KoolSpan: Bridging The Secure Access Gap
Part 1: The Tools, continued

Integrating the parts

We tested an SE Kit (MSRP $4,950) that includes one 5 Mbps Lock and 10 Client Keys / Client software licenses. The SE Lock is pre-provisioned to grant those 10 Client Keys access to one named network; additional Keys can be purchased in 10-packs for $1,250. The SE Kit also includes SecurEdge Manager software, capable of configuring a maximum of 2 Locks and 50 Client Keys. To use the Manager, the administrator must have the Master Key or a clone (backup copy) of the Master Key, also included.

The SE Kit can support small business or branch office networks with up to 100 users. For larger networks, the LE Kit (MSRP $9,950) contains two 30 Mbps Locks (one primary, one spare), 10 Client Keys / Client software licenses, and one Manager license with no hard limit on the number of Locks and Clients per network. According to KoolSpan, each 30 Mbps Lock can support up to 2048 Client Keys and 512 concurrent sessions. The LE's capacity is roughly comparable to midsize VPN concentrators; for example, Cisco's VPN 3020 supports up to 750 IPsec clients at 50 Mbps.

During our evaluation, we tested Client-to-Lock tunneling, over wireless and wired networks, local and remote. An ISP might use SecurEdge in this fashion to secure admin access to equipment in remote (provider or customer) networks. SecurEdge could also be resold to subscribers as part of a managed service offering, for example an alternative Managed Remote Access VPN service, or a managed Secure WLAN service.

We did not test it, but Lock-to-Lock tunnels enable secure bridging between LANs. An ISP could use SecurEdge Lock pairs to offer a managed Site to Site VPN service, or to create secure backhaul links between POP and NOC. Given the Lock's near-zero configuration, it is easy to see how Locks might be drop-shipped for turn-key installation in remote LANs. But it would be essential to deploy Locks only where full bridged LAN access was appropriate: unlike traditional VPNs, Locks do not apply IP or TCP filters.

Installing the Lock

In a typical install, the Lock's "LAN" port would be connected to a trusted LAN switch, and the Lock's "WAN" port would be connected to one or more wireless APs. For this review, KoolSpan supplied a self-contained demo kit containing a D-Link broadband router (connected to the Lock's LAN port) and a Netgear AP (connected to the Lock's WAN port). So we dropped the D-Link router on our trusted Intranet and conducted most local user testing through the Netgear AP (see figure, below).

KoolSpan ships each Lock pre-provisioned, so that anyone who installs Client software and inserts a matching Key can connect to the Lock's upstream LAN without additional configuration. (Unprovisioned kits are available at no extra cost.) The SecurEdge Enterprise Manager is only required for making changes, like adding a second Lock, adding more Client Keys, or resetting an existing Client Key. We did not even install the Manager until we'd been using the Lock for several days.

In short, dropping a pre-provisioned Lock into an existing LAN is no more difficult than installing an unmanaged Ethernet hub or AP. How many VPN gateways can you say that about?