RFP: VPNs Across Multiple Sites

In 3Com's Words

Solution Summary: 3Com Corp.'s NETBuilder Extranet Switch provides scalable, secure, manageable extranet access for remote users and remote offices across the Internet. It combines the core functionality of routing, access concentrator, firewalling, tunnel termination and encryption into a single, field-tested data networking platform. In providing a software upgrade path for NETBuilder customers, the NETBuilder Extranet Switch dominates the market with more than 2.1 million virtual ports shipped.

3Com has established feature and performance leadership by combining data networking functionality with standards-based encryption, IPSec (IP Security) and MPPE (Microsoft Point-to-Point Encryption); tunneling, L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol); and encryption key administration, ISAKMP/IKE. 3Com has taken the lead in feature and functionality by shipping the industry's first complete enterprise-focused VPN solution; NETBuilder Extranet Switch provides complete support for secure and scalable client-to-LAN and LAN-to-LAN Internet-based VPNs.

Informed customers are extending and securing their WAN access architecture using field-tested data networking gear, and they look to 3Com's NETBuilder Extranet Switch solutions to meet dynamic business requirements. Successful enterprises rely on a rapidly evolving network of strategic partnerships to complete projects and bring products and service to market. Easy access to strategic partners and vendors also fosters information transfer and productivity. Beyond the turn of the millennium, this agility will separate the "quick from the dead."

By integrating Internet-based VPN capabilities into field-proven data networking gear, 3Com has provided a straightforward migration path for enterprise customers who want to harness the benefits of the Internet. With conventional routing and VPN functionality on a common platform, the inevitable migration to policy-enabled VPNs is assured.

Enterprise-Oriented Security

Determining that you are who you say you are is paramount in a remote-access connection. Achieving low-cost ownership means integrating a security scheme in the enterprise, not mandating the installation of a name directory. For today's enterprise, this means a seamless integration with the leading enterprise NOSes and security servers: Windows NT and Security Dynamics' ACE/Server. An additional extranet offers individualized, fine-grained user authentication and authorization, which provides for the setting of firewall filters and other network policies on an individual user basis.

Today's corporate intranets have evolved as "islands of knowledge" inside departments and workgroups, and distributed access may be availed via an organization's private routed network. The availability of the Internet has made it the medium of choice for selective narrowcasting of these intranet knowledge bases to a global population. This extension of the intranet, enabled by the Internet, has come to be called the extranet. The same WAN access mechanisms that enable extranet access are well-suited to be a high-density authentication and access point for Internet-based remote access.

Integrated Firewall

The NETBuilder Extranet router contains a field-tested firewall implementation and was the first router to gain ICSA (formerly NCSA) firewall certification. The NETBuilder firewall is designed and optimized to serve as the external firewall in a segmented firewall system. An unlimited number of NETBuilders may be managed from a single management workstation or Java-enabled Web browser. The Check Point Software Open Security Manager and popular Firewall-1 GUI also may be used to manage NETBuilder firewall configuration and functionality.

Network Computing's Evaluation of 3Com Corp.'s Response

3Com devotes quite a bit of space to user management, both now and for the future. Its suggestion to standardize on Windows NT for VPN authentication and user management fits into Acme.com's current configuration and would require little, if any, change to network infrastructure. Nor would it require retraining administrators. Migration to a standards-based user management system such as LDAP is mentioned, though no specific timeline or path is given.

We liked the fact that 3Com's proposed hardware, the NETBuilder Extranet Switch, supports IPSec, L2TP and PPTP for tunneling and encryption. But there is little mention of the implementation of multiprotocol support or security. 3Com failed to address remote client support, leaving us to wonder if we are simply to rely on PPTP. Moreover, there is no mention of how to handle IPX traffic. While that was not a strict requirement, other vendors, such as Bay Networks, suggested Novell's NetWare IP for securing IPX traffic.

The NETBuilder line lets Acme.com choose whether to install the VPN in conjunction with its existing WAN equipment or replace that equipment. 3Com's response suggests replacing existing equipment with NETBuilder hardware. This doesn't seem to add significantly to the fixed costs of the infrastructure and has the added advantage of minimizing the components that need management and maintenance. Acme.com could also leverage any vendor-specific features uniformly.

3Com's response replaces the existing firewall with a three-part firewall consisting of a 3Com NETBuilder II/DPE, providing an exterior security system; a DMZ (demilitarized zone) for hosting Internet services; and a Check Point Firewall-1 as an interior firewall. NETBuilder II provides tunnel termination on a hardware platform while Firewall-1 provides strong stateful inspection facilities. The security parameters of both NETBuilder II (and other NETBuilder devices) and Firewall-1 can be managed through Check Point's Open Secure Manager (OSM).

3Com's reliance on partners to supply software for firewalling, authentication and user management actually may be a blessing in disguise. While Funk Software's Steel-Belted Radius and Check Point's Firewall-1 are award-winning applications, integration, support and maintenance issues are important to settle with 3Com before installation.



3Com's response provides good detail on how user management will be integrated into the proposed VPN, as well as on the changes in network configuration from a security standpoint, but it offers spotty detail overall, particularly on service requirement coverage. 3Com's solution is fairly straightforward, a plus for installation and migration planning. However, the proposed VPN secures networks at the LAN/WAN boundaries, not at the department level as requested. Thus, reduced cost achieved by using the Internet as a WAN backbone comes at the expense of internal security needs, as stated in the RFP.











