
At the start of our tests, none of the products were shipping with interoperable code, so we felt it unfair to score them on interoperability. On May 20, the International Computer Security Association (ICSA, formerly NCSA) announced an IPSec certification program and two of the products we tested--PERMIT 4520 (TimeStep plans to ship the certified code as a free update in August) and VSU 1010 (now shipping)--are certified as IPSec-compliant (see "IPSec Certification" online at www.networkcomputing.com/914/914r1side2.html). The certification used IPSec with IKE in shared secret mode. Certification with public key certificate authorities (CA) will come later in the year.
We took a hard look at the four contenders to see which offer the best in management and performance; to do so, we asked each vendor to submit four devices that support 10-Mbps Ethernet (see "How We Tested IPSec-Compliant VPN Solutions," on page 74).
All the IPSec devices came with a minimum set of algorithms: DES and Triple DES for encryption, and HMAC-MD5 and HMAC-SHA1 for authentication, so security was covered. But a successful rollout requires strong management applications for installation and ongoing management, easy tunnel management, good reporting for historical analysis and troubleshooting, and low performance overhead.
Management encompasses both initial and ongoing configuration of the individual devices and VPN tunnels. None of the products we tested was a standout in management.
Reporting and logging approaches varied widely with each product, but with the exception of LanRover VPN Gateway, we found SNMP monitoring support fairly weak. Moreover, SNMP traps were generally not evident in these devices. VPNet had some traps concerning security events, but they are mostly for SKIP (Simple Key-Management for Internet Protocols), not IKE or IPSec. We think it's important to have meaningful traps to alert data centers to events without requiring access to the device itself to get a status report.
Performance is important, though most installations are connecting to a T1 link at 1.544 Mbps. But the VPN will run into bottlenecks. Full encryption over our 10-Mbps Ethernet test bed resulted in up to a 30 percent reduction in performance.
Taking top honors is VPNet's VSU 1010, which delivers strong management, good performance and adequate logging. PERMIT Enterprise follows close behind with strong device and tunnel management. The LanRover VPN Gateway offers good management, but IKE functionality is just coming into beta. The Ravlin 10 smoked the others in performance, but management is difficult and not well thought out.
VPNet Technologies VPNmanager Tool Suite, VPNremote Client Software for Windows 95, VSU 1010 VPN Service Unit
Good VPN tunnel management and performance pushed VPNet's solution into the top spot in this roundup of IPSec tunneling solutions. The VSU (VPN Service Unit) 1010 offers easy management and rapid throughput, though it lacks some of the useful features other units in this roundup provide, including informative SNMP tunnel monitoring and a packaged CA. Tunnel statistics are on a par with those of RedCreek's Ravlin Manager, though not as complete as Shiva's LanRover VPN Gateway. The VSU passes data at a pretty good clip, taking second place in performance.
VSU's strong point is simplifying IPSec tunnel construction. Performance is strong, though not as impressive as RedCreek's Ravlin 10; reporting and logging are less satisfying. In fact, many of the error conditions trapped are related to the SKIP protocol. Although this version supports VeriSign and will support Entrust 4.0 for certificate authorities, neither is necessary for IPSec with manual IKE key management. VPNet, one of two vendors to be IPSec-certified by the ICSA, is at the forefront of IPSec technology, and the VSU 1010 shows it.
Keeping Track
The VPNmanager Tool Suite is managed through a Web browser using a mix of HTML and Java, and it provides everything you need to get your VPN running. After setting up the basic configuration on the VSU, such as IP address, we had to get a personal certificate from VeriSign. VPNmanager communicates securely via SSL with the VSUs. While this provides strong security, you are limited to one manager per VSU. It's a rather harsh limitation, though one that VPNet is addressing in its next release, due in the third quarter. Proper placement of VPNmanager is important. If it is placed within a VPN address range, it will be unable to receive SNMP traps unless the VSU can pass non-VPN traffic--typically not a good security policy. Additionally, management of the VSU will be unreliable, if not impossible.