Generally speaking, with IPSec-compliant products you can build a secure VPN in any existing IP-based network.
We did however encounter a few problems trying to create a tunnel between two sites using two different VPN appliances. We imagine that this sort of thing would be happening out in the field as well. Ideally you would use appliances from the same vendor as it makes life so much easier.
IPSec also handles the encryption at the packet level. The protocol it uses is called ESP. ESP supports pretty much any kind of symmetric encryption. The default standard built into ESP that assures basic interoperability is 56-bit DES. Most of the appliances tested are capable of (and were tested at) triple DES.
A VPN is a virtual private network, which is basically a private tunnel that connects two networks through a public network (usually the Internet). VPNs have been used to replace owned or leased lines so that a company can share the same capabilities but at a lower cost by using a shared public network.
A VPN works by encrypting data before sending it across a public network and decrypting it at the receiving end. Security features differ from product to product, but VPNs generally include encryption, authentication of remote users or sites, and mechanisms for disguising information about the private network from the public network. VPN functionality is often part of a firewall, so many of the appliances tested in this review include varying amounts of firewall functionality.
For this review we look at eight VPN appliances from the following vendors: Cyberguard, Fortinet, Juniper, Netgear, Nortel Networks, SonicWall, Symantec, and Watchguard.
How is the Data Secured?
The IPSec protocol suite provides a complete secure communications suite, with authentication, integrity, and confidentiality, and makes key exchange practical even in larger networks.
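To make concrete what ESP protects and what it leaves visible on the wire, here is an added Python example; it is not part of the original review and not any vendor's code. It parses a constructed ESP-over-IPv4 packet (the public addresses are the ones from the test bed; the SPI, payload bytes and ICV are placeholders) and implements the receiver's anti-replay window from RFC 4303, which is how the sequence number that travels in the clear still contributes to security. It assumes a 96-bit HMAC-SHA1 ICV, matching the 3DES/SHA1 tunnels used in the tests.

```python
import struct

# Wire layout of ESP (RFC 4303): a 4-byte SPI and a 4-byte sequence number in
# the clear, then the encrypted payload and trailer, then the integrity check
# value (ICV). IP protocol number 50 identifies ESP in the outer IP header.
ESP_HEADER = struct.Struct("!II")
IP_PROTO_ESP = 50


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header and return src, dst, protocol and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": packet[9],
        "payload": packet[ihl:total_len],
    }


def parse_esp(datagram: bytes, icv_len: int = 12) -> dict:
    """Split an ESP datagram into its cleartext header, opaque body and ICV.

    icv_len=12 assumes HMAC-SHA1-96 (the SHA1 authentication of the review's
    3DES/SHA1 tunnels); without the SA's keys the body cannot be decrypted.
    """
    if len(datagram) < ESP_HEADER.size + icv_len:
        raise ValueError("truncated ESP datagram")
    spi, seq = ESP_HEADER.unpack_from(datagram)
    body = datagram[ESP_HEADER.size:]
    return {"spi": spi, "seq": seq, "ciphertext": body[:-icv_len], "icv": body[-icv_len:]}


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 section 3.4.3), 64 packets by default.

    The receiver keeps the highest sequence number seen and a bitmap of which
    of the previous `size` numbers have already arrived.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for the constructed sample."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


# Constructed sample: one ESP packet between the two public addresses of the
# test bed. The SPI, "ciphertext" bytes and ICV are placeholders, not real traffic.
SAMPLE_SPI = 0xC0FFEE
SAMPLE_PACKET = build_ipv4(
    "188.8.131.52", "184.108.40.206", IP_PROTO_ESP,
    ESP_HEADER.pack(SAMPLE_SPI, 1) + bytes(range(32)) + b"\x11" * 12,
)


def inspect(packet: bytes) -> dict:
    """What a passive monitor can learn from one ESP packet: endpoints, SPI,
    sequence number and sizes. Nothing about the inner packet is visible."""
    ip = parse_ipv4(packet)
    if ip["proto"] != IP_PROTO_ESP:
        return {"esp": False, "proto": ip["proto"]}
    esp = parse_esp(ip["payload"])
    return {"esp": True, "src": ip["src"], "dst": ip["dst"], "spi": esp["spi"],
            "seq": esp["seq"], "ciphertext_len": len(esp["ciphertext"])}


if __name__ == "__main__":
    print(inspect(SAMPLE_PACKET))
    window = ReplayWindow()
    for seq in (1, 3, 2, 2, 100, 30):
        print(seq, "accepted" if window.accept(seq) else "dropped")
```

A monitoring point on the public side therefore sees only the endpoints, the SPI, sequence numbers and packet sizes; logging those per SPI is enough to spot a tunnel that keeps renegotiating or a burst of replayed packets, without ever needing the keys.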
Setting up a VPN
VPNs can be difficult to install even when you have previous experience. A variety of skills is required, from networking (TCP/IP) to general security, firewalls, and the VPN specifics. The best way forward is often to have your reseller configure everything for you and teach you along the way, then get some further training.
An unmonitored VPN/firewall is little better than no VPN/firewall at all. You need to be watching the logs and keeping an eye on what is happening inside and outside your network. All the units except the Watchguard used a browser-based client to configure and monitor the appliance, while the Watchguard uses a proprietary application.
A well-designed VPN can greatly benefit a company. For example, it can:
- Extend geographic connectivity
- Improve security
- Simplify network topology
- Provide global networking opportunities
- Provide better ROI than traditional WAN
Things to look out for
- Security. Most units use 3DES standard encryption, which is pretty difficult to break.
- Number of VPN connections. The unit must be able to support the required number of VPN connections.
- Speed. Can the unit keep up? We found that over a 100Mbps connection the speed was about 1/6 to 1/10 of the wire speed.
- Standards/Interoperability. What standard does the unit meet, and how well does it interoperate with other units that you may use, or that your business partners may have?
- Ease of Setup/Management. Some of these units are very difficult to set up, and shouldn't really be attempted by someone without a lot of experience. Better still, have your reseller configure everything for you.
Netgear FVL-328
The Netgear FVL-328 was submitted a few months ago as part of our annual firewall review. So this time around we were primarily interested in how well this unit stacks up as a virtual private networking device.
On the front of the unit were a total of 20 LEDs showing the status of power, test, the WAN link (speed, link/activity) and the speed and link/activity of the eight trusted network ports. On the back was a single WAN/Internet connection port and eight local 10/100M network ports, as well as a power connector.
The setup of the Netgear was quick and easy. The configuration was not as comprehensive as some, but it certainly provides adequate protection for small businesses, and the easy-to-follow built-in guides would allow most moderately experienced technicians to configure the unit. While not as scalable as some of the other solutions on offer, it would still be a good economical start down the security/VPN path for most businesses.
CyberGuard SG575
The Cyberguard unit was by far the smallest unit tested. On the front of the unit were eight LEDs showing activity, while on the back was a single Internet or untrusted network port, a single LAN trusted port, a DMZ port, a serial COM port, a power input, and a reset button. On the base of the unit were two mounts that can be used to secure the unit.
The setup of this unit was straightforward and had us up and running in less than five minutes. Most of the credit can be given to the Quick Install Guide, which explains how to set up a VPN tunnel step by step.
The unit also comes with a good set of features including intrusion detection (SNORT), automatic fail-over, load balancing, Web cache (SQUID), and DMZ support.
Juniper NS-5GT
We received two units from Juniper, the NS-5GT and NS-25. Both of these units were still labelled as Netscreen units even though Juniper now owns Netscreen. We only tested the NS-5GT and used the NS-25 as the head-end device and to sort out issues in the test bed.
The front of the NS-5GT has no ports, just 12 LEDs; 10 of these LEDs show the link/activity and 10/100Mbps connectivity of the four trusted and one untrusted network ports. The other two LEDs show power and status.
The rear of the unit has a Kensington lock slot for physical security, an earth/ground screw point, a power input, a recessed reset button, a console port, a serial modem port, and five network ports -- four of which are trusted and one of which is untrusted. The base of the unit included two slotted mounts suitable for secure desk or wall mounting.
The initial configuration was relatively simple, but setting up a tunnel took us a lot longer than expected, only because the GUI wasn't as intuitive as some of the others. Once you get used to it, though, you can actually get things done very quickly.
The Juniper NS-5GT also offers firewall protection, as well as Web filtering, antivirus scanning, and a whole heap of other optional extras; however, you have to pay extra for access to those.
Fortinet FortiGate-60
The FortiGate-60 is suited to small offices. It features dual WAN links for redundant Internet connections, four internal network ports, a DMZ port, two USB ports, a serial console port and a power connector. On the front were 16 LEDs that display the status of all the connections.
The Web-based interface looked very similar to that of the SonicWall and was just as easy to configure. Besides providing secure communications tunnels between networks the unit does Web content filtering, firewall protection, dynamic intrusion detection and prevention, and network-based antivirus.
Watchguard Firebox 1000
This eye-catching red unit is of metal construction and was one of only two units submitted that were rack mountable. Suited to mid-sized businesses or branch offices, the Firebox 1000 has a large LCD on the front with four buttons for configuring the unit, and 14 LEDs, 12 of which show either 10Mbps or 100Mbps connectivity for each of the six network ports. The other two LEDs show power and arm/disarm status. The six network ports are also on the front of the unit, one of which is marked as external.
There is a console port on the front and a large flap/cover that opens to reveal a nifty removable 3.5in HDD bracket for future expansion. The rear of the unit has a power connector and a power switch. The installation is a little different to the other units on test in this review in that the operator must first load the application software onto a designated firewall administration system.
Once installed the software takes the user through a series of questions and uploads the configuration file straight to the firewall.
This is followed by a system reboot. The administrator can then open the Firebox System Manager, connect to the IP address of the unit and view its status. At that point you still have to configure the VPN tunnel. Setting this up is pretty much the same as with many of the other units.
You still have to set up your Phase 1 and Phase 2 settings and the only difference was the overall look and feel of the interface.
This whole process from start to finish took us somewhat longer than it did with the other units but we were still quite happy since it's quite an advanced unit.
The unit also provides firewall security, real-time monitoring and graphs that can be generated on a range of criteria. You can also buy several optional products that further enhance the Firebox, such as WebBlocker (content filtering), SpamScreen (junk e-mail screening) and virus scanning.
Symantec Gateway Security 460
The Symantec 460 is a multifunctional firewall/VPN appliance that would suit small branch offices. The unit has seven LEDs located on the front with small icons resembling who knows what. They really ought to use better icons or, better still, text. On the back were eight local network ports, two WAN ports, a serial port, a power connector, and a power button. On the right-hand side was a Cardbus WLAN slot.
We initially had issues connecting this device to the NS-25 and we were almost going to give up on it. It wasn't that the browser-based interface was hard to use, nor were the instructions in the manual hard to follow. The logs didn't indicate where the error was coming from which made it even more difficult to pinpoint where the problem was. After some trial and error we ended up getting the tunnel up and running.
Another issue we had with it was when we changed the system settings it would always have to reboot to make the changes effective. It wasn't quick to reboot either. The unit also forces you to use a minimum 20-digit pre-shared key which is not a bad thing since on some of the units you can get away with using only a five-digit key.
The unit integrates a firewall with antivirus policy enforcement, intrusion detection and prevention, as well as content filtering. It can also provide wireless LAN protection with an access point option.
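Why the two-vendor tunnels in this review were hard to bring up, and what the Symantec logs failed to tell us, comes down to proposal matching in Phase 1 and Phase 2. The following Python is an added illustration, not code from any of the appliances: it models each peer's preference-ordered proposal lists, runs the two phases in order, names the attribute on which there is no overlap, and applies the 20-character minimum on the pre-shared key that the Symantec unit enforces. The peer definitions, the reduced set of proposal attributes and the three-character-class rule are constructed assumptions; real IKEv1 exchanges carry more attributes than are modelled here.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One transform set. In Phase 2, dh_group 0 means 'no PFS'."""
    encryption: str   # "des", "3des", "aes128", ...
    integrity: str    # "md5", "sha1"
    dh_group: int     # Diffie-Hellman group (1, 2, 5, ...) or 0 for none
    lifetime: int     # seconds


@dataclass(frozen=True)
class Peer:
    """Constructed model of one appliance's tunnel configuration."""
    name: str
    psk: str
    phase1: Tuple[Proposal, ...]   # IKE SA proposals, in preference order
    phase2: Tuple[Proposal, ...]   # IPsec SA proposals, in preference order


def negotiate(initiator, responder) -> Optional[Proposal]:
    """First initiator proposal the responder also accepts. Cipher, hash and
    DH group must match exactly; the shorter lifetime wins, as in IKEv1."""
    for offer in initiator:
        for accept in responder:
            if (offer.encryption, offer.integrity, offer.dh_group) == \
               (accept.encryption, accept.integrity, accept.dh_group):
                return Proposal(offer.encryption, offer.integrity, offer.dh_group,
                                min(offer.lifetime, accept.lifetime))
    return None


def explain_mismatch(initiator, responder) -> list:
    """Name the attribute(s) with no overlap at all: the diagnostic an operator
    wants in the log instead of a bare 'no proposal chosen'."""
    reasons = []
    for attr in ("encryption", "integrity", "dh_group"):
        offered = {getattr(p, attr) for p in initiator}
        accepted = {getattr(p, attr) for p in responder}
        if not offered & accepted:
            reasons.append(f"no common {attr}: initiator offers {sorted(offered)}, "
                           f"responder accepts {sorted(accepted)}")
    if not reasons:
        reasons.append("attributes overlap individually, but no single proposal "
                       "matches on all of them")
    return reasons


def check_psk(psk: str, min_len: int = 20) -> list:
    """Policy check on a pre-shared key: a length floor (the Symantec unit's
    minimum) plus a constructed rule of at least three character classes."""
    problems = []
    if len(psk) < min_len:
        problems.append(f"too short: {len(psk)} characters, minimum {min_len}")
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in psk))
    if any(not c.isalnum() for c in psk):
        classes += 1
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def bring_up_tunnel(a: Peer, b: Peer) -> dict:
    """Run Phase 1 then Phase 2 between two peers; stop at the first failure."""
    result = {"phase1": None, "phase2": None, "errors": []}
    if a.psk != b.psk:   # a wrong PSK surfaces as a Phase 1 authentication failure
        result["errors"].append("Phase 1: pre-shared keys differ")
        return result
    p1 = negotiate(a.phase1, b.phase1)
    if p1 is None:
        result["errors"] += ["Phase 1: " + r for r in explain_mismatch(a.phase1, b.phase1)]
        return result
    result["phase1"] = p1
    p2 = negotiate(a.phase2, b.phase2)
    if p2 is None:
        result["errors"] += ["Phase 2: " + r for r in explain_mismatch(a.phase2, b.phase2)]
        return result
    result["phase2"] = p2
    return result


# Constructed peers: same PSK and compatible Phase 1, but the second site's
# default Phase 2 has PFS disabled (dh_group 0) while the first insists on group 2.
SHARED_PSK = "Rmit-Labs-2005-VPN-test!"
SITE_A = Peer("site-a", SHARED_PSK,
              phase1=(Proposal("3des", "sha1", 2, 28800),),
              phase2=(Proposal("3des", "sha1", 2, 3600),))
SITE_B_DEFAULT = Peer("site-b", SHARED_PSK,
                      phase1=(Proposal("3des", "sha1", 2, 86400),
                              Proposal("des", "md5", 1, 86400)),
                      phase2=(Proposal("3des", "sha1", 0, 3600),))
# The fix: enable PFS with group 2 on site B so one Phase 2 proposal matches.
SITE_B_FIXED = Peer("site-b", SHARED_PSK, SITE_B_DEFAULT.phase1,
                    phase2=(Proposal("3des", "sha1", 2, 3600),))

if __name__ == "__main__":
    for peer in (SITE_B_DEFAULT, SITE_B_FIXED):
        print(peer.name, bring_up_tunnel(SITE_A, peer))
    print(check_psk("short"), check_psk(SHARED_PSK))
```

The point of `explain_mismatch` is the one the review makes about logging: when Phase 2 fails here, the output says which attribute never overlapped, so the operator changes the PFS setting rather than guessing through cipher, hash and lifetime in turn.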
Nortel Networks Contivity 1100
The Contivity 1100 was designed with small sites in mind. The Contivity has five LAN ports on the front, each with speed and link/activity lights (four of which are trusted and one untrusted). There is also an RJ-45 console port with ready/boot and alert indicators. There were also options on the front for an additional 10/100 RJ-45 port, and a single-port V.35/X.21 or T1 with integrated CSU/DSU or V.90 dial modem.
On the back was a power connector, power switch and power indicator, as well as a ground screw. Underneath the unit were five screw slots with which you can secure the unit to a base.
The unit was relatively straightforward to install. It came with good documentation, which made our life a lot easier. The unit by default can support up to 10 tunnels, with a maximum of 30 -- this is a little on the low side.
The unit also offers firewall protection, QoS and bandwidth management, but you have to purchase an extra license to enable the latter.
SonicWall Pro 2040
The SonicWall, along with the Watchguard, was one of the only two rack-mountable appliances.
The SonicWall unit is suited to small- to mid-sized networks with up to 200 nodes. On the front were four 10/100Base-T ports (1 LAN, 1 WAN, 1 DMZ and 1 inactive with SonicOS Standard; 1 WAN, 1 LAN and 2 configurable with SonicOS Enhanced). Also found on the front are power, test and alarm indicators, as well as a console port. The rear of the appliance is where you power the unit.
The Web-based interface looked very similar to that of the Fortinet. Most likely Fortinet would have taken a page out of Sonicwall's book. The configuration of this unit was also very easy. The SonicWall can do a whole list of other things including deep packet inspection, intrusion prevention, content filtering, load balancing and reporting. The SonicWall also managed to record the fastest throughput out of all the units tested.
| Product | Contivity 1100 | CyberGuard SG575 | Firebox 1000 | Fortigate 60 |
|---|---|---|---|---|
| Company | Nortel Networks | BAX IT SERVICES Pty Ltd | Watchguard Technologies, Inc | Fortinet |
| Price (inc GST) | US$1499 (approx AU$2001) | AU$1829 | AU$5060 | AU$1300, includes first year's maintenance, AV and IPS updates |
| Warranty | 1 year, 90-day software support | 1 year (standard), optional four-year warranty | 1 year | 1 year |
| Certifications | Common Criteria EAL4, DSD | ICSA, VPNC | ICSA IPSEC and firewall, EAL4 due for completion early 2005 | ICSA |
| Encryption standards supported | DES, 3DES, AES, RC4 | DES, 3DES, AES | DES, 3DES (AES in hardware) | DES, 3DES, AES128, AES192, AES256 |
| Ethernet ports internal | 4 | 1 or 2 | 5 | 4 |
| Ethernet ports external | 1 | 1 or 2 | 1 | 2 |
| Other ports | Optional additional 10/100BaseT Ethernet; single-port V.35/X.21 or T1 with integrated CSU/DSU; V.90 dial modem | Serial | Serial, HDD bracket | 1 x DMZ |
| Reporting methods (log, e-mail notification, custom tools) | Internal log, SYS, SNMP | Syslog, e-mail for some functions, SNMP, Cerberian | Log, e-mail, custom tools | Internal and external logging, alert e-mail, SNMP traps |
| # tunnels | 30 | 400 | 1500 | 40 dedicated, unlimited from VPN client |
| VPN 3DES speed (Mbps) | 15 | 20 | 75 | 20 |
| Target market | SOHO/SME | SME | SME | SOHO and SMB |
| Other features | | SNORT, SQUID, NASL | Deep packet inspection, intrusion prevention, spam filtering, Web blocking, gateway AV, model upgradeability | ASIC based, integrated stateful firewall, AV, anti-spam, intrusion prevention, content filtering, traffic shaping, 802.1Q VLANs, high availability, L2TP and PPTP VPNs, quad ICSA certified |

| Product | FVL328 | NS-5GT / NS-5GT ADSL | Pro 2040 | SGS 400 |
|---|---|---|---|---|
| Company | Netgear | Juniper Networks | SonicWall | Symantec |
| Price (inc GST) | AU$1069 | AU$927 / AU$1073 | US$3495 (approx AU$4665) as supplied with Enhanced Operating System | from AU$899 |
| Warranty | 3 years limited | 1 year | 1 year | 1 year |
| Certifications | ICSA, VPNC | ICSA firewall and VPN | ICSA | NA |
| Encryption standards supported | DES, 3DES | DES, 3DES, AES | DES, 3DES, AES | DES, 3DES, AES |
| Ethernet ports internal | 8 | 5 (+ 1 x ADSL) | 1 | 8 |
| Ethernet ports external | 1 | software configurable | 3 (configurable) | 2 |
| Other ports | 8-port 10/100 switch | Console, modem | Serial | Serial, DIP switches |
| Reporting methods (log, e-mail notification, custom tools) | Syslog | Syslog (up to 4 servers), e-mail (2 addresses), NetIQ Webtrends, SNMPv2, traceroute | Syslog, local log, SNMP trap, e-mail, Global Management System (GMS) | Syslog |
| # tunnels | 100 | up to 10 | max 100 | 50* |
| VPN 3DES speed (Mbps) | 15.7 | 20 | 50 | 35 |
| Target market | SOHO and corporate remote office | SOHO, SMB | Small- to mid-sized networks (up to 200 nodes) | SME |
| Other features | High-speed 150MHz CPU for fast tunnelling throughput; true firewall with stateful packet inspection (SPI) and intrusion detection; denial of service (DoS) attack protection | Stateful firewall (2000 sessions), network/port address translation, IPSec NAT traversal, redundant VPN gateways, VPN tunnel monitoring, OSPF, BGP, RIPv2, static routes, and more | Enhanced OS (as supplied) provides wireless access with Sonic Points (IPSEC enforceable), Wireless Guest Services, plus optionals | Firewall, anti-virus policy enforcement, intrusion detection/prevention, content filtering, hardware add-on wireless LAN access point |
- Web-based interface, ability to connect to other VPNs, number of trusted WAN and Ethernet ports.
- Encryption support, number of VPN tunnels supported and speed, and extra features such as AV scanning.
- What kind of functionality do you get for your money?
- What is the duration of the service and availability from the vendors?
We tested the VPNs for the Scenario by setting up a network as follows:
- Client system A, address 192.168.2.1
- crossover cable
- VPN device 1
  - private address 192.168.2.254
  - public address 188.8.131.52
- VPN device 2
  - private address 192.168.1.254
  - public address 184.108.40.206
- crossover cable
- Server A, address 192.168.1.1
We then created a VPN tunnel between the two networks with Network Address Translation (NAT) so that the clients could all see each other. The VPN was Triple DES with SHA1. We then mapped a drive from Client A to Server A and transferred three file sets to the server to give a representation of the VPN speed in Mbit/s. The Juniper NS25 was used as the head end.

| Test | | | | | | | | |
|---|---|---|---|---|---|---|---|---|
| Lots of small | 37 | 30 | 31 | 37 | 33 | 23 | 27 | 28 |
| Speed in Mbit/s | 9.58 | 16.26 | 16.53 | 9.00 | 9.86 | 16.80 | 11.29 | 16.17 |
Scenario: This company wants to use a standard Internet connection to connect to a supplier in order to integrate with the supplier's ordering systems.
Approximate budget: No limit.
Requires: A VPN appliance.
Concerns: The company has no control over the supplier's end of the connection, so interoperability with other vendors' products is vital. Security is very important as well as data throughput.
The results of our performance tests show SonicWall to be the fastest unit of the bunch. However, it was only marginally faster than the Juniper, Fortinet, and Watchguard products.
With little separating them on throughput, we suggest you weigh what matters most to you: the number of tunnels, other features such as content filtering and antivirus, and price.
Watchguard Firebox 1000
The winners of the scenario and Editor's Choice are Watchguard and Juniper. If we had an open budget we would go for the Watchguard Firebox 1000. It can serve the most tunnels, it has a great set of features including deep packet inspection, intrusion prevention, spam filtering, Web blocking, and gateway antivirus. It also performed well in our throughput tests.
The Sonicwall also deserves an honourable mention here, as it was only narrowly beaten by the Watchguard. For more of an entry-level VPN device we recommend the Juniper. It's very cheap and works well, but it's limited to only 10 tunnels.
This article was first published in Technology & Business magazine.
About RMIT IT Test Labs
RMIT IT Test Labs is an independent testing institution based in Melbourne, Victoria, performing IT product testing for clients such as IBM, Coles-Myer, and a wide variety of government bodies. In the Labs' testing for T&B, they are in direct contact with the clients supplying products and the magazine is responsible for the full cost of the testing. The findings are the Labs' own -- only the specifications of the products to be tested are provided by the magazine. For more information on RMIT, please contact the Lab Manager, Steven Turvey.