA authentication, useful if your organization uses RSA's SecurID. The Wireless VPN was one of the slowest products we tested, with encrypted throughput of 11.7 Mbps.
If you need to support mobile users who access the network securely from multiple locations over services such as CDPD, GPRS (General Packet Radio Service) or public WLANs, an additional server called a Mobile Authentication Server (MAS) gives them secure access to your organization's resources. The MAS machine can be installed outside your corporate firewall in a DMZ and can tunnel external communications back to the main Wireless VPN server.
Columbitech recently established a business relationship with Symbol Technologies, which will resell this VPN as AirBeam Safe.
Columbitech Wireless VPN 1.1.0.232, $2,000 (fee for 10 users, plus an annual maintenance/support fee of 20 percent). Columbitech, +46 8 556 08 100. www.columbitech.com
Ecutel Viatores M-VPN 3 series 3.1
Ecutel's Viatores merges IPsec with Mobile IP to deliver robust security and roaming support for mobile users, but its management interface and integration tools need overhauls. An enterprise version includes support for a range of mobile communications networks. We focused on the Viatores WLAN edition. Viatores' Mobile IP architecture lets users maintain a constant IP address no matter where they roam, but the trade-off is a complex system that limits performance. We applaud Ecutel for sticking to standards, but it's no accident that Mobile IP hasn't taken the market by storm. Ecutel's unencrypted performance was excellent, and while encrypted performance of 26.3 Mbps was competitive, it required an add-on hardware-based cryptographic accelerator to get there. Ecutel gets some credit for offering accelerator support, but we're betting all vendors will go this route eventually; then other products will surpass Viatores' performance.
Viatores supports a range of network architectures. It offers a central Viatores server to support the majority of operations but also includes software to create relay points, gateways and multiplexers. Relay points are servers that you can install on individual subnets for increased capacity. Gateways support users connecting from external networks that do not impose heavy traffic restrictions. If your users are in a more restrictive firewall environment, they can connect to a Viatores Multiplexer on Port 80 and tunnel connections back to the Viatores server via the HTTP port. Although we did not evaluate the functionality of all these options, Ecutel addresses some unique mobile communications challenges.
Perhaps Viatores' greatest shortcoming is the complex and difficult-to-use management interface. The interface had a wizard-like feel to it, which, while helpful for some operations, made changing a single attribute difficult. We spent lots of time clicking "next" trying to get to the characteristic we wanted to change. Ecutel says it plans to provide a revamped management interface in the next release. Another serious limitation relates to Viatores' requirement for user authentication to a local database, which forces administrators to maintain a separate authentication system for WLAN users. That's OK when the number of users is limited, but it introduces a significant burden as the network grows. Support for external authentication databases is also scheduled for the next release. Finally, we found the security profiles, which were tied to subnets rather than users, lacking in comparison with other products.
Viatores runs on Windows servers, but a Linux version is scheduled for the near future. Some organizations that don't want to depend on Microsoft for yet another service might find that noteworthy. On the other hand, Viatores offers the most limited client support of any product tested. There is support only for Windows 32-bit operating systems, which means no support for handhelds or non-Microsoft OSs. After installing the client, you download the client's configuration and shared secret from the server by entering the name and IP address of the Viatores server, a very simple process; the client contacts the server and pulls down the configuration. The user then enters a password, connects to the Viatores server and can begin roaming between subnets.
Viatores M-VPN 3 Series 3.1, $150 per mobile user. Ecutel, (703) 998-2588. www.ecutel.com
Dave Molta is a senior technology editor of Network Computing. He is also an assistant professor in the School of Information Studies at Syracuse University and director of the university's Center for Emerging Network Technologies. Cornell W. Robinson III is a freelance reviewer and a research associate at the Center for Emerging Network Technologies. Send your comments on this article to them at dmolta@nwc.com or crobin01@syr.edu.