
By Mike Fratto
If one VPN (virtual private network) is something to stand up and cheer about, then two VPNs must be even better. That's the premise behind RADGUARD's cIPro-DMZ, new hardware that consolidates two RADGUARD cIPro-VPN gateways in a single unit for an overall savings of nearly $3,000.
I tested a beta of the cIPro-DMZ and concluded that the gateways share only housing and power supplies: They are separate VPN devices, handling traffic and management individually. Fortunately, this approach affords you some flexibility in configuring your enterprise security; you can divide your private network and your extranet into distinct segments.
On the down side, the cIPro-DMZ is not managed as a single unit, so you will have to coordinate the security rules for both of the cIPros.
With a single cIPro-DMZ in the basic VPN model (see the diagram "Network Models" below), you begin by building a VPN in which all tunnels terminate at a single IP address (through which all traffic is transmitted).
The cIPro-DMZ expands on the basic model by segmenting the incoming traffic. For example, traffic destined for the public DMZ is transmitted through a tunnel terminated at the IP address of 10.1.1.1, while traffic destined for the private network is distributed through a tunnel terminated at 10.1.1.2. At no point is the tunnel traffic mixed. Because the VPN traffic is being handled by different encryption engines, performance degradation on one segment won't affect traffic on the other segment.
Of course, this model could easily be accomplished with two cIPros--though at a higher cost. (Keep in mind that you will need two public addresses to serve two DMZs.) Other configuration methods are also available. I set up the cIPro-DMZ as both a VPN and a firewall. In this scenario, I configured one cIPro as a VPN and the second cIPro as a firewall (see the diagram "VPN + Firewall," at left).

During testing, I connected the VPN's private interface to the firewall's public interface. With this configuration, I segmented both the VPN and firewall functionality, as well as the management. This allowed me to configure the VPNs, adding and deleting tunnels as necessary, while controlling access to the internal network through the firewall. The benefit of this configuration is a single point of administration for the VPN and the firewall.
Individual Initializing
With two cIPro gateways in the cIPro-DMZ, I had to initialize each device individually--a fairly tedious task that requires inserting a hardware token and manually entering a secret key. Once that's completed, the cIPro is ready to obtain its profile from the cIPro-CA certificate authority.
When I launched a Hewlett-Packard Co. HP OpenView-based management application, I was presented with three icons--one for the cIPro-CA and one for each cIPro. I then had to configure each unit in the Secure DMZ individually, which creates an opportunity for misconfigurations. For example, if I wanted to manage a server on the Public DMZ from the private network, I would have had to add rules to enable access in two places. If RADGUARD had integrated the cIPro-DMZ's management into a single unit, then those two rules could have been combined into one.
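An added example, not RADGUARD's code and not the cIPro's real rule syntax: it models the two independently managed cIPros as ordered rule lists (first-match evaluation with an implicit deny is assumed) and checks that an access path is permitted by every unit it crosses, so a rule that was added on only one of the two units is caught before the change goes live. The networks, addresses and rules are constructed for the example.

```python
# Added example: verify that a flow is allowed by every cIPro on its path,
# since the two units in the cIPro-DMZ are configured separately.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # None matches any port

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port in (None, port))

def decide(rules, src_ip, dst_ip, port):
    """First-match evaluation (assumed semantics); implicit deny at the end."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False

def path_allowed(gateways, src_ip, dst_ip, port):
    """gateways: list of (name, rules) in traversal order.
    Returns (True, None) if every unit permits the flow, else (False, name)
    naming the first unit whose rule set blocks it."""
    for name, rules in gateways:
        if not decide(rules, src_ip, dst_ip, port):
            return False, name
    return True, None

# Constructed sample: private network 192.168.10.0/24 behind the "private" cIPro,
# public DMZ 192.168.20.0/24 behind the "dmz" cIPro. An administrator wants to
# manage the DMZ server 192.168.20.5 over port 22 from the private network.
PRIVATE_CIPRO = [Rule("allow", "192.168.10.0/24", "192.168.20.5/32", 22)]
DMZ_CIPRO_BEFORE = [Rule("allow", "0.0.0.0/0", "192.168.20.0/24", 80)]  # web only
DMZ_CIPRO_AFTER = DMZ_CIPRO_BEFORE + [
    Rule("allow", "192.168.10.0/24", "192.168.20.5/32", 22)]  # matching rule added

if __name__ == "__main__":
    path = [("private", PRIVATE_CIPRO), ("dmz", DMZ_CIPRO_BEFORE)]
    print(path_allowed(path, "192.168.10.7", "192.168.20.5", 22))  # (False, 'dmz')
    path = [("private", PRIVATE_CIPRO), ("dmz", DMZ_CIPRO_AFTER)]
    print(path_allowed(path, "192.168.10.7", "192.168.20.5", 22))  # (True, None)
```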
Send your comments on this article to Mike Fratto at mfratto@nwc.com.