Want to put a VPN or firewall on your network card? A new class of product handles all the processing, keeping your server free to do the hard work. Virtual Private Networks (VPNs) have seen boom times since the focus has been turned up on the lack of security in transmitting data on the Internet. With a host of readily available packet sniffing applications on the market, virtually no transmissions can be classified as secure unless they are encrypted prior to being sent. Even then, in some cases, even transmissions can be captured and with some expertise decrypted--if the cracker has enough incentive to do so. To achieve the best possible security currently available, one of the most popular technologies currently implemented is VPNs.
A VPN is either a software or hardware solution that creates an encrypted data tunnel across an unsecured network such as the Internet or a wireless network. Once created, this tunnel is essentially a point-to-point connection, despite running through many routers and different telecommunications equipment and links Technically, the only equipment that can access the encrypted data on that link is the equipment on each end.
VPNs can be run either as software on a server or PC, or offloaded to a dedicated hardware device. Most security-minded IS Managers would generally opt for a hardware VPN solution over a software VPN solution due to the potential resource performance hit associated with encrypting and decrypting the data that is transmitted and received.
The majority of VPN/firewall hardware solutions are generally standalone appliances that look very similar to switches or routers. However, in recent months, a new class of product has emerged--firewall/VPN network cards. These are PCI or PCMCIA network cards that you would install in a single server or PC that handle the encryption and processing for running a firewall and VPN, and can be configured remotely.
Why would you want to do that?
For example, think about the link between the file server and the database server. If this link was running a VPN, effectively that would stop any external or even internal compromises via your corporate LAN infrastructure on the all-important database server, while still allowing the file server access to your data store. This is just one of many different uses for a VPN on an internal network.
Most people are now familiar with the concept of firewalls and the levels of security that they provide, whether they are personal desktop software firewalls such as ZoneAlarm or larger enterprise level firewalls like the Watchguard Fireboxes. A firewall is designed to block traffic both outbound and more importantly inbound on a range of IP addresses and/or computer ports. This gives the administrator extreme levels of control over the data that is potentially publicly available from any given system behind the firewall. There is also an area within a LAN or firewall that is classified as a demilitarized zone (DMZ). The DMZ is an unsecured area used for the company's publicly accessible services such as Web and e-mail servers.
To test the firewalling capabilities of these cards, we used NMAP, which is a port scanning tool that checks IP addresses for open ports and therefore potential access points for hackers to exploit and gain access to the system. All cards that supported the firewalling options provided excellent control for allowing and denying access to ports. Some even allowed the administrator to set the firewall configuration to open and close access to ports during set time periods, for instance, to open a specific port between the hours of 8am and 6pm Monday to Friday to allow telecommuters access to their data during operating hours only.
The vendors that submitted products for this review are 3Com, Netmaster and 14 South Networks (previously known as OmniCluster). Other vendors that make similar products include Intel and Brisbane-based SnapGear, who were unable to submit products for the review.
Amongst the products 3Com submitted a PCMCIA VPN card for a notebook. This may provide a valuable addition to your mobile resources if you needed to have portable security to transfer encrypted data to and from a remote site. Establishing a VPN this way would remove some of the resource overheads associated with software VPN solutions, particularly as most notebooks are relatively low-powered compared to desktops and servers. It would also reduce costs, as any Internet connection could be used instead of dialling in to establish a point-to-point connection, and would prevent having to suffer the slow speeds of a 56Kbps or worse modem connection. And finally if a VPN over the internet was the only solution to get the data through securely from a remote site via a notebook, the PCMCIA card fits neatly in your notebook and saves having to carry a separate VPN router around just to connect securely.
14 South Networks IntraLock 10-1/DL
In one of those bizarre rebranding incidents, the company formerly known as OmniCluster recently renamed itself 14 South Networks. Its product names were also re-jigged, and the SlotShield SSS 10 DL is know known as the IntraLock 10-1/DL. If you're wondering what happened to Omnicluster, now you know. We hope it makes sense to someone in 14 South Networks' marketing department, at least.
The IntraLock 10-1/DL is the big kahuna when it comes to VPN/firewalls on a card. It has 512MB of RAM, a Pentium III processor, and three 10/100 NICs all on board. It is a full length card, so before committing to this unit you will need to ensure that the server has enough space, particularly if it is rack mounted. It is designed primarily to secure an individual server, and depending on the model of IntraLock card that you purchase it will support between 10 and 30 concurrent VPN tunnels.
Once the card was physically inserted into the system and the server booted, the software installation went surprisingly well and the online guides and wizards were very detailed. The setup procedure creates a virtual disk image, which the Interlock actually boots itself from. The IntraLock then opens its own virtual console window on the desktop and boots its disk image from your PC's hard disk. The IntraLock runs a hardened version of Red Hat Linux. Once Linux has booted on the IntraLock you are then presented with the Network Configuration tool.
This tool steps you through the basic configuration of the card, including the reconfiguration of the root and fwssh passwords, the addition of another user, and the configuration of the three onboard NICs. The configuration then passes to another window where you can set up further administrators and specific IP addresses that are allowed to run administration for the firewall. You can then load the Check Point SMART clients feature pack on your server, should you choose. This client software can also be loaded on any of the systems that you configured to act as administration consoles earlier.
All in all the IntraLock device is the only unit in this review with all the bells and whistles that you could wish for in a Firewall/VPN device that fits inside a system. Keep in mind that all that research, development, and production also cause it to carry the highest price tag. The decision to go for this unit or an external unit would be borderline.
Operates on a wide range of platforms due to onboard virtual PC hardware, also supports a wide range of security standards.
Futureproofing:
Gigabit support would have been nice, firmware is upgradeable for future features.
ROI:
Comparable to an external firewall with similar features.
Service:
½
1-year warranty is a bit limited.
Rating:
NetMaster GG-Blade
The NetMaster GG-Blade is a very different kettle of fish than the 3Com products and much closer to 14 South Networks card (the GG stands for Gateway Guardian). The 3Com cards are designed as NIC replacements to provide better-than-normal internal security for servers and workstations by creating internal VPNs and offering some firewalling functionality, with limited emphasis on external security measures. Both the NetMaster and 14 South products, on the other hand, aim to supplement or even replace external firewall and VPN appliances.
This product looks like a PC on a card than a component card; it incorporates a Transmeta Crusoe TM 3200 CPU, 128MB of memory, and Realtek 8139C NICs onboard. While slightly larger than your average PCI card, it still retains quite a small form factor though and should fit in most systems.
The card has two network ports: one to act as the interface with the trusted network (LAN or internal), and one to interface with the untrusted network (WAN or external). Alternatively, if you want to secure the local system from the rest of your LAN, then you can use a crossover cable to connect the standard NIC inside the PC to the LAN port and thereby protect the system from the LAN.
Once installed and detected, the next step is to install the NetMaster Centralized Security Management (CSM) console. This is a Java-based administration and configuration utility, providing the administrator with full access to a wide range of configuration and monitoring tools. This interface is very well presented and the design--for what is technically quite a complex piece of equipment--is executed to perfection.
Overall this card is a very powerful tool and acts very well as a dedicated firewall/VPN device. The implementation of the CSM software is the key to its success. For ease of use as an SME firewall/VPN solution, the NetMaster GG-Blade it would be hard to pass over. It should also be noted that a similar solution is also available from NetMaster in an external appliance configuration called the GG-Ext.
NetMaster is seeking a distributor in Australia but doesn't currently have any local representation, so you'll have to buy it from overseas. This means support is not available at convenient times.
½
Limited to Microsoft platforms, but a wide variety of security standards.
Futureproofing:
Gigabit support would have been nice, firmware is upgradeable for future features.
ROI:
½
Well priced considering the features, but not as full-blown as the IntraLock.
Service:
1-year warranty is a bit limited, but extended service contracts are available.
Rating:
½
3Com
3Com submitted three products: the first two are very similar--they both look virtually identical except for their identification labels and model labels. These cards are much like network interface cards (NICs) and are in-fact designed as NIC replacements. The third product, as mentioned already, is a PCMCIA-type notebook adaptor which ships with a dongle for the RJ45 connection.
First we installed the 3CRFW300 Firewall Server PCI card, which is designed to operate with the 3Com embedded firewall policy server application (sold separately). While the policy server is required for configuration and management, this is not a software-based VPN; the processing is handled by the onboard 3XP processor onboard (ARM RISC based) that works in conjunction with the application. As its name suggests, this card is designed primarily as a firewall solution for servers.
When the system is first booted with this card in place, Windows 2000 Server automatically detects that the card has been installed and quickly finds the correct driver on the CD ROM provided; you can load the drivers and 3Com diagnostic software directly from the CD too. Once that is complete, you can install the 3Com Embedded Firewall. This application installs both the Policy Server and the Management Console. Once the application is installed and launched, you can set up a new policy domain or join an existing one. After you select the options specific to your environment, the system starts the policy server running though a brief checklist including database connection, certificate server startup, replication threads, network threads, admin threads, and server synchronisation. You can then launch the main 3Com MMC embedded firewall management console.
From the management console, you can find embedded firewall devices and enter the licencing key information to activate the products. Once activated you can select and setup your firewall security policies.
The management tool is very powerful and you must be careful when you use it; once you have registered any Embedded Firewall Devices (EFD) and set up your policies, the cards themselves are firmware encoded and will only respond to that particular firewall domain and management utility. If the server running the utility crashes, the cards will default to their unmanaged settings.
The second card from 3Com was the 10/100 Secure NIC 3CR990-TX-97. This card is designed to replace your standard desktop PC NIC and provide secure end-to-end VPN tunnelling via your LAN or WAN. The card looks is virtually identical to the 3CRFW300. It even uses the same 125Mhz RISC based 3XP Security processor chip from Agere that offloads the encryption processing from the system hardware to this dedicated chip which 3Com claims is up to 5 times faster than a software solution.
Installation was slightly different to the server card as you need to perform a pre-installation setup before physically installing the device in your system. Once it was installed, the software detected and ran the card correctly. Once the card drivers are installed and running correctly, you can load 3Com Dynamic Access software that comes bundled with this NIC.
The Dynamic Access software integrates very well in the background and basically adds another protocol to the normal Windows networking environment. It is controlled and configured entirely via the dynamic access properties under the Windows network resources. This utility gives you access to creating and managing virtual LANs, load balancing multiple NICs, and also failover for multiple NICs.
The third card we looked at was the PCMCIA Firewall PC Card 3CRFW102. This is a most interesting card providing hardware Firewall and VPN capabilities to notebooks. Primarily this would be used from remote locations or in secure office environments. The 3Com Firewall Policy Server includes options for roaming users and allows you to set up separate policies for these mobile device cards. For example, you could allow office and home access with different security levels at both points, and obviously different IP characteristics.
We installed this card into an Acer notebook running Windows XP Pro. We then loaded the 3Com PC Card software directly from the driver/software CD provided in the package from 3Com. 3Com provides a very handy utility called the Mobile Connection Manager that allows you to setup and select multiple different network configurations for the adaptor. This is extremely useful for workers who are often moving between different locations and physical networks each with their own particular unique settings and requirements.
The card configuration itself via the application is very straightforward, particularly the firewalling allow/deny aspects. Once completed, you are ready then to test your network settings and connect to your chosen network with the firewall and VPN options that you configured. The beauty of this is that you can set up many different connections and have all the data stored for whenever you are connecting to those different networks. You can also change your security levels on the fly simply by switching from one network configuration setting to another with weaker or stronger access rules. So not only would this card suit the secure roaming staff member, it would also be a powerful network tool for technicians within a widespread company with many geographic sites to cover.
As with other 3Com products we have reviewed in the past, 3Com seems to design and manufacture IT devices with a lot of in-built features and flexibility, however the implementation, administration, and usability are far more complex than they really need to be.
Another point to remember is that these devices are mostly proprietary to 3Com and require other 3Com products to operate to their featured potential. Some features that are advertised do not interoperate well, if at all, with some other brands of networking and security products. This is not necessarily a bad thing, as it allows 3Com to build in more features that certainly would not be possible in an open environment. However, if your enterprise already includes other vendors' products and you are looking at introducing some 3Com equipment, ensure beforehand that the features you are implementing are not proprietary to 3Com products only.
3Com Embedded Firewall Policy Server (sold separately), SNMP
3ComÃ,®Embedded Firewall Policy Server (sold separately), SNMP
3ComÃ,®Embedded Firewall Policy Server (sold separately), SNMP
Concurrent VPN tunnels
10
No Fixed Limit
N/A
N/A
N/A
VPN DES speed (Mb/sec)
50Mbps
N/A
N/A
N/A
N/A
VPN 3DES speed (Mb/sec)
40Mbps
7.4Mbps
95Mbps
95Mbps
95Mbps
VPN AES speed (Mb/sec)
80Mbps
11.6Mbps
N/A
N/A
N/A
OS supported
Windows 2000, 2003; RedHat Linux 7.1+, FreeBSD, Solaris, and others
Windows 98, ME, NT, 2000, XP
Embedded Firewall: Windows XP, 2000, 98, NT4.0. Network Card"others
Windows XP, 2000, 98, NT 4.0
Windows XP, 2000, 98, NT 4.0
Scenario
Company: Lippi Cosmetics
This company wants to ensure connections between its business-critical servers are encrypted using a VPN.
Approximate budget: Open
Requires: Four VPN network cards.
Concerns: The technical staff want to make use a solution that minimses the load on the servers' processors and is easy to manage.
Best solutions: Overall the 14 South Network IntraLock 10/1-DL wins due to its versatility and powerful feature set, while still able to retain a very user friendly installation, configuration, and administration sequence. An honourable mention however must also go to the 3Com 3CRFW102 PCMCIA Card, which although inappropriate for this purpose, is a very useful product in its own right.
Encryption standards
There are several encryption algorithms utilised by VPN vendors; the most common two are IP Security (IPSec) and Triple Data Encryption Standard or 3DES. The emerging Advanced Encryption Standard (AES) has recently been approved by the US National Institute of Science and Technology (NIST) as a replacement for DES, so AES may be popping up in more and more security products.
Interestingly, the GG-Blade from NetMaster also supports both the TwoFish and Serpent encryption protocols. Twofish, according to the Counterpane Web site is "a block cipher by Counterpane Labs. It was one of the five Advanced Encryption Standards (AES) finalists. Twofish is unpatented, and the source code is un-copyrighted and license-free; it is free for all uses." According to the University of Cambridge UK Computer Lab Web site, "Serpent is much faster than DES. Its design supports a very efficient bitslice implementation, and the current fastest version runs at over 45 Mbps on a 200MHz Pentium (compared with about 15 Mbit/sec for DES)."
It must be noted however that although both Serpent and TwoFish were contenders (coming second and third respectively), in the five encryption protocols reviewed for implementation as part of AES by NIST neither of them came first. The winner was the Rijndael protocol which is reportedly faster than--but not as secure as--Serpent.
Final Words
The cards we received for this review were all quite different, which goes to show that vendors are now really focusing on providing specific solutions for companies' problems that are very focused on specific target markets. 3Com impressed us with its PCMCIA Firewall/VPN card with its very useful mobile connection management application, which allows administrators to define multiple network environments, configurations, firewalls, and VPNs to suit their mobile/portable needs. The NetMaster GG-Blade had a perfectly versatile small-scale VPN/Firewall on a card that would be perfect for securing a small branch office WAN/LAN connection without the fuss and need for a external VPN/Firewall appliance. If you are looking for the big gun in an easy to set up, configure, and administer package, you would be very hard pressed to overlook the 14 South Network IntraLock 10/1-DL.
Subscribe now to Australian
Technology & Business magazine.
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own--only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
