By Mike Fratto
Virtual private networking is all the rage, with vendors swarming the market trying to convince you to purchase their hardware and software solutions. The trouble is, you may need to install multiple VPN technologies to support mobile users, trading partners and departments, each with varying security and connectivity needs. Add LDAP support for authentication and authorization, X.509 certificates for user profiles and DHCP for IP address assignment, and you're left assembling many pieces before you can roll out VPN to your users.
The NOC 4000, from start-up New Oak Communications, fills a unique need in the market by terminating multiple VPN protocols at a single point and leveraging existing network services for user authentication, accounting and addressing (see "Unlocking Virtual Private Networks" at techweb.cmp.com/nc/820/820f1.html). It sits on the wide-area link of your network, terminating tunnels from remote users and offices. I looked at a beta version of the NOC 4000 in Network Computing's
Syracuse University lab and was impressed with its support for the major VPN and encryption protocols, robust user management and excellent reporting. Those features, in addition to excellent fault tolerance, justify the $50,000 price tag.
All VPN, All the Time
Supporting L2F (Layer 2 Forwarding), PPTP (Point-to-Point Tunneling Protocol) and IPSec in a single box, the NOC 4000 is built on dual Intel Pentium Pro 200-MHz chips and 64 MB of RAM--a fairly beefy server. It provides robust fault tolerance and should perform well at the rated maximum connection density of 2,000 concurrent users. The dual power supplies and hard disks are hot-swappable and easily accessible from the front panel for easy replacement. Virtually every software option in the NOC's configuration is triple redundant; you specify up to three RADIUS (Remote Authentication Dial-In User Service) servers, three LDAP servers, three backup servers and so on. If a network service fails, the NOC switches to the backup server until service is restored. It saves important configuration information, such as network addresses, in flash memory in case of equipment failure.
System backup and a recovery mechanism are impressive features. The NOC 4000 backs up its entire disk image to a network server using FTP. Thereafter, the NOC periodically checks its file system for changes and automatically backs up only revised files. Because backups are incremental, the hit on network bandwidth is negligible. In the event of a catastrophic failure, the NOC can be fully restored from the FTP server. To test this feature, I added a user and then inserted the recovery boot floppy disk. After the operating system and HTTP server loaded, I reformatted the hard drive and restored the entire server image, application and configuration from my FTP server in under 10 minutes. Although the NOC loses changes made between backups (it's a good idea to manually back up after major changes), you can restore the server quickly.
User Management Made Easy
You can use a database on the NOC 4000 for user authentication with its internal LDAP server, or you can point it to an external RADIUS or LDAP server. Both offer a high degree of control over how users are configured on the NOC, through the use of profiles and groups. Users and groups have associated profiles, which define what types of VPNs they can establish, how those VPNs are configured and more. The groups mechanism lets you apply changes to multiple users through the group profile. The real power behind the user management system lies in the inheritance mechanism.
I defined a base group at the root of the profile tree that contained the default profile for all users. I tailored the group profiles by changing only the attributes specific to that group. (The rest of the profile is inherited from the profile above it.) This provides a quick way to manage users with similar attributes, while limiting changes to the current profile and below. Initially, I found the hierarchical method confusing because the inheritance mechanism forced me to think more carefully about how rights are inherited. But once I spent some time with the method, the fine granularity it achieved became evident.
For international extranets, the advantage is clear: I made a configuration profile called National for PPTP users specifying RC4 128-bit encryption. For international users, I made a configuration profile under National, called International, specifying RC4 40-bit encryption. The rest of the configuration remained the same. If I need to change the configuration for both National and International users, I only have to make the change in the National profile, and International inherits it.
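To make the inheritance mechanism concrete, here is a small added example of my own (not New Oak's code) that models the profile tree described above: each node stores only its overrides, the effective profile is resolved by walking from the root down, and a change at the National level propagates to International while International's own RC4 40-bit override survives. The attribute names other than the encryption settings, and the Base defaults, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    """One node in the profile tree. `attrs` holds only the overrides
    set at this level; everything else is inherited from `parent`."""
    name: str
    parent: Optional["Profile"] = None
    attrs: dict = field(default_factory=dict)

    def effective(self) -> dict:
        """Resolve the full profile: root defaults first, then each
        descendant's overrides applied in order down to this node."""
        chain = []
        node = self
        while node is not None:
            chain.append(node)
            node = node.parent
        resolved = {}
        for node in reversed(chain):   # root -> ... -> self
            resolved.update(node.attrs)
        return resolved

    def override(self, key: str, value) -> None:
        """Set an attribute at this level only; affects this node and below."""
        self.attrs[key] = value


def build_tree():
    """Constructed tree mirroring the review: Base -> National -> International."""
    base = Profile("Base", attrs={"tunnel": "PPTP", "auth": "RADIUS", "qos": "normal"})
    national = Profile("National", base, {"encryption": "RC4-128"})
    international = Profile("International", national, {"encryption": "RC4-40"})
    return base, national, international


def resolve_user(user_name: str, group: Profile) -> dict:
    """A user is just a leaf under its group; with no overrides of its own,
    its effective profile equals the group's resolved profile."""
    return Profile(user_name, group).effective()


if __name__ == "__main__":
    base, national, international = build_tree()
    print(resolve_user("alice", international))   # inherits PPTP/RADIUS, RC4-40
    national.override("qos", "high")               # one change at National...
    print(resolve_user("alice", international))   # ...is inherited by International
```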
In addition to security and tunneling configurations, the NOC implements three quality of service (QoS) techniques for tailoring performance when utilization increases. You assign users and groups different levels of QoS in the profiles. Call Admission priority reserves a percentage of available connection ports at each level. Forwarding Priority passes higher-priority traffic before lower-priority traffic. The NOC also can participate in an RSVP (Resource Reservation Protocol) setup. RSVP reserves network resources in an IP network on a per-connection basis.
Everything You Want to Know
The NOC 4000 has enough reporting to satisfy even the most information-hungry administrator. You can check out everything from user statistics to network utilization and protocol debugging. Not only can you retrieve historical information, but you can obtain details about individual connections, such as negotiated protocols, encryption levels, amount of data transferred and other performance data. The NOC 4000 maintains a system log, which details all system events, and a searchable subset of system logs for security and configuration events.
Mike Fratto can be reached at mfratto@nwc.com.