
Virtual privacy: Eight VPN appliances tested

If you are in the market for a VPN, don't go past this review. We test the latest appliances and provide tips on purchasing and setting it up.
Written by Kire Terzievski, Contributor


Contents
Setting up a VPN
Netgear FVL-328
CyberGuard SG575
Juniper NS-5GT
Fortinet FortiGate-60
Watchguard Firebox 1000
Symantec SGS 460
Nortel Contivity 1100
Sonicwall Pro 2040
Specifications
How we tested
Sample scenario
Editor's choice
About RMIT

A VPN is a virtual private network, which is basically a private tunnel that connects two networks through a public network (usually the Internet). VPNs have been used to replace owned or leased lines so that a company can share the same capabilities but at a lower cost by using a shared public network.
A VPN works by encrypting data before sending it across a public network and decrypting it at the receiving end. Security features differ from product to product, but VPNs generally include encryption, authentication of remote users or sites, and mechanisms for disguising information about the private network from the public network. VPN functionality is often part of a firewall, so many of the appliances tested in this review include varying amounts of firewall functionality.
For this review we look at eight VPN appliances from the following vendors: Cyberguard, Fortinet, Juniper, Netgear, Nortel Networks, SonicWall, Symantec, and Watchguard.
How is the Data Secured?
The IPSec protocol suite provides a complete secure communications suite, with authentication, integrity, and confidentiality, and makes key exchange practical even in larger networks.

Generally speaking, with IPSec-compliant products you can build a secure VPN in any existing IP-based network.

We did however encounter a few problems trying to create a tunnel between two sites using two different VPN appliances. We imagine that this sort of thing would be happening out in the field as well. Ideally you would use appliances from the same vendor as it makes life so much easier.
IPSec also handles the encryption at the packet level. The protocol it uses is called ESP. ESP supports pretty much any kind of symmetric encryption. The default standard built into ESP that assures basic interoperability is 56-bit DES. Most of the appliances tested are capable of (and were tested at) triple DES.



Setting up a VPN
VPNs can be difficult to install even when you have previous experience. There is a variety of skills required, from networking (TCP/IP) to general security, firewalls, and the VPN specifics. The best way forward is often to have your reseller configure everything for you, and teach you along the way, then get some further training.
An unmonitored VPN/firewall is little better than no VPN/firewall at all. You need to be watching the logs and keeping an eye on what is happening inside and outside your network. All the units except the Watchguard used a browser-based client to configure and monitor the appliance, while the Watchguard uses a proprietary application.
A well-designed VPN can greatly benefit a company. For example, it can:
  • Extend geographic connectivity

  • Improve security

  • Simplify network topology

  • Provide global networking opportunities

  • Provide better ROI than traditional WAN

Things to look out for

  • Security. Most units use 3DES standard encryption which is pretty difficult to break.

  • Number of VPN connections. The unit must be able to support the required number of VPN connections.

  • Speed. Can the unit keep up? We found that over a 100Mbps connection the speed was about 1/6 to 1/10 of the wire speed.

  • Standards/ Interoperability. What standard does the unit meet, and how well does it interoperate with other units that you may use, or your business partners may have?

  • Ease of Setup/Management. Some of these units are very difficult to set up, and setup shouldn't really be attempted by someone without a lot of experience. Better still, have your reseller configure everything for you.



Netgear FVL-328
The Netgear FVL-328 was submitted a few months ago as part of our annual firewall review. So this time around we were primarily interested in how well this unit stacks up as a virtual private networking device.
On the front of the unit were a total of 20 LEDs which show the status of power, test, WAN link (speed, link/activity) and the speed and link/activity of the eight trusted network ports. On the back was a single WAN/Internet connection port and eight local 10/100M network ports as well as a power connector.
The setup of the Netgear was quick and easy. The configuration was not as comprehensive as some but it certainly provides adequate protection for small businesses. The easy-to-follow built-in guides would allow most moderately experienced technicians to configure the unit. While not as scalable as some of the other solutions on offer, it would still be a good economical start down the security/VPN path for most businesses.
Product FVL328
Price AU$1069
Vendor Netgear
Phone 1800 502 061
Web www.netgear.com.au
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Very good levels of expansion ability available.
ROI
½
On a par with similar competition, certainly well priced for small business.
Service
Three-years limited warranty and support.
Rating
½

CyberGuard SG575
The Cyberguard unit was by far the smallest unit tested. On the front of the unit were eight LEDs showing activities while on the back was a single Internet or untrusted network port, single LAN trusted port, DMZ port, serial COM port, a power input, and a reset button. On the base of the unit were two mounts that can be used to secure the unit.
The setup of this unit was straightforward and had us up and running in less than five minutes. Most of the credit can be given to the Quick Install Guide which explains how to set up a VPN tunnel step by step.
The unit also comes with a good set of features including intrusion detection (SNORT), automatic fail-over, load balancing, Web cache (SQUID), and DMZ support.
Product CyberGuard SG575
Price AU$1829
Vendor BAX IT SERVICES Pty Ltd
Phone 02 9922 2355
Web www.baxit.com.au
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Very good levels of expansion available, very easy to deploy.
ROI
Moderately priced for the features.
Service
One-year warranty (standard), optional four-year warranty. 30-day installation support, one-year e-mail support, optional annual support.
Rating

Juniper NS-5GT
We received two units from Juniper, the NS-5GT and NS-25. Both of these units were still labelled as Netscreen units even though Juniper now owns Netscreen. We only tested the NS-5GT and used the NS-25 as the head-end device and to sort out issues in the test bed.
The front of the NS-5GT has no ports, just 12 LEDs; 10 of these LEDs show the link/activity and 10/100Mbps connectivity of the four trusted and one untrusted network ports. The other two LEDs show power and status.
The rear of the unit has the Kensington lock physical security feature, an earth/ground screw point, a power input, a recessed reset button, console port, serial modem port, and five network ports -- four of which are trusted and one of which is untrusted. The base of the unit included two slotted mounts suitable for secure desk or wall mounting.
The initial configuration was relatively simple, while the setup of a tunnel took us a lot longer than expected only because the GUI wasn't as intuitive as some of the others. But once you get used to it, you can actually get things done very quickly.
The Juniper NS-5GT also offers firewall protection, as well as Web filtering, antivirus scanning, and a whole heap of other optional extras; however, you have to pay extra for access to those.
Product NS-5GT/ NS-5GT ADSL
Price AU$929/AU$1073
Vendor Juniper Networks
Phone 02 8913 9800, 03 9655 8300
Web www.juniper.net
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Number of tunnels supported is low.
ROI
On a par with similar competition, certainly well priced for small business.
Service
One-year warranty and support.
Rating

Fortinet FortiGate-60
The FortiGate-60 is suited for small offices and features dual WAN links for redundant Internet connections, four internal network ports, a DMZ port, two USB ports, a serial console port and a power connector. On the front were 16 LEDs that display the status of all the connections.
The Web-based interface looked very similar to that of the SonicWall and was just as easy to configure. Besides providing secure communications tunnels between networks the unit does Web content filtering, firewall protection, dynamic intrusion detection and prevention, and network-based antivirus.
Product Fortigate 60
Price AU$1300
Vendor Fortinet
Phone 02 8923 2555
Web www.fortinet.com
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Very good levels of expansion ability available.
ROI
On a par with similar competition, certainly well priced for small business.
Service
One-year warranty and support.
Rating

Watchguard Firebox 1000
This eye-catching red unit is of metal construction and was one of only two units submitted that were rack mountable. Suited for mid-sized businesses or branch offices, the Firebox 1000 has a large LCD on the front with four buttons for configuring the unit, and 14 LEDs, 12 of which show either 10Mbps or 100Mbps connectivity for each of the six network ports. The other two LEDs show power and arm/disarm status. There are also six network ports on the front of the unit, one of which is marked as external.
There is a console port on the front and a large flap/cover that opens to reveal a nifty removable 3.5in HDD bracket for future expansion. The rear of the unit has a power connector and a power switch. The installation is a little different to the other units on test in this review in that the operator must first load the application software onto a designated firewall administration system.

Once installed the software takes the user through a series of questions and uploads the configuration file straight to the firewall.
This is followed by a system reboot. The Administrator can then open the Firebox System Manager, connect to the IP address of the unit, and view its status and so on. When you get there you still have to configure the VPN tunnel. Setting this up is pretty much the same as with many of the other units.
You still have to set up your Phase 1 and Phase 2 settings and the only difference was the overall look and feel of the interface.
This whole process from start to finish took us somewhat longer than it did with the other units but we were still quite happy since it's quite an advanced unit.
The unit also provides firewall security, real-time monitoring and graphs that can be generated on a range of criteria. You can also buy several optional products that can further enhance the Firebox like WebBlocker which does content filtering, SpamScreen which screens junk e-mail and virus scanning.

Product Firebox X 1000
Price AU$5060
Vendor WatchGuard Technologies
Phone 02 8912 2199
Web www.watchguard.com
 
Interoperability
Excellent interoperability, functionality and ports. No Web-based interface.
Futureproofing
½
Excellent levels of expansion available.
ROI
½
Good price for the level of this product.
Service
One-year warranty and support.
Rating
½

Symantec Gateway Security 460
The Symantec 460 is a multifunctional firewall/VPN appliance that would suit small branch offices. The unit has seven LEDs located on the front with small icons resembling who knows what. They really ought to use better icons or, better still, text. On the back were eight local network ports, two WAN ports, a serial port, power connector, and power button. On the right-hand side was a Cardbus WLAN slot.
We initially had issues connecting this device to the NS-25 and we were almost going to give up on it. It wasn't that the browser-based interface was hard to use, nor were the instructions in the manual hard to follow. The logs didn't indicate where the error was coming from which made it even more difficult to pinpoint where the problem was. After some trial and error we ended up getting the tunnel up and running.
Another issue we had with it was when we changed the system settings it would always have to reboot to make the changes effective. It wasn't quick to reboot either. The unit also forces you to use a minimum 20-digit pre-shared key which is not a bad thing since on some of the units you can get away with using only a five-digit key.
The unit integrates a firewall with antivirus policy enforcement, intrusion detection and prevention, as well as content filtering. It can also provide wireless LAN protection with an access point option.
Product SGS 400
Price from AU$899
Vendor Symantec
Phone 1800 680 026
Web www.symantec.com.au
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Very good levels of expansion available.
ROI
½
On a par with similar competition, certainly well priced for small business.
Service
One-year warranty and support.
Rating
½

Nortel Networks Contivity 1100
The Contivity 1100 was designed with small sites in mind. The Contivity has five LAN ports on the front, each with speed and link/activity lights (four of which are trusted and one untrusted). There is also an RJ-45 console port with ready/boot and alert indicators. There were also options on the front for an additional 10/100 RJ-45 port, and single-port V.35/X.21 or T1 with integrated CS+B41U/DSU or V.90 dial modem.
On the back was a power connector, power switch and power indicator as well as a ground screw. Underneath the unit were five screw slots with which you can secure the unit to a base.
The unit was relatively straightforward to install. It came with good documentation which made our life a lot easier. The unit by default can support up to 10 tunnels with a maximum of 30 -- this is a little on the low side.
The unit also offers firewall protection, QoS and bandwidth management but you have to purchase an extra license to enable the latter.
Product Contivity 1100
Price US$1499 (approx. AU$2001)
Vendor Nortel Networks
Phone 1800 NORTEL (1800 667835)

Web www.nortel.com
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Very good levels of expansion available.
ROI
½
Moderately priced for the features.
Service
One-year, 90 day software support.
Rating
½

Sonicwall Pro 2040
The SonicWall along with the Watchguard were the only rack-mountable appliances.
The SonicWall unit is suited for small- to mid-sized networks with up to 200 nodes. On the front were four 10/100Base-T ports (1 LAN, 1 WAN, 1 DMZ, 1 inactive with SonicOS Standard; 1 WAN, 1 LAN, 2 configurable with SonicOS Enhanced). Also found on the front are power, test, and alarm indicators as well as a console port. The power connection is at the rear of the appliance.
The Web-based interface looked very similar to that of the Fortinet. Most likely Fortinet would have taken a page out of Sonicwall's book. The configuration of this unit was also very easy. The SonicWall can do a whole list of other things including deep packet inspection, intrusion prevention, content filtering, load balancing and reporting. The SonicWall also managed to record the fastest throughput out of all the units tested.
Product Pro 2040
Price US$3495 (approx AU$4665) as supplied with Enhanced Operating System
Vendor SonicWall
Phone 02 9267 7883, 03 9699 1978

Web www.sonicwall.com
 
Interoperability
Very good interoperability and functionality and ports.
Futureproofing
Excellent levels of expansion available.
ROI
½
Good price for the level of this product.
Service
One-year.
Rating
½

Specifications

Product Contivity 1100 CyberGuard SG575 Firebox 1000 Fortigate 60
Company Nortel Networks BAX IT SERVICES Pty Ltd Watchguard Technologies, Inc Fortinet
Price (inc GST) US$1499 US (approx AU$2001) AU$1829 AU$5060 AU$1300 includes first year's maintenance, AV and IPS updates
Warranty 1 year, 90-day software support 1-year warranty (standard), optional four-year warranty. 1 year 1 year
Certifications Common Criteria ELA4, DSD ISCA, VPNC, VPNC ICSA IPSEC and firewall, EAL4 due for completion early 2005 ICSA
Encryption standards supported DES, 3DES, AES, RC4 DES, 3DES, AES DES, 3DES (AES in Hardware) DES, 3DES, AES128, AES192, AES256
Ethernet ports internal 4 1 or 2 5 4
Ethernet ports external 1 1 or 2 1 2
Other Ports Optional additional 10/100BaseT Ethernet Single-port V.35/X.21 T1 with integrated CS+B41U/DSU V.90 dial modem Serial Serial, HDD bracket 1 x DMZ
Reporting methods (log, email notification, custom tools) Internal Log, SYS, SNMP, Syslog, e-mail for some functions, SNMP, Cerberian Log, e-mail, custom tools Internal & external logging, Alert e-mail, SNMP traps
# tunnels 30 400 1500 40 dedicated, unlimited from VPN client
VPN 3DES speed (Mbps) 15Mb/s 20Mbps 75Mbps 20Mbps
Target market SOHO/SME SME SME SOHO and SMB
Other features   SNORT, SQUID, NASL. Deep packet inspection, intrusion prevention, spam filtering, Web blocking, gateway AV, model upgradeability ASIC based, integrated stateful firewall, AV, antiSpam, intrusion prevention, content filtering, traffic shaping, 802.1Q VLANs, high availability, L2TP & PPTP VPNs, quad ICSA certified

Product FVL328 NS-5GT/ NS-5GT ADSL Pro 2040 SGS 400
Company Netgear Juniper Networks SonicWall Symantec
Price (inc GST) AU$1069 AU$927/AU$1073 US$3495 (approx $4665 AUD) as supplied with Enhanced Operating System from AU$899
Warranty 3-years limited 1 year 1 year 1 year
Certifications ICSA, VPNC ICSA firewall and VPN ICSA NA
Encryption standards supported DES, 3DES DES, 3DES, AES DES, 3DES, AES DES, 3DES, AES
Ethernet ports internal 8 5 (+ 1xADSL) 1 8
Ethernet ports external 1 software configurable 3 (configurable) 2
Other Ports 8-Port 10/100 switch Console, modem Serial Serial, dip switches
Reporting methods (log, email notification, custom tools) Syslog Syslog (up to 4 servers) e-mail (2 addresses) NetIQ Webtrends SNMPv2 Traceroute Syslog, local log, SNMP trap, e-mail, Global Management System (GMS) Syslog
# tunnels 100 up to 10 max 100 50*
VPN 3DES speed (Mbps) 15.7Mbps 20Mbps 50Mbps 35Mbps
Target market SOHO and Corporate Remote office SOHO, SMB Small- to mid- sized networks (up to 200 nodes) SME
Other features High-speed 150-MHz CPU for fast tunnelling throughput. True firewall with stateful packet inspection (SPI) and intrusion detection denial of service (DoS) attack protection. Stateful firewall (2000 sessions), Network/Port Address Translation, IPSec NAT Traversal Redundant VPN Gateways VPN Tunnel Monitoring OSPF, BGP, RIPv2, Static Routes, and more Enhanced OS (as supplied) provides wireless access with Sonic Points (IPSEC enforceable), Wireless Guest Services. Plus optionals. Firewall anti-virus Policy enforcement intrusion detection/ prevention content filtering hardware add-on wireless LAN access point



How we tested
Interoperability
Web-based interface, ability to connect to other VPNs, number of trusted WAN and Ethernet ports.
Futureproofing
Encryption support, number of VPN tunnels supported and speed, extra features, such as AV scanning.
ROI
What kind of functionality do you get for your money?
Service
What is the duration of the service and availability from the vendors?

We tested the VPNs for the Scenario by setting up a network as follows:
  • Client system A with address: 192.168.2.1

  • crossover cable

  • VPN device 1

  • private address 192.168.2.254

  • public address 144.205.26.201

Switch:
  • VPN Device 2

  • private address 192.168.1.254

  • public address 144.205.26.200

  • crossover cable

  • Server A with address 192.168.1.1

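| Product | Cyberguard | Fortinet | Juniper | Netgear | Nortel | SonicWall | Symantec | Watchguard |
|---|---|---|---|---|---|---|---|---|
| Lots of small | 37 | 30 | 31 | 37 | 33 | 23 | 27 | 28 |
| Medium | 20 | 11 | 11 | 22 | 20 | 10 | 18 | 11 |
| Large | 117 | 62 | 60 | 127 | 116 | 66 | 103 | 64 |
| Total Time | 174 | 103 | 101 | 185 | 169 | 99 | 148 | 103 |
| Speed in Mbit/Sec | 9.58 | 16.26 | 16.53 | 9.00 | 9.86 | 16.80 | 11.29 | 16.17 |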

We then created a VPN tunnel between the two networks with Network Address Translation (NAT) so that the clients could all see each other. The VPN used Triple DES with SHA1. We then mapped a drive from Client A to Server A and transferred three file sets to the server to give a representation of the VPN speed in Mbits/sec. The Juniper NS-25 was used as the head end.
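
The review found that bringing up a tunnel between two different vendors' appliances was error-prone and that the logs did not always say why. As an added example (not from the original article or any vendor), this Python script compares the two ends' settings before bring-up; the addresses and 3DES/SHA1 follow the test bed above, while the DH group, lifetimes, keys and all names are assumptions.

```python
from dataclasses import dataclass, fields, replace
from ipaddress import ip_network

MIN_PSK_LEN = 20  # the minimum the Symantec unit in the review enforces


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: int     # assumption: not stated in the review
    lifetime_s: int   # assumption: not stated in the review


@dataclass(frozen=True)
class Gateway:
    name: str
    public_ip: str
    peer_ip: str
    local_subnet: str
    remote_subnet: str
    phase1: Proposal
    phase2: Proposal
    psk: str


def preflight(a: Gateway, b: Gateway) -> list[tuple[str, str]]:
    """Return (check, detail) findings; an empty list means both ends agree."""
    out = []
    for x, y in ((a, b), (b, a)):
        # Each side must point at the other's public address.
        if x.peer_ip != y.public_ip:
            out.append(("peer", f"{x.name} targets {x.peer_ip}, {y.name} is {y.public_ip}"))
        # Traffic selectors must mirror exactly, prefix length included.
        if ip_network(x.remote_subnet) != ip_network(y.local_subnet):
            out.append(("selector", f"{x.name} remote {x.remote_subnet} != "
                                    f"{y.name} local {y.local_subnet}"))
    if ip_network(a.local_subnet).overlaps(ip_network(b.local_subnet)):
        out.append(("overlap", "both sites use overlapping private ranges"))
    # Compare Phase 1 and Phase 2 proposals field by field.
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for f in fields(Proposal):
            va, vb = getattr(pa, f.name), getattr(pb, f.name)
            if va != vb:
                out.append((f"{phase}.{f.name}", f"{a.name}={va} {b.name}={vb}"))
    # Never echo the key itself; report only the property that failed.
    if a.psk != b.psk:
        same = a.psk.strip() == b.psk.strip()
        why = "differ only by surrounding whitespace" if same else "differ"
        out.append(("psk", f"pre-shared keys {why}"))
    for g in (a, b):
        if len(g.psk) < MIN_PSK_LEN:
            out.append(("psk-length", f"{g.name} key is {len(g.psk)} characters, "
                                      f"want >= {MIN_PSK_LEN}"))
    return out


# Constructed sample: addresses and 3DES/SHA1 follow the review's test bed;
# DH group, lifetimes and keys are made up for the example.
P1 = Proposal("3des", "sha1", 2, 28800)
P2 = Proposal("3des", "sha1", 2, 3600)
PSK = "constructed-sample-key-0001"
SITE_A = Gateway("device1", "144.205.26.201", "144.205.26.200",
                 "192.168.2.0/24", "192.168.1.0/24", P1, P2, PSK)
SITE_B = Gateway("device2", "144.205.26.200", "144.205.26.201",
                 "192.168.1.0/24", "192.168.2.0/24", P1, P2, PSK)
# The same far end with three typical slips: MD5 left selected for Phase 2,
# a /25 typed for the remote network, and a five-character key.
SITE_B_BAD = replace(SITE_B, phase2=replace(P2, integrity="md5"),
                     remote_subnet="192.168.2.0/25", psk="12345")

if __name__ == "__main__":
    for check, detail in preflight(SITE_A, SITE_B_BAD):
        print(f"{check:18} {detail}")
```
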


Sample scenario
Scenario: This company wants to use a standard Internet connection to connect to a supplier in order to integrate with the supplier's ordering systems.
Approximate budget: No limit.
Requires: A VPN appliance.
Concerns: The company has no control over the supplier's end of the connection, so interoperability with other vendors' products is vital. Security is very important as well as data throughput.
Final words
The results of our performance tests show SonicWall to be the fastest unit of the bunch. However, it was only marginally faster than the Juniper, Fortinet, and Watchguard products.
With not much between them in terms of throughput, we suggest you look at what's most important to you, such as the number of tunnels, other features like content filtering and antivirus, and price.


Editor's choice
Watchguard Firebox 1000
Juniper NS-5GT

The winners of the scenario and Editor's Choice are Watchguard and Juniper. If we had an open budget we would go for the Watchguard Firebox 1000. It can serve the most tunnels, it has a great set of features including deep packet inspection, intrusion prevention, spam filtering, Web blocking, and gateway antivirus. It also performed well in our throughput tests.
The Sonicwall also deserves an honourable mention here as it was only narrowly beaten by the Watchguard. For more of an entry-level VPN device we recommend the Juniper. It's very cheap, it works well but it's limited to only 10 tunnels.
This article was first published in Technology & Business magazine.

About RMIT IT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.
