Network Computing
ADI-4500 VPN Switch Is a Mixed Bag

By Mike Fratto
Virtual private networks are all the rage. Yet this nascent market is experiencing severe growing pains: New products are being introduced practically every week, and vendors have to work extra hard to differentiate themselves. Assured Digital's ADI-4500 Dynamic VPN Switch sets itself apart through its ease of installation and administration features.

I tested a late beta of the ADI-4500 and its ADI Management System (AMS) and was impressed by the product's relatively simple management features. But I found the advanced features, such as Dynamic VPN Switching and Automated Operation and Security (AOS) key management, to be a mixed blessing.

More Security, More of the Time

I powered up the ADI-4500 in Network Computing's Syracuse University real-world lab. After configuring the IP address via the local management port, I managed the device from the AMS and completed the configuration. Many of the details and complexities of this VPN device are hidden behind its single-click interface.

The ADI devices' X.509 certificates were burned into them at the factory, along with a unique Secure Certificate System (SCS) ID. The SCS ID is used to identify the ADI-4500 to the AMS station at boot-up. When the ADI boots, it sends a configuration request to the AMS that is secured with RSA 1,024-bit public/private encryption. Once the ADI-4500 has been authenticated, the AMS sends its configuration to the ADI-4500. I was disappointed to find that the ADI-4500 uses a proprietary key management scheme instead of IPSec (IP Security) IKE key management.

The AMS generates the session keys for the ADI-4500s and sends them to the ADI-4500s when needed. The weakness is a denial-of-service exposure: if the switches' session keys expire while the AMS server is down, the 4500 stops working. While the ADI-4500 uses IPSec as the Layer 3 transport, ADI uses its own key management system, called AOS, and its own certificate authority. Until ADI adopts IKE, these will not interoperate with other IPSec implementations.
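The two mechanisms described above, boot-time identification by a factory-installed certificate and session keys that exist only because the management station hands them out, can be modelled together. The following is an added example written for this review, not Assured Digital's code: a toy management station that answers only enrolled device IDs whose certificate fingerprint matches, and a switch that fails closed once its key expires and the station cannot be reached. The key lifetime, device IDs, certificate bytes, and the use of a SHA-256 fingerprint and `os.urandom` in place of real X.509 verification and RSA-protected messages are all assumptions of the example.

```python
"""Toy model of a hub-managed VPN key service (constructed example, not ADI's code).

Assumed behaviour (modelled on the article, details invented here): the
management station keeps a registry of enrolled device IDs bound to a
certificate fingerprint, answers a device's boot-time request only when
both match, and hands out session keys with a fixed lifetime. A SHA-256
fingerprint and os.urandom stand in for real X.509 verification and an
authenticated channel.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KEY_LIFETIME = 3600  # seconds a session key is valid (constructed value)


def fingerprint(cert_der: bytes) -> str:
    """Stand-in for binding a device to its factory-installed certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class ManagementStation:
    """The AMS role: the only place session keys come from."""
    enrolled: Dict[str, str] = field(default_factory=dict)  # device ID -> fingerprint
    online: bool = True

    def enroll(self, device_id: str, cert_der: bytes) -> None:
        self.enrolled[device_id] = fingerprint(cert_der)

    def issue_key(self, device_id: str, cert_der: bytes, now: float) -> Tuple[bytes, float]:
        """Return (session_key, expiry) for an enrolled device whose cert matches."""
        if not self.online:
            raise ConnectionError("management station unreachable")
        expected = self.enrolled.get(device_id)
        if expected is None or expected != fingerprint(cert_der):
            raise PermissionError(f"device {device_id!r} not enrolled or certificate mismatch")
        return os.urandom(32), now + KEY_LIFETIME


@dataclass
class VpnSwitch:
    """The ADI-4500 role: holds one session key and cannot make its own."""
    device_id: str
    cert_der: bytes
    key: Optional[bytes] = None
    expiry: float = 0.0

    def refresh(self, ams: ManagementStation, now: float) -> None:
        self.key, self.expiry = ams.issue_key(self.device_id, self.cert_der, now)

    def can_forward(self, ams: ManagementStation, now: float) -> bool:
        """True while a valid key is held; otherwise ask the AMS, and fail closed."""
        if self.key is not None and now < self.expiry:
            return True
        try:
            self.refresh(ams, now)
            return True
        except (ConnectionError, PermissionError):
            self.key = None
            return False


def forwarding_timeline(switch: VpnSwitch, ams: ManagementStation,
                        outage: Tuple[float, float], checkpoints) -> Dict[float, bool]:
    """Evaluate can_forward() at each checkpoint, with the AMS down during `outage`.

    Returns {time: bool}. An outage shorter than the remaining key lifetime is
    harmless; one that outlasts the key turns into an availability failure.
    """
    start, end = outage
    result = {}
    for t in checkpoints:
        ams.online = not (start <= t < end)
        result[t] = switch.can_forward(ams, t)
    return result


if __name__ == "__main__":
    ams = ManagementStation()
    cert = b"constructed-cert-for-SCS-0001"  # placeholder bytes, not a real certificate
    ams.enroll("SCS-0001", cert)
    sw = VpnSwitch("SCS-0001", cert)
    print(forwarding_timeline(sw, ams, outage=(1000, 5000),
                              checkpoints=[0, 1000, 3000, 3700, 5000]))
    # -> {0: True, 1000: True, 3000: True, 3700: False, 5000: True}
```

The timeline makes the operational point concrete: the tunnel survives an AMS outage only for as long as the keys already issued remain valid, so the key lifetime and the management station's availability set the exposure window. A device with an unknown ID or a non-matching certificate never gets a key in the first place.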

Configuring AOS

AOS provides a single GUI management point for VPN devices and security management. Through the use of "domains," ADI enables VPN security segmentation. Configuration involved three steps. First, I created a domain for the VPN and set the default security parameters. The domain is a set of VPN devices that share common security parameters and communicate among each other. A significant drawback to this version of the software is that an ADI device can belong to only one domain at one time. So if you have multiple security requirements, you will need multiple ADI devices for each domain. ADI will support multiple domain configuration in its late fourth-quarter release.

In the second phase, I added the VPN devices to the AMS, which was very easy to do. All of the configuration information is conveniently available on a single screen. During testing, I put each device into a single domain, allotted individual descriptive names and entered a unique SCS ID, which identified the ADI device to the AMS. Once that was accomplished, the AMS contacted and configured the ADI-4500s. In fact, I configured three ADI-4500s in less than five minutes. Finally, I created the VPNs between each device. One unique feature enables all device configuration to be done while the ADI-4500s are offline. Once the ADI-4500s are connected to the network, they contact the AMS to obtain their configuration details.

ADI hypes a feature called Dynamic VPN Switching, which runs the RIP version 1 routing protocol inside the VPN tunnels. This enables the 4500 to learn the shortest paths through the VPN network. The functionality lets you add and remove devices within the VPN without having to change VPN or routing configurations. Dynamic VPN Switching makes redundant network paths through the VPN possible as well. I tested this feature by setting up an ADI-4500 and an ADI-100 remote client. I connected the ADI-100 client to ADI-4500 Number 1, then added ADI-4500 Number 2 and created a VPN between Number 1 and Number 2. I successfully pinged between Subnet 1 and Subnet 2 without setting up any special routing rules.

However, this scheme assumes that you want clear communications for every subnet protected by an ADI device. As new subnets are added or removed from behind the ADI devices, they will be updated automatically via RIP. There's a drawback to this approach: If you want to restrict user access to VPN services, you will need to take extra measures, such as installing a firewall or proxy server, or configuring numerous domains and deploying the ADI-100 client on all workstations that need VPN access. In the fourth quarter, ADI will ship new software that will restrict VPN access by address.
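To show why the routing behaviour just described is both the convenience and the drawback, here is an added example (written for this review, not ADI's software) that simulates distance-vector route learning over a set of tunnels: each device advertises the subnets behind it, neighbours add one hop per tunnel, and RIP's metric 16 means unreachable. The device names, prefixes and tunnel list are constructed sample data; the example also goes slightly beyond the article's two-switch test by adding a redundant tunnel to show the metric dropping.

```python
"""Distance-vector route learning over VPN tunnels (constructed example, not ADI's code).

Models the behaviour the article describes: each device advertises its
local subnets over its tunnels, neighbours add one hop per tunnel, and
RIPv1's metric 16 means unreachable. Device names and prefixes below are
invented sample data.
"""
from typing import Dict, List, Optional, Set, Tuple

UNREACHABLE = 16  # RIP treats 16 hops as infinity

# subnet -> (hop count, next-hop device; None for a directly attached subnet)
RouteTable = Dict[str, Tuple[int, Optional[str]]]


def converge(local_subnets: Dict[str, Set[str]],
             tunnels: List[Tuple[str, str]]) -> Dict[str, RouteTable]:
    """Run Bellman-Ford over the tunnel graph until no routing table changes."""
    tables: Dict[str, RouteTable] = {
        dev: {net: (1, None) for net in nets} for dev, nets in local_subnets.items()
    }
    changed = True
    while changed:
        changed = False
        for a, b in tunnels:
            for src, dst in ((a, b), (b, a)):  # RIP updates flow both ways over a tunnel
                for net, (metric, _) in list(tables[src].items()):
                    candidate = min(metric + 1, UNREACHABLE)
                    current = tables[dst].get(net, (UNREACHABLE, None))[0]
                    if candidate < current:
                        tables[dst][net] = (candidate, src)
                        changed = True
    return tables


def reachable_from(tables: Dict[str, RouteTable], device: str) -> List[str]:
    """Subnets a device holds a usable route for."""
    return sorted(net for net, (metric, _) in tables[device].items()
                  if metric < UNREACHABLE)


def all_subnets_mutually_reachable(tables: Dict[str, RouteTable]) -> bool:
    """The article's drawback: once routes propagate, every device reaches every subnet."""
    every: Set[str] = set()
    for table in tables.values():
        every.update(table)
    return all(set(reachable_from(tables, dev)) == every for dev in tables)


if __name__ == "__main__":
    # Constructed topology mirroring the test in the article: a remote client
    # tunnelled to switch 1, and switch 1 tunnelled to switch 2.
    subnets = {
        "ADI-4500-1": {"10.1.0.0/24"},
        "ADI-4500-2": {"10.2.0.0/24"},
        "ADI-100": {"10.100.0.0/24"},
    }
    tunnels = [("ADI-100", "ADI-4500-1"), ("ADI-4500-1", "ADI-4500-2")]
    tables = converge(subnets, tunnels)
    print("client routes:", tables["ADI-100"])
    print("everything reaches everything:", all_subnets_mutually_reachable(tables))

    # A new subnet behind switch 2 shows up at the client with no manual change.
    subnets["ADI-4500-2"].add("10.2.5.0/24")
    print("client sees:", reachable_from(converge(subnets, tunnels), "ADI-100"))

    # A redundant tunnel shortens the client's path to subnet 2 from 3 hops to 2.
    redundant = converge(subnets, tunnels + [("ADI-100", "ADI-4500-2")])
    print("with redundant tunnel:", redundant["ADI-100"]["10.2.0.0/24"])
```

Because the tables converge to full mutual reachability, nothing in the routing layer distinguishes a subnet that should be reachable over the VPN from one that should not. That is why restricting access, as the article notes, has to be done elsewhere: with a firewall or proxy in the path, or by splitting devices into separate domains.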

Send comments on this article to Mike Fratto at mfratto@nwc.com.
Copyright © 2008 United Business Media LLC