[Figure: RapidStream products as tested]

VPN RFP Lab Eval: RapidStream

by Lisa Phifer
VP Core Competence, Inc.
[November 8, 2001]

Earlier this year, ISP-Planet launched a VPN Review Series, evaluating customer premise equipment (CPE) for ISP deployment to broadband-enabled businesses of 10-200 employees. Using RFP responses to narrow our search, we initiated lab evaluations. By testing each proposed solution, we hoped to compare and contrast each vendor's offering.

Here, we publish our second set of results, evaluating two RapidStream Security Appliances (RSSAs). The RSSA 2000 is a VPN concentrator or edge firewall for small-to-medium businesses. The RSSA 1000 is a compact firewall/VPN appliance for branch offices. Both can be provisioned from a Network Operation Center (NOC) using RapidStream's Central Policy Management System (CPM).

Products As Tested:

  • RSSA 2000 priced at $4,995, includes 50 clients (pictured above)
  • RSSA 1000 priced at $1,995, includes 5 clients
  • VPN Client runs $75 when purchased separately
  • Centralized Policy Management System starts at $4,995 for 10 devices

The Platforms
The tested products represent a subset of RapidStream's solution for RFP Scenario No. 3: a distributed business with 200 employees, 100 of them at headquarters, 4 branch offices, and 50 mobile users. We evaluated the following configuration.

At our headquarters (HQ), we installed the RSSA 2000 for just under $5,000, a 1U device with three 10/100 Ethernet ports. Originally sold as the RSSA 4000, the renamed RSSA 2000 supports 8000 concurrent Transmission Control Protocol (TCP) sessions and 400 Internet Protocol Security (IPsec) tunnels. It includes 50 Virtual Private Network (VPN) client licenses. This unit is based on the "RapidCore" Network Policy engine, a programmable Application Specific Integrated Circuit (ASIC) with five embedded processors: a main Central Processing Unit (CPU) and four Reduced Instruction Set Computer (RISC) chips designed to accelerate VPN, load balancing, Quality of Service (QoS), and Network Address Translation (NAT).

At our "branch office", we installed the RSSA 1000 for just under $2,000. This 7.5" x 4.5" x 1" metal enclosure contains three 10/100 Ethernet ports—two for data, one for high-availability synchronization. The RSSA 1000 supports 2000 concurrent TCP sessions and 30 IPsec tunnels. It includes 5 VPN client licenses.

RapidStream did not supply a test unit for their "teleworker" solution, the RSSA 500 for about $700. This entry-level two-port appliance for telecommuters with broadband access did not start shipping until mid-September, after our eval start date. The RSSA 500 supports 1000 sessions and 10 IPsec tunnels.

According to specs, the RSSA 2000 firewalls up to 240 Mbps (cleartext) or 100 Mbps (3DES-encrypted). The RSSA 1000 handles 200 Mbps (cleartext) or 50 Mbps (3DES-encrypted). Vendor specs are useful for in-family comparison (e.g., the 2000 encrypts twice as much as the 1000). However, real-world VPN performance is affected by many factors, including the number of policies, concurrent sessions, Maximum Transmission Unit (MTU) size, and packet size. For example, encrypted throughput drops when SHA-1 auth is added. In Tolly tests, RapidStream's top-of-the-line 8000 encrypted 1518-byte packets at 620 Mbps, dropping to 80 Mbps with 64-byte packets. As the saying goes, "Your mileage may vary." Always confirm expectations by running benchmarks in the target network, using actual policies and customer workloads.
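To make the packet-size and MTU effects above concrete, here is an added example (not RapidStream code, and not a model of the RapidCore ASIC) that computes the per-packet overhead of ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96 over IPv4. From that it derives the packets-per-second rate behind a throughput figure, the cleartext goodput left after encapsulation, and the largest inner packet that fits a given path MTU without fragmentation. The header sizes are the standard ones from RFC 2406, 2451 and 2404; the 18-byte Ethernet framing, the sample packet sizes and the 100 Mbps wire rate are assumptions chosen for illustration.

```python
"""Per-packet cost of IPsec ESP: why encrypted throughput falls with small
packets and why the inner MTU matters.

Added example; not from the review or from RapidStream. Constants are for
ESP tunnel mode, 3DES-CBC, HMAC-SHA1-96, IPv4 without options.
"""

ETH_FRAMING = 18       # Ethernet header (14) + FCS (4), outside the IP packet (assumed)
OUTER_IP = 20          # tunnel-mode outer IPv4 header
ESP_HDR = 8            # SPI + sequence number
IV_3DES = 8            # one 3DES-CBC block
ESP_TRAILER = 2        # pad length + next header
ICV_SHA1_96 = 12       # truncated HMAC-SHA1 authenticator
BLOCK_3DES = 8         # CBC padding granularity
FIXED_OVERHEAD = OUTER_IP + ESP_HDR + IV_3DES + ESP_TRAILER + ICV_SHA1_96


def esp_packet_size(inner_ip_len):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    pad = (-(inner_ip_len + ESP_TRAILER)) % BLOCK_3DES   # pad so (payload+trailer) is block-aligned
    return FIXED_OVERHEAD + inner_ip_len + pad


def packets_per_second(mbps, frame_bytes):
    """Frames per second a link carries at mbps with a fixed frame size."""
    return int(mbps * 1_000_000 / (frame_bytes * 8))


def encrypted_goodput_mbps(wire_mbps, inner_ip_len):
    """Cleartext Mbps delivered when the encrypted wire is saturated at wire_mbps."""
    outer = esp_packet_size(inner_ip_len) + ETH_FRAMING
    return wire_mbps * inner_ip_len / outer


def max_inner_for_mtu(mtu):
    """Largest inner IP packet whose ESP encapsulation still fits in one
    outer packet of size mtu, i.e. the inner MTU to set to avoid fragmentation."""
    inner = mtu - FIXED_OVERHEAD
    while esp_packet_size(inner) > mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    # The Tolly figures quoted in the review: 620 Mbps at 1518-byte frames, 80 Mbps at 64-byte.
    print("1518-byte frames at 620 Mbps:", packets_per_second(620, 1518), "pps")
    print("  64-byte frames at  80 Mbps:", packets_per_second(80, 64), "pps")
    for inner in (64, 576, 1400):   # sample inner packet sizes (constructed)
        print(f"inner {inner:4d} B -> outer {esp_packet_size(inner)} B, "
              f"goodput at 100 Mbps wire: {encrypted_goodput_mbps(100, inner):.1f} Mbps")
    print("inner MTU for a 1500-byte path:", max_inner_for_mtu(1500))
```

The point the numbers make: 80 Mbps of 64-byte frames is about three times as many packets per second as 620 Mbps of 1518-byte frames, so a gateway limited by per-packet work (IKE SA lookup, policy match, HMAC setup) looks slow on small packets even though it is moving fewer bits. The MTU function shows the other factor: a 1500-byte inner packet does not fit after encapsulation, so either the client MTU is lowered or every full-size packet is fragmented and reassembled, which also costs throughput.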


Building The Network
We connected the "public port" of both units to a shared hub with Internet access, assigning each a static public IP address. "Private ports" were connected to non-overlapping private subnets, hidden behind NAT.

To complete our test network, a public web server was placed on the HQ unit's DMZ. We used an Interlink Authentication, Authorization, and Accounting (AAA) Engine on the HQ subnet for Remote Authentication Dial-In User Service (RADIUS) authentication. Digital certificates were issued and signed by a private Microsoft CA, located offsite at OpusOne.

On our "traveler" laptop, we installed the RapidStream VPN Client v5.0.2, an OEM of SafeNet's Win32 client. Fifty-five client licenses were included with the tested products—additional clients can be purchased for $75 each. VPN clients were tested over Ethernet and analog dial, using pre-shared secrets and certificates, with and without RADIUS authentication.


Managing RapidStream Security Appliances
RSSAs are managed over Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS), but are not administered from a browser. Instead, every appliance ships with RapidStream Manager (RSM), a Java application for Win32, Solaris, and Linux that provides single-point administration of any RSSA.

We also installed RapidStream's Centralized Policy Management system (CPM) v3.0 ($4,995 for 10 devices, upgradeable to 1,000 devices). CPM uses a client/server architecture. The central CPM Server must be installed on a protected PC running Windows NT4 SP6a with at least 128 MB of RAM and 50 MB of disk. CPM Clients provide GUI access to the Server's database; they can be installed on any Windows 98, NT, or 2000 PC with 64 MB of RAM and 10 MB of disk. We installed RSM and CPM on the same Win2000 PC inside our HQ Local Area Network (LAN) and had no trouble using them concurrently, given enough memory.

A default policy permits HTTPS to the RSSA's private interface. We recommend fine-tuning this policy, for example by letting CPM use HTTPS to the public interface, restricted to the NOC's addresses rather than to any Internet host. Authentication is based on login/password. Using RSM, one "super admin" can edit the RSSA's configuration; other regular "admins" can check or clear alarms. CPM accounts have broader reach, with finer granularity. Policy, account, and alarm privileges are applied to groups, which are in turn applied to CPM accounts. For example, an ISP might manage all devices with a CPM provisioning account and a CPM monitoring account, giving each customer a "read only" RSM admin account on its own device.

In a pinch, RSSAs can be administered from a full-function command line interface (CLI), handy for configuration fixes and troubleshooting (see Diagnostics and Logging). It can even be used to configure policies, although the syntax is complex. The CLI can be reached remotely via SSH1/2, Telnet, or a modem connected to the serial port. In keeping with the credo "that which is not explicitly permitted is denied", policies must be added before Telnet or SSH sessions are accepted; since Telnet carries the login and password in cleartext, prefer SSH for any session that crosses an untrusted network. Furthermore, a faceplate light emitting diode (LED) and an alarm let you know when an administrator logs on. RapidStream does a good job of enabling remote administration without leaving the door wide open. One gotcha: because the RSSA does a reverse lookup on Telnet clients, a Telnet session can take 3-4 minutes to connect when the admin's IP address isn't resolvable or the Domain Name System (DNS) isn't reachable. This is not a problem with Secure Shell (SSH) or HTTPS access.
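The two management-access points above (the shipping HTTPS-to-private-interface policy, and the need to add explicit rules before Telnet or SSH are accepted) come down to a first-match, default-deny rule set. The following added example models that behaviour so the effect of tuning the policy can be checked; it is not RapidStream's policy syntax or code. The rule fields, the interface names "public" and "private", the LAN 10.1.0.0/24, the NOC address 203.0.113.10 and the sample connections are assumptions chosen for illustration.

```python
"""Default-deny management-plane policy with first-match evaluation.

Added example modelling the RSSA behaviour the review describes; it is not
RapidStream code. Interfaces, prefixes and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    iface: str                    # interface the connection arrives on
    proto: str                    # "tcp" or "udp"
    dport: int                    # destination port on the appliance
    src: ipaddress.IPv4Network    # permitted source addresses
    action: str                   # "permit" or "deny"


def evaluate(rules, iface, proto, dport, src_ip):
    """First matching rule wins; no match falls through to an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.iface, r.proto, r.dport) == (iface, proto, dport) and ip in r.src:
            return r.action
    return "deny"


LAN = ipaddress.ip_network("10.1.0.0/24")        # assumed HQ private subnet
NOC = ipaddress.ip_network("203.0.113.10/32")    # assumed CPM server at the NOC

# As shipped: management over HTTPS reachable only from the private side.
DEFAULT_MGMT = [
    Rule("private", "tcp", 443, LAN, "permit"),
]

# Tuned for ISP provisioning: the NOC's CPM server may reach HTTPS and SSH on
# the public interface. Any other public source still hits the implicit deny,
# and Telnet (port 23) stays closed because no rule names it.
HARDENED_MGMT = [
    Rule("public", "tcp", 443, NOC, "permit"),
    Rule("public", "tcp", 22, NOC, "permit"),
    Rule("private", "tcp", 443, LAN, "permit"),
]

# Constructed sample connection attempts: (iface, proto, dport, source IP).
CHECKS = {
    "noc_https_public":      ("public", "tcp", 443, "203.0.113.10"),
    "noc_ssh_public":        ("public", "tcp", 22, "203.0.113.10"),
    "noc_telnet_public":     ("public", "tcp", 23, "203.0.113.10"),
    "stranger_https_public": ("public", "tcp", 443, "198.51.100.7"),
    "lan_https_private":     ("private", "tcp", 443, "10.1.0.50"),
    "lan_ssh_private":       ("private", "tcp", 22, "10.1.0.50"),
}


def decisions(rules):
    """Evaluate every sample connection against a rule set; returns {name: action}."""
    return {name: evaluate(rules, *args) for name, args in CHECKS.items()}


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_MGMT), ("hardened", HARDENED_MGMT)):
        print(label)
        for name, action in decisions(rules).items():
            print(f"  {name:24s} {action}")
```

Because the fall-through is a deny, the hardened set opens exactly two public-side holes, both pinned to the NOC's address; the review's observation that Telnet and SSH need explicit policies is the same mechanism. If a later rule ever needs to be broader (say, HTTPS from the whole NOC block), widening the source prefix on that one rule is the only change, and the sample connections make the effect visible before the policy is pushed to customer devices.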


Discovery and Setup using RSM
Initially, we used RSM to configure our RSSAs. Setup does not require changing the PC's address or using the CLI. Instead, RSM discovers any unconfigured RSSA on the local LAN segment. For each discovered device, RSM can set the IP address or (re)load a previously-configured profile. This approach makes initial setup, restoration, and cloning fairly easy.

On first login, RSM launches an Install Wizard. The Wizard accepts the usual addressing parameters, a default firewall policy (permit outbound, deny inbound except ping), and Denial of Service (DoS) thresholds (see Keeping Hackers At Bay). This Wizard offers little handholding. Experienced admins will breeze right through but, even with the 60-page Install Guide, network newbies may be overwhelmed. When selling to small businesses, ISPs may want to ship a configured unit, supply a setup "cheat sheet," or assist with on-site installation.

RSM is organized into three sections: Activities, Policy, and Administration. Administration panels control parameters initialized by the Wizard, administrative accounts, backup/restore, software upgrade, and shutdown/reboot.

RSM supports software version upgrade—and downgrade to any previously-installed version and config. Our RSSAs arrived with v3.0.2 so we upgraded to v3.0.2-1, then downgraded and (re)upgraded without a hitch. Configurations are backed up in binary format—and exported in readable, parsable Extensible Markup Language (XML) format. These maintenance features are robust, with one caveat: certificates and key pairs are not included in either backup format. This complicates field replacement. Although reloading a backup is trivial, device certificates need to be reissued and reapplied to restored policies.

End Part One

Read the entire series, RapidStream VPN RFP Lab Eval:
[Part 1] Products Tested, The Platforms, Getting Started
[Part 2] Firewall Configuration, Setup and Remote Access
[Part 3] Alarms and Real-Time Monitoring, Closing Thoughts
