
By Mike Fratto
Are you itching to reduce WAN connectivity costs while maintaining or improving your network security? Virtual Private Networks (VPNs) may be the answer. A VPN provides secure, dynamic connectivity across public IP networks by securing the traffic between two end points. Workstations and servers protected by the VPN view geographically remote sites as if they were part of the same network when tunneling IP traffic, but the traffic is unintelligible to nodes located outside the VPN.
At the forefront of this technology are hardware devices that support the IPSec (IP Security) protocol and IKE (Internet Key Exchange, formerly known as ISAKMP/Oakley Resolution). Other VPN protocols such as PPTP, L2TP and L2F offer some VPN services such as encryption and multiprotocol routing, but they are better suited to remote-access applications and moving non-IP traffic across the Internet. In fact, these seemingly competing VPN technologies serve different needs and can't be compared in a meaningful way on a per-product basis.
Of course, data leaving your LAN is subject to sniffing by unauthorized users, which is where IPSec devices come in to safeguard privacy. IPSec protects your data at Layer 3 using strong encryption and authentication. IPSec tunneling with IKE ensures that your data is encrypted end-to-end and that it has not been tampered with en route. At the time of this writing, six ICSA-certified interoperable IPSec products are on the market. It's likely more will have joined them by the time you read this.
While the IPSec VPN gateways with IKE support we tested--RedCreek's Ravlin 10, Shiva LanRover VPN Gateway (beta version), TimeStep's PERMIT Enterprise and VPNet's VSU 1010--are stable, aspects such as remote management, reporting and logging, and advanced management functions are still immature and require more work by vendors. However, the current crop of proprietary management stations will let trusted administrators assess problems remotely and securely.
What's Next? Vendors claiming to have IPSec-compliant implementations may be telling only half the story. The other half of IPSec tunneling is IKE, or key management, which provides secure management and exchange of cryptographic keys between distant devices. The IKE protocol exchanges keys, while IPSec encrypts and signs packets. While manual IPSec is possible, it means you must add and change keys on each device by hand--an ineffective solution since keys can't be updated as often.
You also need a secure way to transmit those keys to other devices. IKE automates the process by using public-key cryptography to create a secure association, which is then used to perform a secure second public-key exchange, resulting in a symmetric key for encryption. IKE adds further functionality, such as rekeying the VPN while in session (if one key is compromised, only the portion encrypted with that key is recoverable) and perfect forward secrecy (no two keys are related).
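The rekeying and perfect-forward-secrecy behavior described above, as an added example that is not part of the original article: a simplified Python model (not the IKE wire protocol) in which two gateways run Diffie-Hellman over the Oakley Group 1 prime from RFC 2409. The function names, the HMAC-SHA-256 key derivation and the nonce handling are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# 768-bit MODP prime, Oakley Group 1 (RFC 2409, section 6.1); generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def dh_keypair():
    # Ephemeral private exponent in [2, P-2] and the public value sent to the peer.
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:      # reject degenerate public values
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes(96, "big")

def prf(key, *parts):
    # Assumption: HMAC-SHA-256 stands in for the negotiated pseudo-random function.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def phase1():
    """First exchange: both gateways derive the same long-lived SA secret."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    secret = dh_shared(a, B)
    assert secret == dh_shared(b, A)  # initiator and responder agree
    return prf(secret, b"phase1")

def session_key(sa_secret, pfs):
    """One rekey: fresh nonces every time, a fresh DH exchange only if pfs=True."""
    nonces = secrets.token_bytes(16) + secrets.token_bytes(16)  # carried under the SA
    fresh = b""
    if pfs:
        a, _ = dh_keypair()
        _, B = dh_keypair()
        fresh = dh_shared(a, B)       # ephemeral secret, discarded after use
    return prf(sa_secret, fresh, nonces), nonces

def recomputable(sa_secret, key, nonces):
    """True if the SA secret plus the recorded nonces suffice to rebuild the key."""
    return hmac.compare_digest(prf(sa_secret, nonces), key)
```

Each rekey yields a different key either way, but only the `pfs=True` keys stay out of reach if the long-lived SA secret is later exposed.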
For the sidebars, see How We Tested IPSec-Compliant VPN Solutions and IPSec Certification.
The IPsec-Compliant VPN Solutions Features charts, in Acrobat format.
The IPsec-Compliant VPN Solution Performance charts, in Acrobat format.